Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.h |
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h |
index f1e4bb96c199e155ee0c9eafdeaed55e597d5388..fe7c5dc94ec4cb826f1d757780e5d1cbff37ad48 100644 |
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h |
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h |
@@ -18,11 +18,13 @@ class SandboxBPFPolicy; |
// that reduces the Linux kernel's attack surface. Given its nature, it doesn't |
// have a clear semantics and is mostly "implementation-defined". |
// |
-// This returns an object that implements the SandboxBPFPolicy interface with |
-// a "baseline" policy within Chromium. |
+// This class implements the SandboxBPFPolicy interface with a "baseline" |
+// policy for us within Chromium. |
// The "baseline" policy is somewhat arbitrary. All Chromium policies are an |
// alteration of it, and it represents a reasonable common ground to run most |
// code in a sandboxed environment. |
+// A baseline policy is only valid for the process for which this object was |
+// instantiated (so do not fork() and use it in a child). |
class SANDBOX_EXPORT BaselinePolicy : public SandboxBPFPolicy { |
public: |
BaselinePolicy(); |
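Review bot: The new comment line `// policy for us within Chromium.` reads as a typo for `// policy for use within Chromium.`. The added fork() caveat would also be more useful if it said why the policy is process-bound: the rules presumably depend on the pid captured at construction (the `current_pid_` member added in the second hunk), so a child would inherit a policy keyed to its parent's pid; something like `// A baseline policy is only valid for the process in which this object was constructed, because some rules depend on the pid recorded at that time (so do not fork() and use it in a child).` — hedged, since the use of that member is not visible here. The class body continues past this hunk.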
@@ -36,6 +38,7 @@ class SANDBOX_EXPORT BaselinePolicy : public SandboxBPFPolicy { |
private: |
int fs_denied_errno_; |
+ pid_t current_pid_; |
DISALLOW_COPY_AND_ASSIGN(BaselinePolicy); |
}; |