diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index 506ce8627ff8..c93cc6f7cc1f 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -145,6 +145,11 @@ static char machine_arch[] = MACHINE_ARCH; SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD, machine_arch, 0, "System architecture"); +static int jailcansethostname=1; +SYSCTL_INT(_kern, KERN_JAILCANSETHOSTNAME, jailcansethostname, + CTLFLAG_RW, &jailcansethostname, 0, + "Jail can set its hostname"); + char hostname[MAXHOSTNAMELEN]; static int @@ -152,11 +157,13 @@ sysctl_hostname SYSCTL_HANDLER_ARGS { int error; - if (req->p->p_prison) + if (req->p->p_prison) { + if (!jailcansethostname) + return(EPERM); error = sysctl_handle_string(oidp, req->p->p_prison->pr_host, sizeof req->p->p_prison->pr_host, req); - else + } else error = sysctl_handle_string(oidp, hostname, sizeof hostname, req); return (error); diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h index d5697a6edb10..0e61c047ce2f 100644 --- a/sys/sys/sysctl.h +++ b/sys/sys/sysctl.h @@ -260,7 +260,8 @@ void sysctl_unregister_oid(struct sysctl_oid *oidp); #define KERN_PS_STRINGS 32 /* int: address of PS_STRINGS */ #define KERN_USRSTACK 33 /* int: address of USRSTACK */ #define KERN_LOGSIGEXIT 34 /* int: do we log sigexit procs? */ -#define KERN_MAXID 35 /* number of valid kern ids */ +#define KERN_JAILCANSETHOSTNAME 35 /* int: jailed p can set hostname */ +#define KERN_MAXID 36 /* number of valid kern ids */ #define CTL_KERN_NAMES { \ { 0, 0 }, \ @@ -298,6 +299,7 @@ void sysctl_unregister_oid(struct sysctl_oid *oidp); { "ps_strings", CTLTYPE_INT }, \ { "usrstack", CTLTYPE_INT }, \ { "logsigexit", CTLTYPE_INT }, \ + { "jailcansethostname", CTLTYPE_INT }, \ } /*
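Review bot: In the first kern_mib.c hunk, `jailcansethostname` is exported `CTLFLAG_RW`, and nothing visible in this diff stops a jailed root from writing it back to 1, which would undo the restriction from inside the jail. The generic sysctl write check is outside this diff, so confirm that jailed writers are refused there. The knob is also system-wide rather than per-jail and defaults to permissive, which deserves a comment above the declaration, e.g. `/* 0 = processes in any jail may not change the jail's hostname; global setting, default allows it */`.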
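Review bot: In the `sysctl_hostname` hunk, the new `if (!jailcansethostname) return(EPERM);` runs for every request from a jailed process, so with the knob at 0 a jail can no longer read its own hostname either. Only writes should be refused, and testing the request's new-value pointer does that: `if (!jailcansethostname && req->newptr)`. As a style point, `return(EPERM);` lacks the space used by `return (error);` a few lines below. The handler's closing brace lies outside the hunk.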