Chroot: change root to explicit prefix and label sub-dirs

Change the root of a session request into an explicit path and apply the
label-to-path conversion using the "path_prefix" policy attribute. This
is in addition to only applying a root change with a "path" attribute.

Ref #3031
Fix #3056

repos/os/src/server/chroot/README

@@ -6,8 +6,10 @@ hierarchy of directories.
 Sessions matching policies with _path_ attributes will be "chrooted" to the
 configured policy path, sessions not matching policies with _path_ attributes
 will be chrooted into paths formed from each session label element. Sessions
-requests are downgraded to read-only requests unless matched by polices
+matching polices with a _path_prefix_ attribute are both rooted at the
-with an affirmative _writeable_ attribute. Sessions not matching any
+attribute path and in sub-directories formed by the session label.
+Sessions requests are downgraded to read-only requests unless matched by
+polices with an affirmative _writeable_ attribute. Sessions not matching any
 policy are rejected.
 
 Please note that this server is only effective for File_system servers that

repos/os/src/server/chroot/component.cc

@@ -112,8 +112,13 @@ struct Chroot::Main
 		Session_label const label = label_from_args(args.string());
 		Session_policy const policy(label, config_rom.xml());
 
-		/* Use a chroot path from policy */
+		if (policy.has_attribute("path_prefix")) {
-		if (policy.has_attribute("path")) {
+			/* Use a chroot path from policy and label sub-directories */
+			policy.attribute("path_prefix").value(tmp, sizeof(tmp));
+			root_path.import(tmp);
+			root_path.append(path_from_label<Path>(label.string()).string());
+		} else if (policy.has_attribute("path")) {
+			/* Use a chroot path from policy */
 			policy.attribute("path").value(tmp, sizeof(tmp));
 			root_path.import(tmp);
 		} else {