The operating theory here is that one might want a jail structure like:

prison0
- foo: allow.nounprivileged_parent_tampering
  - bar: allow.unprivileged_parent_tampering

From a high-level view, the above settings effectively say that the
foo uid space is independent of prison0, but bar is expected to be the
same as foo. With the current implementation, prison0 unprivileged
users would be allowed to operate on foo.bar, but not on foo. This is
clearly not the intended behavior.

Add a prison_chain_allow() that evaluates the target jail and all
intermediates to confirm that the given allow bit is set in the entire
path, and use it for PR_ALLOW_UNPRIV_PARENT_TAMPER. This creates the
appropriate barrier for prison0 -> foo.bar in all cases.
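
Added example, not part of the commit and not FreeBSD's code: a user-space C model of the hierarchy above, comparing a check that reads only the target jail's bit with a walk over the whole path. The toy_* names, the struct layout and the bit value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed bit value for illustration; not the kernel's definition. */
#define TOY_ALLOW_UNPRIV_PARENT_TAMPER 0x1u

/* Minimal stand-in for a jail: a parent link and a set of allow bits. */
struct toy_prison {
    const char *name;
    const struct toy_prison *parent;   /* NULL for the root */
    unsigned int allow;
};

/* The hierarchy from the commit message: prison0 -> foo -> foo.bar. */
static const struct toy_prison prison0 = { "prison0", NULL, 0 };
static const struct toy_prison foo = { "foo", &prison0, 0 };
static const struct toy_prison bar = { "foo.bar", &foo,
    TOY_ALLOW_UNPRIV_PARENT_TAMPER };

/* Target-only model: consults just the target jail's bit. */
static bool toy_target_allow(const struct toy_prison *target, unsigned int flag)
{
    return (target->allow & flag) != 0;
}

/*
 * Chain model: walk from the target up to, but not including, the caller's
 * jail. Every jail on that path must have the bit set. If the walk runs off
 * the root, the caller is not an ancestor of the target and the answer is no.
 */
static bool toy_chain_allow(const struct toy_prison *caller,
    const struct toy_prison *target, unsigned int flag)
{
    const struct toy_prison *pr;

    for (pr = target; pr != NULL && pr != caller; pr = pr->parent)
        if ((pr->allow & flag) == 0)
            return false;
    return pr == caller;
}

int main(void)
{
    unsigned int f = TOY_ALLOW_UNPRIV_PARENT_TAMPER;

    printf("target-only prison0 -> foo.bar: %d\n", toy_target_allow(&bar, f));
    printf("chain       prison0 -> foo.bar: %d\n", toy_chain_allow(&prison0, &bar, f));
    printf("chain       foo     -> foo.bar: %d\n", toy_chain_allow(&foo, &bar, f));
    return 0;
}
```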