There are further things that can be done to tighten up a chroot jail. Let us assume that a black hat has found a way of breaking out of UML and also has a way of breaking out of a chroot jail as a normal user. Let us assume that he has complete control of the UML.
To break out of the chroot jail, he will presumably need some tools. The only files available in the jail are the UML binary and the filesystem. Presumably, these are not directly usable, so he will have to import them somehow.
This leads to our first requirement - that the chroot directory be non-writeable by the uid running UML. This prevents any new files from being created.