Figure 4 Features in levels of grsecurity

[HIGH]
  Enforce non-executable pages
  Deny writing to /dev/kmem, /dev/mem, and /dev/port
  Remove addresses from /proc/pid/maps
  Additional restrictions
    Deny (f)chmod +s
    Deny fchdir out of chroot
    Deny shmat() out of chroot
    Deny access to abstract AF_UNIX sockets out of chroot
    Protect outside processes
    Restrict priority changes
    Capability restrictions within chroot
  Resource logging
  Mount logging

+ [MEDIUM]
  Address Space Layout Randomization
    Randomize kernel stack base
    Randomize user stack base
    Randomize mmap() base
  Proc restrictions
    Allow special group
  Chroot jail restrictions
    Deny mounts
    Deny double-chroots
    Deny pivot_root in chroot
    Deny mknod
    Deny sysctl writes in chroot
  Signal logging
  Fork failure logging
  Time change logging
  Truly random TCP ISN selection
  Randomized TCP source ports
  Randomized RPC XIDs
  Altered Ping IDs

+ [LOW]
  Linking restrictions
  FIFO restrictions
  Enforce chdir(/) on all chroots
  Enforce RLIMIT_NPROC on execs
  Dmesg(8) restriction
  Randomized PIDs
  Larger entropy pools
  Randomized IP IDs