Take the chroot into account when search for the command.

This could a a user-specific chroot via the -R option, a runchroot
Defaults value, or a per-command CHROOT spec in the sudoers rule.

plugins/sudoers/match.c

@@ -366,14 +366,14 @@ host_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw,
  */
 int
 cmndlist_matches(struct sudoers_parse_tree *parse_tree,
-    const struct member_list *list)
+    const struct member_list *list, const char *runchroot)
 {
     struct member *m;
     int matched = UNSPEC;
     debug_decl(cmndlist_matches, SUDOERS_DEBUG_MATCH);
 
     TAILQ_FOREACH_REVERSE(m, list, member_list, entries) {
-	matched = cmnd_matches(parse_tree, m);
+	matched = cmnd_matches(parse_tree, m, runchroot);
 	if (matched != UNSPEC)
 	    break;
     }
@@ -385,7 +385,8 @@ cmndlist_matches(struct sudoers_parse_tree *parse_tree,
  * Returns ALLOW, DENY or UNSPEC.
  */
 int
-cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m)
+cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m,
+    const char *runchroot)
 {
     struct alias *a;
     struct sudo_command *c;
@@ -401,13 +402,13 @@ cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m)
 	    FALLTHROUGH;
 	case COMMAND:
 	    c = (struct sudo_command *)m->name;
-	    if (command_matches(c->cmnd, c->args, &c->digests))
+	    if (command_matches(c->cmnd, c->args, runchroot, &c->digests))
 		matched = !m->negated;
 	    break;
 	case ALIAS:
 	    a = alias_get(parse_tree, m->name, CMNDALIAS);
 	    if (a != NULL) {
-		rc = cmndlist_matches(parse_tree, &a->members);
+		rc = cmndlist_matches(parse_tree, &a->members, runchroot);
 		if (rc != UNSPEC)
 		    matched = m->negated ? !rc : rc;
 		alias_put(a);