For example, if you want to limit xinetd service in the root server to a single IP, you can do
/usr/sbin/chbind --ip eth0 /etc/rc.d/init.d/xinetd restart
The package provides the v_xinetd for this purpose. So to get this going, you need very little reconfiguration. No fiddling in configuration files and so on.
I am unsure about the jail system call and the new_s_context() I have implemented though. The later is used to isolate the process in a private world where it can't see and interact with other processes in the box, except itself. The new_s_context is not privileged, so a normal user can use this to, for example, setup a personal security box before executing a not-so-trusted game.
Also the new_s_context() syscall allow root user in the root server to "enter" a running vserver, unlike the jail syscall (which can't add new processes to a running "jail"). On this side, the implementation is also more flexible. This is very useful, because it allows the root server to monitor the vservers and to start and stop them very easily, in a clean way.