Index: sandbox/linux/services/credentials.h |
diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h |
index a52617690bd0d877299a745f4bfc15195f9ca3f7..2b761b6034aeb7445a0f114166b41c11f5eebdf7 100644 |
--- a/sandbox/linux/services/credentials.h |
+++ b/sandbox/linux/services/credentials.h |
@@ -26,7 +26,9 @@ namespace sandbox { |
class SANDBOX_EXPORT Credentials { |
public: |
// Drop all capabilities in the effective, inheritable and permitted sets for |
- // the current process. |
+ // the current process. For security reasons, since capabilities are |
+ // per-thread, the caller is responsible for ensuring it is single-threaded |
+ // when calling this API. |
static bool DropAllCapabilities() WARN_UNUSED_RESULT; |
// Return true iff there is any capability in any of the capabilities sets |
// of the current process. |