Sam
Help to make this dream come true!
nspawn is a great feature, but to be honest, kamil, I'd prefer that the nspawn features were ported to the chroot command. Since UNIX systems already have such a facility, I think improving it would be a better strategy than rewriting another tool that does the same thing (no, well, actually it's not doing the same thing, but the result is mostly that).
Since you have more knowledge and visibility of NetBSD's chroot implementation than I do, do you think that improving it by introducing the same capabilities as nspawn (without breaking backwards compatibility, I guess) would be possible, or whether it would be better to write a specific tool, like the systemd developers did?
chroot(8) is designed as a wrapper over the chroot(2) syscall. nspawn(8) could wrap over native APIs delivering namespaces + cgroups. There is some overlap from a high-level point of view, but the internals would differ significantly, and the feature set of nspawn, with OCI standards integrated, is incomparable to chroot(8).
Thus, we could add a secure version of chroot that fixes the security issues of the real chroot(8) and enable it for normal users. A demonstration version of a secure chroot was crafted in the netbsd-sandbox research project. It could be shipped as a drop-in replacement for the current chroot(8) users.