
How can a chrooted process access its library dependencies?


  1. After I put a process in a chroot jail, it can access the libc.so library that is outside of the jail. Why, or maybe how?

  2. If we have a soft link referring to a file outside of the jail, can we access the main file?

  3. Can we use chroot in multi-threaded applications? Or if we change the root directory from one thread, will the root directory of the whole process change?

  4. I have read that the chroot function does not provide a real secure environment. Is there any alternative solution on Linux?


Solution

    1. As long as it had it open before calling chroot, it still has it open, just like its own binary. However, chroot is a privileged operation, so the process calling it is probably going to change identity and exec the real process, and that will not have access to libc.so unless it's available in the chroot.
    2. A soft link is resolved in the namespace of the process, so it will not resolve to a file outside of the chroot.
    3. I am not sure (and would suspect it does not). Normally it does not matter, because, being a privileged operation, it is done in a simple wrapper that is not multi-threaded, but only launches the multi-threaded application after chrooting, closing all file handles, changing current directory into the chroot and dropping the privileges.
    4. Chroot is not secure. Root can escape easily (e.g. by mounting the device again). There are Linux-Vserver, lxc and OpenVZ that provide secure process isolation. LXC uses the cgroups Linux feature (since kernel 2.6.29); the other two seem to need a patched kernel. You might also be able to just set up the cgroup yourself if you just need to jail one application.
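
The single-threaded wrapper described in point 3 of the answer, as an added example that is not part of the original answer: it changes into the jail directory, calls chroot, closes inherited file descriptors, drops root, and only then executes the real program. The names `enter_jail` and `close_fds_from`, the uid/gid 65534, and the 65536 descriptor cap are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Close every descriptor >= lowfd: an inherited directory fd that points
 * outside the jail would let the jailed program fchdir() back out. */
static void close_fds_from(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;            /* assumption: cap the scan to keep it bounded */
    for (int fd = lowfd; fd < max; fd++)
        close(fd);
}

/* Enter the jail and give up root for good. Returns 0, or -1 with errno set. */
static int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0 || chroot(".") != 0)   /* cwd ends up inside the new root */
        return -1;
    close_fds_from(3);
    /* Order matters: supplementary groups, then gid, then uid (uid last,
     * because the first two calls still need root). */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {       /* must fail, or the drop did not take effect */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s JAILDIR PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    /* Constructed default: uid/gid 65534 is "nobody" on many distributions. */
    if (enter_jail(argv[1], 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    execv(argv[2], &argv[2]);   /* resolved inside the jail, as are its libraries */
    perror("execv");
    return 1;
}
```

Because `execv` runs after the chroot, the program path and every shared library it loads (libc.so included) must exist under JAILDIR, which is the situation point 1 of the answer describes.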