Start all children in their own PID namespace.

content/common/sandbox_linux/sandbox_linux.h

Index: content/common/sandbox_linux/sandbox_linux.h
diff --git a/content/common/sandbox_linux/sandbox_linux.h b/content/common/sandbox_linux/sandbox_linux.h
index 12aabcfc06da020d693ae8b721beb90f805723d1..01a0bd9a3546552fddbe2fea9c8c468d9bb3ab9d 100644
--- a/content/common/sandbox_linux/sandbox_linux.h
+++ b/content/common/sandbox_linux/sandbox_linux.h
@@ -9,6 +9,7 @@
 #include <vector>
 
 #include "base/basictypes.h"
+#include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "content/public/common/sandbox_linux.h"
 
@@ -118,6 +119,13 @@ class LinuxSandbox {
   // to make some vulnerabilities harder to exploit.
   bool LimitAddressSpace(const std::string& process_type);
 
+  // Returns a file descriptor to proc. The file descriptor is no longer valid
+  // after the sandbox has been sealed.
+  int proc_fd() const {
+    DCHECK_NE(-1, proc_fd_);
+    return proc_fd_;
+  }
+
 #if defined(ANY_OF_AMTLU_SANITIZER)
   __sanitizer_sandbox_arguments* sanitizer_args() const {
     return sanitizer_args_.get();