As discussed on tech-kern:

Factor out common code of chroot-like syscalls into change_root() and export
that function for use in other parts of the kernel.
Rename change_dir() to chdir_lookup() as the latter describes better what
the function does.  While there, move the namei_data initialisation into
chdir_lookup(), too.  And export chdir_lookup().

sys/kern/vfs_syscalls.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls.c,v 1.396 2009/07/02 12:53:47 pooka Exp $	*/
+/*	$NetBSD: vfs_syscalls.c,v 1.397 2009/08/01 21:17:11 bad Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.396 2009/07/02 12:53:47 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.397 2009/08/01 21:17:11 bad Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_fileassoc.h"
@@ -110,7 +110,6 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.396 2009/07/02 12:53:47 pooka Exp
 
 MALLOC_DEFINE(M_MOUNT, "mount", "vfs mount struct");
 
-static int change_dir(struct nameidata *, struct lwp *);
 static int change_flags(struct vnode *, u_long, struct lwp *);
 static int change_mode(struct vnode *, int, struct lwp *l);
 static int change_owner(struct vnode *, uid_t, gid_t, struct lwp *, int);
@@ -1126,7 +1125,6 @@ int
 sys_fchroot(struct lwp *l, const struct sys_fchroot_args *uap, register_t *retval)
 {
 	struct proc *p = l->l_proc;
-	struct cwdinfo *cwdi;
 	struct vnode	*vp;
 	file_t	*fp;
 	int		 error, fd = SCARG(uap, fd);
@@ -1135,7 +1133,7 @@ sys_fchroot(struct lwp *l, const struct sys_fchroot_args *uap, register_t *retva
  	    KAUTH_REQ_SYSTEM_CHROOT_FCHROOT, NULL, NULL, NULL)) != 0)
 		return error;
 	/* fd_getvnode() will use the descriptor for us */
-	if ((error = fd_getvnode(SCARG(uap, fd), &fp)) != 0)
+	if ((error = fd_getvnode(fd, &fp)) != 0)
 		return error;
 	vp = fp->f_data;
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
@@ -1148,27 +1146,7 @@ sys_fchroot(struct lwp *l, const struct sys_fchroot_args *uap, register_t *retva
 		goto out;
 	VREF(vp);
 
-	/*
+	change_root(p->p_cwdi, vp, l);
-	 * Prevent escaping from chroot by putting the root under
-	 * the working directory.  Silently chdir to / if we aren't
-	 * already there.
-	 */
-	cwdi = p->p_cwdi;
-	rw_enter(&cwdi->cwdi_lock, RW_WRITER);
-	if (!vn_isunder(cwdi->cwdi_cdir, vp, l)) {
-		/*
-		 * XXX would be more failsafe to change directory to a
-		 * deadfs node here instead
-		 */
-		vrele(cwdi->cwdi_cdir);
-		VREF(vp);
-		cwdi->cwdi_cdir = vp;
-	}
-
-	if (cwdi->cwdi_rdir != NULL)
-		vrele(cwdi->cwdi_rdir);
-	cwdi->cwdi_rdir = vp;
-	rw_exit(&cwdi->cwdi_lock);
 
  out:
 	fd_putfile(fd);
@@ -1188,16 +1166,15 @@ sys_chdir(struct lwp *l, const struct sys_chdir_args *uap, register_t *retval)
 	struct proc *p = l->l_proc;
 	struct cwdinfo *cwdi;
 	int error;
-	struct nameidata nd;
+	struct vnode *vp;
 
