fixup! lib,permission: add permission.drop

RafaelGSS · RafaelGSS · commit 995de8ec4afb · 2026-04-29T13:58:45.000-03:00
diff --git a/doc/api/permissions.md b/doc/api/permissions.md
@@ -98,6 +98,11 @@ API call to drop permissions at runtime. This operation is **irreversible**.
 
 When called without a reference, the entire scope is dropped. When called
 with a reference, only the permission for that specific resource is revoked.
+Dropping a permission only affects future access checks. It does not close or
+revoke access to resources that are already open, such as file descriptors,
+network sockets, child processes, or worker threads. Applications are
+responsible for closing or terminating those resources when they are no longer
+needed.
 
 You can only drop the exact resource that was explicitly granted. The
 reference passed to `drop()` must match the original grant. If a permission
diff --git a/src/permission/ffi_permission.cc b/src/permission/ffi_permission.cc
@@ -14,6 +14,12 @@ void FFIPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void FFIPermission::Drop(Environment* env,
+                                  PermissionScope scope,
+                                  const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool FFIPermission::is_granted(Environment* env,
                                PermissionScope perm,
                                const std::string_view& param) const {
diff --git a/src/permission/ffi_permission.h b/src/permission/ffi_permission.h
@@ -15,6 +15,9 @@ class FFIPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/test/parallel/test-permission-drop-ffi.js b/test/parallel/test-permission-drop-ffi.js
@@ -0,0 +1,40 @@
+// Flags: --permission --allow-ffi --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { fixtureSymbols, libraryPath } = require('./ffi-test-common');
+
+common.skipIfFFIMissing();
+
+const ffi = require('node:ffi');
+const assert = require('assert');
+
+function openLibrary() {
+  const { lib } = ffi.dlopen(libraryPath, {
+    add_i32: fixtureSymbols.add_i32,
+    allocate_memory: fixtureSymbols.allocate_memory,
+    deallocate_memory: fixtureSymbols.deallocate_memory,
+  });
+  lib.close();
+}
+
+
+{
+  assert.ok(process.permission.has('ffi'));
+}
+
+{
+  // shouldNotThrow
+  openLibrary();
+}
+
+{
+  process.permission.drop('ffi');
+  assert.ok(!process.permission.has('ffi'));
+  assert.throws(() => {
+    openLibrary();
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FFI',
+  }));
+}
