This allows system root to unwind read(2) of dirfd restrictions with the security.bsd.allow_read_dir sysctl set in one of two ways:
1.) Allow jail root to read(2) a dir fd
2.) Allow all users to read(2) a dir fd
Jail root and in-fact all jail users are included in the all users toggle, which can be used to generally return the system to historical behavior or slightly more secure behavior with at most one module load and two sysctls (security.bsd.allow_read_dir=1 and either security.mac.read_dir.all_users=1 or security.mac.read_dir.jail_root=1).
The mac_read_dir module may be built into the kernel with options MAC_READ_DIR in your kernel configuration or loaded via loader with mac_read_dir_load="YES" in loader.conf(5).