Chroot: remove merge policies

The chroot server was conceived to automatically place File_system
sessions into segregated root directories by converting session labels
to paths. If multiple children needed to be grouped under the same path,
a 'merge' policy would truncate the session label before path conversion.
Now that init can rewrite session labels and thus reproduce truncation,
the chroot merge feature is redundant and can be removed.

Fix #2846

repos/os/src/server/chroot/README

@@ -1,37 +1,14 @@
 This component intercepts File_system requests and changes
-the root directory of the request using the session label.
+the root directory attached to requests as defined by
+policy or by converting session label elements to a
+hierarchy of directories.
 
-In this example if cli_monitor had a child named "X", every
+Sessions matching policies with _path_ attributes will be "chrooted" to the
-file system session from "X" would be rooted to the directory
+configured policy path, sessions not matching policies with _path_ attributes
-"/cli_monitor/X" at "fs_server".
+will be chrooted into paths formed from each session label element. Sessions
+requests are downgraded to read-only requests unless matched by polices
+with an affirmative _writeable_ attribute. Sessions not matching any
+policy are rejected.
 
-! <start name="fs_server">
+Please note that this server is only effective for File_system servers that
-!   <provides> <service name="File_system"/> </provides>
+honor the "root" or "writeable" argument to session requests.
-!   ...
-! </start>
-!
-! <start name="chroot">
-!   <provides> <service name="File_system"/> </provides>
-!   <config>
-!     <policy label_prefix="cli_monitor ->" merge="yes"/>
-!   </config>
-!   <route>
-!     <any-service>
-!       <child name="fs_server"/> <parent/>
-!     </any-service>
-!   </route>
-!   ...
-! </start>
-!
-! <start name="cli_monitior">
-!   <route>
-!     <any-service>
-!       <child name="chroot"/> <parent/>
-!     </any-service>
-!   </route>
-!   ...
-! </start>
-
-In addition, the 'chroot' component will intercept the 'writeable' session
-argument and only if its own policy allows it (i.e. the 'writeable' attribute
-is to 'yes') the child is permitted to create a writeable connection.

repos/os/src/server/chroot/component.cc

@@ -116,26 +116,8 @@ struct Chroot::Main
 		if (policy.has_attribute("path")) {
 			policy.attribute("path").value(tmp, sizeof(tmp));
 			root_path.import(tmp);
-		}
+		} else {
-
+			/* generate implicit chroot path from the label */
-		/* if policy specifies a merge, use a truncated label */
-		else if (policy.has_attribute("label_prefix")
-		        && policy.attribute_value("merge", false))
-		{
-			/* merge at the next element */
-			size_t offset = policy.attribute("label_prefix").value_size();
-			for (size_t i = offset; i < label.length()-4; ++i) {
-				if (strcmp(label.string()+i, " -> ", 4))
-					continue;
-
-				strncpy(tmp, label.string(), min(sizeof(tmp), i+1));
-				break;
-			}
-			root_path = path_from_label<Path>(tmp);
-		}
-
-		/* use an implicit chroot path from the label */
-		else {
 			root_path = path_from_label<Path>(label.string());
 		}