Add a sysctl variable which can help stop chroot(2) escapes.

kern.chroot_allow_open_directories = 0
	chroot(2) fails if there are open directories.

kern.chroot_allow_open_directories = 1 (default)
	chroot(2) fails if there are open directories and the process
	is subject of a previous chroot(2).

kern.chroot_allow_open_directories = anything else
	filedescriptors are not checked.  (old behaviour).

I'm very interested in reports about software which breaks when
running with the default setting.

1 files changed, 29 insertions, 2 deletions

diff --git a/lib/libc/sys/chroot.2 b/lib/libc/sys/chroot.2
index 10a9b5e..01258da 100644
--- a/lib/libc/sys/chroot.2
+++ b/lib/libc/sys/chroot.2
@@ -60,7 +60,33 @@ It should be noted that
 has no effect on the process's current directory.
 .Pp
 This call is restricted to the super-user.
-.Sh RETURN VALUES
+.Pp
+Depending on the setting of the
+.Ql kern.chroot_allow_open_directories
+sysctl variable, open filedescriptors which reference directories
+will make the 
+.Fn chroot
+fail as follows:
+.Pp
+If 
+.Ql kern.chroot_allow_open_directories
+is set to zero, 
+.Fn chroot
+will always fail with EPERM if there are any directories open.
+.Pp
+If 
+.Ql kern.chroot_allow_open_directories
+is set to one (the default), 
+.Fn chroot
+will fail with EPERM if there are any directories open and the
+process is already subject to a 
+.Fn chroot
+call.
+.Pp
+Any other value for
+.Ql kern.chroot_allow_open_directories
+will bypass the check for open directories
+.Pp
 Upon successful completion, a value of 0 is returned.  Otherwise,
 a value of -1 is returned and
 .Va errno
@@ -72,7 +98,8 @@ will fail and the root directory will be unchanged if:
 .It Bq Er ENOTDIR
 A component of the path name is not a directory.
 .It Bq Er EPERM
-The effective user ID is not the super-user.
+The effective user ID is not the super-user, or one or more
+filedescriptors are open directories.
 .It Bq Er ENAMETOOLONG
 A component of a pathname exceeded 255 characters,
 or an entire path name exceeded 1023 characters.