Comment by mike_hock

4 years ago

I didn't say it was. There's a long section about chroot() under "Caveats."

Ah, sorry I misunderstood.

Addressed, yeah, but I would not say solved for the general case of all the namespaces.

"Just put me in a (sand)box" is actually really tricky with namespaces, and depends on if you started off as root or not.

More on using namespaces to drop privs: https://blog.habets.se/2022/03/Dropping-privileges.html (another backburner project)

It's early morning so I may be wrong, but my testing seems to show that actually yes you can still fchdir() your way out of a file system namespace.

  • You're right, it doesn't address the file descriptor leak, only the root restriction (well, user namespaces address that).

    But that isn't really an issue with chroot (or namespaces). It's (1) that CLOEXEC is opt-in, not opt-out, and (2) that you need this poll hack to enumerate open file descriptors.
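As an added illustration (not code from this thread nor from the linked blog post), here is a small C example of the two points raised in the last comment: it enumerates open file descriptors with the poll() trick the comment calls a hack (poll with events = 0 reports POLLNVAL for every fd that is not open), then marks everything above the standard streams FD_CLOEXEC so a later execve() into a sandboxed child inherits none of them. The fd bound passed by the caller (256 in the usage), the function names, and the fixed 1024-entry buffer are assumptions of this example, not anything the commenters wrote.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Enumerate open descriptors in [0, limit) using the poll() trick: poll with
 * events = 0 sets POLLNVAL for every fd that is not open, so the rest are open.
 * Writes up to out_cap fd numbers to out[] and returns the total count found
 * (may exceed out_cap), or -1 on error. `limit` must not exceed RLIMIT_NOFILE,
 * or poll() itself fails with EINVAL. */
int list_open_fds(int limit, int *out, int out_cap) {
    struct pollfd *pfds = calloc((size_t)limit, sizeof *pfds);
    if (!pfds) return -1;
    for (int i = 0; i < limit; i++) { pfds[i].fd = i; pfds[i].events = 0; }
    if (poll(pfds, (nfds_t)limit, 0) < 0) { free(pfds); return -1; }
    int n = 0;
    for (int i = 0; i < limit; i++) {
        if (!(pfds[i].revents & POLLNVAL)) {
            if (n < out_cap) out[n] = i;
            n++;
        }
    }
    free(pfds);
    return n;
}

/* Because CLOEXEC is opt-in, an fd opened anywhere in the process (or a
 * library) survives execve() unless we say otherwise. Mark every open fd at or
 * above keep_below close-on-exec. Returns the number marked, or -1 on error. */
int cloexec_all_above(int keep_below, int limit) {
    int fds[1024];                               /* assumed bound for this example */
    int n = list_open_fds(limit, fds, 1024);
    if (n < 0) return -1;
    if (n > 1024) n = 1024;
    int marked = 0;
    for (int i = 0; i < n; i++) {
        if (fds[i] < keep_below) continue;      /* keep stdin/stdout/stderr as-is */
        int flags = fcntl(fds[i], F_GETFD);
        if (flags < 0) return -1;
        if (fcntl(fds[i], F_SETFD, flags | FD_CLOEXEC) < 0) return -1;
        marked++;
    }
    return marked;
}

/* Check helper: 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

int main(void) {
    int p[2];
    if (pipe(p) < 0) return 1;                  /* constructed "leaked" fds */
    printf("before: pipe fds cloexec = %d/%d\n", is_cloexec(p[0]), is_cloexec(p[1]));
    int marked = cloexec_all_above(3, 256);
    printf("marked %d fd(s); after: pipe fds cloexec = %d/%d\n",
           marked, is_cloexec(p[0]), is_cloexec(p[1]));
    return 0;
}
```

On Linux 5.9 and later, close_range(2) with CLOSE_RANGE_CLOEXEC does the same job without the enumeration, and reading /proc/self/fd is the other common portable-ish route; the poll() approach is shown here because it is the one the comment refers to and it needs no procfs inside the sandbox.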