-	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | TRYEMULROOT, UIO_USERSPACE,
+	if ((error = chdir_lookup(SCARG(uap, path), UIO_USERSPACE,
-	    SCARG(uap, path));
+				  &vp, l)) != 0)
-	if ((error = change_dir(&nd, l)) != 0)
 		return (error);
 	cwdi = p->p_cwdi;
 	rw_enter(&cwdi->cwdi_lock, RW_WRITER);
 	vrele(cwdi->cwdi_cdir);
-	cwdi->cwdi_cdir = nd.ni_vp;
+	cwdi->cwdi_cdir = vp;
 	rw_exit(&cwdi->cwdi_lock);
 	return (0);
 }
@@ -1213,24 +1190,31 @@ sys_chroot(struct lwp *l, const struct sys_chroot_args *uap, register_t *retval)
 		syscallarg(const char *) path;
 	} */
 	struct proc *p = l->l_proc;
-	struct cwdinfo *cwdi;
-	struct vnode *vp;
 	int error;
-	struct nameidata nd;
+	struct vnode *vp;
 
 	if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_CHROOT,
 	    KAUTH_REQ_SYSTEM_CHROOT_CHROOT, NULL, NULL, NULL)) != 0)
 		return (error);
-	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | TRYEMULROOT, UIO_USERSPACE,
+	if ((error = chdir_lookup(SCARG(uap, path), UIO_USERSPACE,
-	    SCARG(uap, path));
+				  &vp, l)) != 0)
-	if ((error = change_dir(&nd, l)) != 0)
 		return (error);
 
-	cwdi = p->p_cwdi;
+	change_root(p->p_cwdi, vp, l);
+
+	return (0);
+}
+
+/*
+ * Common routine for chroot and fchroot.
+ */
+void
+change_root(struct cwdinfo *cwdi, struct vnode *vp, struct lwp *l)
+{
+
 	rw_enter(&cwdi->cwdi_lock, RW_WRITER);
 	if (cwdi->cwdi_rdir != NULL)
 		vrele(cwdi->cwdi_rdir);
-	vp = nd.ni_vp;
 	cwdi->cwdi_rdir = vp;
 
 	/*
@@ -1248,31 +1232,31 @@ sys_chroot(struct lwp *l, const struct sys_chroot_args *uap, register_t *retval)
 		cwdi->cwdi_cdir = vp;
 	}
 	rw_exit(&cwdi->cwdi_lock);
-
-	return (0);
 }
 
 /*
  * Common routine for chroot and chdir.
  */
-static int
+int
-change_dir(struct nameidata *ndp, struct lwp *l)
+chdir_lookup(const char *path, int where, struct vnode **vpp, struct lwp *l)
 {
-	struct vnode *vp;
+	struct nameidata nd;
 	int error;
 
-	if ((error = namei(ndp)) != 0)
+	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | TRYEMULROOT, where,
+	    path);
+	if ((error = namei(&nd)) != 0)
 		return (error);
-	vp = ndp->ni_vp;
+	*vpp = nd.ni_vp;
-	if (vp->v_type != VDIR)
+	if ((*vpp)->v_type != VDIR)
 		error = ENOTDIR;
 	else
-		error = VOP_ACCESS(vp, VEXEC, l->l_cred);
+		error = VOP_ACCESS(*vpp, VEXEC, l->l_cred);
 
 	if (error)
-		vput(vp);
+		vput(*vpp);
 	else
-		VOP_UNLOCK(vp, 0);
+		VOP_UNLOCK(*vpp, 0);
 	return (error);
 }
 

sys/sys/vfs_syscalls.h

@@ -1,4 +1,4 @@
-/*     $NetBSD: vfs_syscalls.h,v 1.11 2009/07/02 12:56:40 pooka Exp $        */
+/*     $NetBSD: vfs_syscalls.h,v 1.12 2009/08/01 21:17:12 bad Exp $        */
 
 /*
  * Copyright (c) 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -65,4 +65,7 @@ int	do_sys_rename(const char *, const char *, enum uio_seg, int);
 int	do_sys_mknod(struct lwp *l, const char *, mode_t, dev_t, register_t *);
 int	do_sys_mkdir(const char *, mode_t);
 
+int	chdir_lookup(const char *, int, struct vnode **, struct lwp *);
+void	change_root(struct cwdinfo *, struct vnode *, struct lwp *);
+
 #endif /* _SYS_VFS_SYSCALLS_H_ */