> > It means it can be granted or hidden per-chroot.  It means it can have
> > its permissions twiddled (no chmod/chown-alikes for sysctl).  (The
> > latter is admittedly fairly pointless for veriexec with its explicit
> > suser, but I think the point is valid more generally.)
> 
> Keeping this about Veriexec, is there any real world application to
> having the Veriexec device file hidden inside a chroot? like I said,
> this is an esoteric case.

There's a real world advantage to having the veriexec device *NOT* in
a chroot.  Root in that chroot can't then cause problems
accidentally.  With the suser check in sysctl, you lose that
protection.

Chroots are used extensively for poor man's machine virtualization.
Running older version of the tools and the like in support of having
recreatable build environments independent of the host OS.  For better
or worse, some of these build envs run as root.

Warner