Enforce/require MOJO_HANDLE_RIGHT_TRANSFER in sending handles via MojoWriteMessage().
R=azani@chromium.org
Review URL: https://codereview.chromium.org/2012613002 .
diff --git a/mojo/public/c/system/message_pipe.h b/mojo/public/c/system/message_pipe.h
index ea3dcc3..166e08f 100644
--- a/mojo/public/c/system/message_pipe.h
+++ b/mojo/public/c/system/message_pipe.h
@@ -99,7 +99,8 @@
// |message_pipe_handle| is not a valid handle, or some of the
// requirements above are not satisfied).
// |MOJO_RESULT_PERMISSION_DENIED| if |message_pipe_handle| does not have the
-// |MOJO_HANDLE_RIGHT_WRITE| right.
+// |MOJO_HANDLE_RIGHT_WRITE| right or if one of the handles to be sent
+// does not have the |MOJO_HANDLE_RIGHT_TRANSFER| right.
// |MOJO_RESULT_RESOURCE_EXHAUSTED| if some system limit has been reached, or
// the number of handles to send is too large (TODO(vtl): reconsider the
// latter case).
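Review bot: The new |MOJO_RESULT_PERMISSION_DENIED| wording does not say what happens to the handles passed in when one of them lacks |MOJO_HANDLE_RIGHT_TRANSFER|; callers need to know whether the other handles remain valid and unconsumed on that failure, since the existing text only covers the |message_pipe_handle| write right. Suggest adding a sentence after "does not have the |MOJO_HANDLE_RIGHT_TRANSFER| right." stating that in that case the message is not sent and none of the handles are closed or transferred. It would also help to state how this check orders against |MOJO_RESULT_INVALID_ARGUMENT| (e.g., a handle that is both invalid and, trivially, lacks the right), as the precedence note below only covers |MOJO_RESULT_BUSY|.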
@@ -113,6 +114,15 @@
// being sent in a message), or if some handle to be sent is currently in
// use.
//
+// Note: |MOJO_RESULT_BUSY| is generally "preferred" over
+// |MOJO_RESULT_PERMISSION_DENIED|. E.g., if a handle to be sent both is busy
+// and does not have the transfer right, then the result will be "busy".
+//
+// TODO(vtl): We'll also report |MOJO_RESULT_BUSY| if a (data pipe
+// producer/consumer) handle to be sent is in a two-phase write/read). But
+// should we? (For comparison, there's no such provision in |MojoClose()|.)
+// https://github.com/domokit/mojo/issues/782
+//
// TODO(vtl): Add a notion of capacity for message pipes, and return
// |MOJO_RESULT_SHOULD_WAIT| if the message pipe is full.
MojoResult MojoWriteMessage(MojoHandle message_pipe_handle, // In.
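Review bot: The precedence note hedges with "generally" (in quotes) but then gives a single firm example; if busy always wins over permission denied, say so without the qualifier, and if there are exceptions, list them, since a caller distinguishing a retryable |MOJO_RESULT_BUSY| from a permanent |MOJO_RESULT_PERMISSION_DENIED| needs a definite rule. Also, the TODO line "handle to be sent is in a two-phase write/read)." has an unmatched closing parenthesis (the opening one before "data pipe" is closed after "consumer)"); drop the trailing ")" or reword. Finally, the referenced issue https://github.com/domokit/mojo/issues/782 could be cited in the same "TODO(vtl):" line style as the capacity TODO below it, for consistency with the rest of this header.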