dhclient runs in capability mode, so its filesystem access is already
restricted. Moreover, libutil keeps open a directory descriptor for the
pidfile (/var/run by default). If kern.chroot_allow_open_directories is
not set, this descriptor will cause the chroot to fail. To fix this,
stop using chroot(), and store pidfiles under /var/run/dhclient/ instead
to restrict the scope of libutil's descriptor. This is not perfect
since different dhclient instances can still mess with each other's
pidfiles despite the use of capability mode, but I don't think that this
is a serious problem.
Also stop removing rights from the pidfile descriptor after writing the
PID. This interferes with pidfile_verify(), called from
pidfile_close(). We already restrict rights to the pidfile somewhat in
libutil; one possible follow-up enhancement would be to drop the
CAP_PWRITE and CAP_TRUNCATE rights in pidfile_write(). Of course, this
would mean that pidfile_write() could only be called once, but that's
most likely fine.
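As an added illustration of the two points in this message (it is not part of the commit and not libutil's code), the sketch below opens a pidfile relative to a per-daemon directory descriptor rather than chrooting, writes the PID the way pidfile_write() does (truncate, then pwrite), and verifies it the way pidfile_verify() does (pread and compare). The verify step is why the descriptor must keep a read right after the PID has been written. The function names (pidfile_open_in, pidfile_write_fd, pidfile_verify_fd, pidfile_demo), the temporary directory, the interface name in the file name, and the refusal of names containing '/' are all assumptions of this example; the Capsicum rights limit is only compiled on FreeBSD and keeps CAP_PREAD so verification still works.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Open (or create) a pidfile strictly below the directory descriptor dirfd.
 * Rejecting '/' in the name (an assumption of this example) keeps the file
 * inside that directory, which is the scope the message wants for the
 * libutil descriptor once chroot() is gone. */
int pidfile_open_in(int dirfd, const char *name)
{
    if (strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    int fd = openat(dirfd, name, O_RDWR | O_CREAT | O_CLOEXEC, 0644);
    if (fd == -1)
        return -1;
#ifdef __FreeBSD__
    /* Keep exactly what write and verify need; CAP_PREAD is the right that
     * must not be dropped after writing, or pidfile_verify() fails. */
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_PREAD, CAP_PWRITE, CAP_FTRUNCATE, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) {
        close(fd);
        return -1;
    }
#endif
    return fd;
}

/* Mirror pidfile_write(): truncate, then write the PID at offset 0.
 * Uses only CAP_FTRUNCATE and CAP_PWRITE. */
int pidfile_write_fd(int fd, pid_t pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (n <= 0 || ftruncate(fd, 0) == -1)
        return -1;
    return pwrite(fd, buf, (size_t)n, 0) == n ? 0 : -1;
}

/* Mirror pidfile_verify(): read the file back through the same descriptor
 * and check it still holds our PID. Needs CAP_PREAD. */
int pidfile_verify_fd(int fd, pid_t pid)
{
    char buf[32];
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return (pid_t)strtol(buf, NULL, 10) == pid ? 0 : -1;
}

/* End-to-end run in a constructed temporary directory standing in for
 * /var/run/dhclient/. Returns 0 on success. */
int pidfile_demo(void)
{
    char dir[] = "/tmp/dhclient.XXXXXX";   /* constructed, not /var/run */
    if (mkdtemp(dir) == NULL)
        return -1;
    int rc = -1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd == -1) {
        rmdir(dir);
        return -1;
    }
    const char *name = "dhclient.em0.pid";  /* assumed naming scheme */
    int fd = pidfile_open_in(dirfd, name);
    if (fd != -1 &&
        pidfile_write_fd(fd, getpid()) == 0 &&
        pidfile_verify_fd(fd, getpid()) == 0 &&
        pidfile_verify_fd(fd, getpid() + 1) == -1)   /* wrong PID must fail */
        rc = 0;
    if (fd != -1)
        close(fd);
    unlinkat(dirfd, name, 0);
    close(dirfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = pidfile_demo();
    printf("pidfile round trip: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

Dropping CAP_PWRITE and CAP_FTRUNCATE after pidfile_write_fd() would be the follow-up the message describes; with the rights above that leaves only CAP_PREAD and CAP_FSTAT, which is exactly what the verify-on-close path still needs.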