Comment by mike_hock
4 years ago
You're right, it doesn't address the file descriptor leak, only the root restriction (well, user namespaces address that).
But that isn't really an issue with chroot (or namespaces). It's (1) that CLOEXEC is opt-in, not opt-out, and (2) that you need this poll hack to enumerate open file descriptors.
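The two points in the comment above, as an added C example that is not part of the original comment or thread: it enumerates open descriptors with `poll()` and `POLLNVAL`, then opts each one into `FD_CLOEXEC` before an exec. That this is the "poll hack" the comment means is an assumption, as are the function names, the `lowfd` cutoff and the 1024 bound.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Store up to cap open descriptors from [0, max_fd) in out; return the count
 * stored, or -1 on error. poll() sets POLLNVAL for any fd that is not open. */
int list_open_fds(int max_fd, int *out, int cap)
{
    struct rlimit rl;
    if (max_fd <= 0) return -1;
    /* Linux poll() fails with EINVAL if nfds exceeds RLIMIT_NOFILE: clamp. */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && (rlim_t)max_fd > rl.rlim_cur)
        max_fd = (int)rl.rlim_cur;
    struct pollfd *pfd = calloc((size_t)max_fd, sizeof *pfd);
    if (!pfd) return -1;
    for (int i = 0; i < max_fd; i++) pfd[i].fd = i;  /* events stays 0 */
    int n = poll(pfd, (nfds_t)max_fd, 0) < 0 ? -1 : 0;
    for (int i = 0; n >= 0 && i < max_fd; i++)
        if (!(pfd[i].revents & POLLNVAL) && n < cap) out[n++] = i;
    free(pfd);
    return n;
}

/* Opt every open fd >= lowfd into close-on-exec; return how many were marked. */
int set_cloexec_from(int lowfd, int max_fd)
{
    if (max_fd <= 0) return -1;
    int *fds = malloc((size_t)max_fd * sizeof *fds);
    if (!fds) return -1;
    int n = list_open_fds(max_fd, fds, max_fd), marked = 0;
    for (int i = 0; i < n; i++) {
        if (fds[i] < lowfd) continue;
        int fl = fcntl(fds[i], F_GETFD);
        if (fl >= 0 && fcntl(fds[i], F_SETFD, fl | FD_CLOEXEC) == 0) marked++;
    }
    free(fds);
    return n < 0 ? -1 : marked;
}

int main(void)
{
    int p[2], fds[1024];
    if (pipe(p) != 0) return 1;   /* constructed sample: two descriptors to find */
    int n = list_open_fds(1024, fds, 1024);
    for (int i = 0; i < n; i++) printf("open fd %d\n", fds[i]);
    printf("marked %d fds close-on-exec\n", set_cloexec_from(3, 1024));
    return 0;
}
```

Because the scan is bounded by the current `RLIMIT_NOFILE`, a descriptor opened above a later-lowered limit is not seen by it.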