Bug 1199481 - Complain more when entering sandboxing code as root. r=kang

security/sandbox/linux/LinuxCapabilities.h

@@ -84,6 +84,15 @@ public:
     }
   }
 
+  bool AnyEffective() const {
+    for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
+      if (mBits[i].effective != 0) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   // These three methods expose individual bits in the three
   // capability sets as objects that can be used as bool lvalues.
   // The argument is the capability number, as defined in

security/sandbox/linux/Sandbox.cpp

@@ -558,8 +558,22 @@ SandboxEarlyInit(GeckoProcessType aType, bool aIsNuwa)
     return;
   }
 
+  {
+    LinuxCapabilities existingCaps;
+    if (existingCaps.GetCurrent() && existingCaps.AnyEffective()) {
+      SANDBOX_LOG_ERROR("PLEASE DO NOT RUN THIS AS ROOT.  Strange things may"
+                        " happen when capabilities are dropped.");
+    }
+  }
+
   // If capabilities can't be gained, then nothing can be done.
   if (!info.Test(SandboxInfo::kHasUserNamespaces)) {
+    // Drop any existing capabilities; unsharing the user namespace
+    // would implicitly drop them, so if we're running in a broken
+    // configuration where that would matter (e.g., running as root
+    // from a non-root-owned mode-0700 directory) this means it will
+    // break the same way on all kernels and be easier to troubleshoot.
+    LinuxCapabilities().SetCurrent();
     return;
   }