add a LinuxSandbox::HasOpenDirectories() sanity check

content/common/sandbox_linux.h

Index: content/common/sandbox_linux.h
diff --git a/content/common/sandbox_linux.h b/content/common/sandbox_linux.h
index 412c04ab20bdf1915974443370025d853579ed9b..de71dfd197a38ae739408d581e108ab24870bb58 100644
--- a/content/common/sandbox_linux.h
+++ b/content/common/sandbox_linux.h
@@ -80,6 +80,10 @@ class LinuxSandbox {
 
   // We must have been pre_initialized_ before using this.
   bool seccomp_bpf_supported() const;
+  // Returns true if it can be determined that the current process has open
+  // directories that are not managed by the LinuxSandbox class. This would
+  // be a vulnerability as it would allow to bypass the setuid sandbox.
+  bool HasOpenDirectories();
   // The last part of the initialization is to make sure any temporary "hole"
   // in the sandbox is closed. For now, this consists of closing proc_fd_.
   void SealSandbox();
@@ -91,6 +95,7 @@ class LinuxSandbox {
   bool seccomp_bpf_started_;
   // Did PreinitializeSandbox() run?
   bool pre_initialized_;
+  bool sealed_;

[jln (very slow on Chromium), 2013/11/02 00:10:56]

This is not needed, I would rather remove it for now, as more states make this
more complicated.

[Mostyn Bramley-Moore, 2013/11/02 07:30:07]

Done.

   bool seccomp_bpf_supported_;  // Accurate if pre_initialized_.
   scoped_ptr<sandbox::SetuidSandboxClient> setuid_sandbox_client_;