Index: content/common/sandbox_linux.h |
diff --git a/content/common/sandbox_linux.h b/content/common/sandbox_linux.h |
index 412c04ab20bdf1915974443370025d853579ed9b..de71dfd197a38ae739408d581e108ab24870bb58 100644 |
--- a/content/common/sandbox_linux.h |
+++ b/content/common/sandbox_linux.h |
@@ -80,6 +80,10 @@ class LinuxSandbox { |
// We must have been pre_initialized_ before using this. |
bool seccomp_bpf_supported() const; |
+ // Returns true if it can be determined that the current process has open |
+ // directories that are not managed by the LinuxSandbox class. This would |
+ // be a vulnerability as it would allow to bypass the setuid sandbox. |
+ bool HasOpenDirectories(); |
// The last part of the initialization is to make sure any temporary "hole" |
// in the sandbox is closed. For now, this consists of closing proc_fd_. |
void SealSandbox(); |
@@ -91,6 +95,7 @@ class LinuxSandbox { |
bool seccomp_bpf_started_; |
// Did PreinitializeSandbox() run? |
bool pre_initialized_; |
+ bool sealed_; |
jln (very slow on Chromium)
2013/11/02 00:10:56
This is not needed, I would rather remove it for n
Mostyn Bramley-Moore
2013/11/02 07:30:07
Done.
|
bool seccomp_bpf_supported_; // Accurate if pre_initialized_. |
scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_; |