Start all children in their own PID namespace.

content/zygote/zygote_main_linux.cc

Index: content/zygote/zygote_main_linux.cc
diff --git a/content/zygote/zygote_main_linux.cc b/content/zygote/zygote_main_linux.cc
index 96fac2194377a0f6c43b9ba22c4ff0b8b74b5480..b9dfdcabfb6f730fcd280318c6b502572a8a6e29 100644
--- a/content/zygote/zygote_main_linux.cc
+++ b/content/zygote/zygote_main_linux.cc
@@ -40,6 +40,7 @@
 #include "content/public/common/zygote_fork_delegate_linux.h"
 #include "content/zygote/zygote_linux.h"
 #include "crypto/nss_util.h"
+#include "sandbox/linux/services/credentials.h"
 #include "sandbox/linux/services/init_process_reaper.h"
 #include "sandbox/linux/services/libc_urandom_override.h"
 #include "sandbox/linux/services/namespace_sandbox.h"
@@ -80,6 +81,11 @@ void CloseFds(const std::vector<int>& fds) {
   }
 }
 
+void RunTwoClosures(const base::Closure* first, const base::Closure* second) {
+  first->Run();
+  second->Run();
+}
+
 }  // namespace
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
@@ -407,12 +413,20 @@ static bool EnterSuidSandbox(sandbox::SetuidSandboxClient* setuid_sandbox,
   return true;
 }
 
+static void DropAllCapabilities(int proc_fd) {
+  CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd));
+}
+
 static void EnterNamespaceSandbox(LinuxSandbox* linux_sandbox,
                                   base::Closure* post_fork_parent_callback) {
   linux_sandbox->EngageNamespaceSandbox();
 
   if (getpid() == 1) {
-    CHECK(CreateInitProcessReaper(post_fork_parent_callback));
+    base::Closure drop_all_caps_callback =
+        base::Bind(&DropAllCapabilities, linux_sandbox->proc_fd());
+    base::Closure callback = base::Bind(
+        &RunTwoClosures, &drop_all_caps_callback, post_fork_parent_callback);
+    CHECK(CreateInitProcessReaper(&callback));
   }
 }