Index: sandbox/linux/services/credentials.h |
diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h |
index 80b2ec181197eabc0148781580b6f64eb36e0431..c23db930df270ea39d95845fadda268f94b01cd5 100644 |
--- a/sandbox/linux/services/credentials.h |
+++ b/sandbox/linux/services/credentials.h |
@@ -26,6 +26,20 @@ class Credentials { |
Credentials(); |
~Credentials(); |
+ // Checks whether the current process has any directory file descriptor open. |
+ // Directory file descriptors are "capabilities" that would let a process use |
+ // system calls such as openat() to bypass restrictions such as |
+ // DropFileSystemAccess(). |
+ // Sometimes it's useful to call HasOpenDirectory() after file system access |
+ // has been dropped. In this case, |proc_fd| should be a file descriptor to |
+ // /proc. The file descriptor in |proc_fd| will be ignored by |
+ // HasOpenDirectory() and remains owned by the caller. It is very important |
+ // for the caller to close it. |
+ // If /proc is available, |proc_fd| can be passed as -1. |
+ // If |proc_fd| is -1 and /proc is not available, this function will return |
+ // false. |
+ bool HasOpenDirectory(int proc_fd); |
+ |
// Drop all capabilities in the effective, inheritable and permitted sets for |
// the current process. |
bool DropAllCapabilities(); |
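Review bot: The documented contract at the end of the new HasOpenDirectory() comment is fail-open: returning `false` both when no directory fd is open and when `proc_fd` is -1 and /proc is unavailable lets a caller that uses this as a pre-check for DropFileSystemAccess() read "could not check" as "safe". The comment should make that explicit so callers do not rely on a bare `false`, e.g. `// NOTE: a false result is only meaningful if /proc could be scanned; callers that` / `// need a guarantee must pass a valid |proc_fd| (or consider making the` / `// unavailable case distinguishable from "no directory open").` Since the scan is presumably a point-in-time snapshot of the fd table, it is also worth stating that the result can be invalidated by another thread opening a directory afterwards, so the check should run after all other threads are gone and immediately before dropping access. The method is declared non-const; if it reads no instance state, `static` or `const` would document that it is a pure process-level query.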
@@ -52,9 +66,8 @@ class Credentials { |
// CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API. |
// Make sure to call DropAllCapabilities() after this call to prevent |
// escapes. |
- // To be secure, it's very important for this API to not be called with any |
- // directory file descriptor present. TODO(jln): integrate with |
- // crbug.com/269806 when available. |
+ // To be secure, it's very important for this API to not be called while the |
+ // process has any directory file descriptor open. |
bool DropFileSystemAccess(); |
private: |
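Review bot: The reworded precondition on DropFileSystemAccess() still gives the caller no way to verify it, even though this same change adds HasOpenDirectory() for exactly that purpose; a one-line cross-reference closes the loop, e.g. `// Callers can check this precondition with HasOpenDirectory() (passing a` / `// valid |proc_fd|, since a -1 with no /proc reports false without scanning).` Whether DropFileSystemAccess() itself should enforce this (for example a DCHECK on HasOpenDirectory() before chroot) cannot be judged from the header alone; if the implementation does not, the comment should say the check is the caller's responsibility. The remaining lines of the class after `private:` are outside this hunk.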