I think people are concentrating on the outdated chroot model far too
much. The Hurd already has an immensely secure way to create a secure
box from which one cannot escape, it is called a sub-hurd.
It would be useful to make a precise proposal to eliminate chroot as a
mechanism and use sub-hurds to do the same job. Then people could look
for flaws in it and we could see if it really works.
I'm not sure what such a proposal would look like, or how one would
find flaws in it. A sub-hurd is a completely separate system running
within a system. It has a completely separate space, and does not
share anything with the host system, not even devices (hence the need
to somehow poke holes in a sub-hurd so devices can be shared).
It is like emulating a system within a system, but without emulating
the hardware. Whereas a chroot simply changes where / is located (in
very simplistic terms).