Enable one PID namespace per process for NaCl processes.

components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
index 869658f9f8b4eddec6efdd545b89c966626b0440..4ff1d4c076dcf71f5f7df6013fcc1c9452407843 100644
--- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
@@ -139,10 +139,14 @@ void NaClSandbox::InitializeLayerOneSandbox() {
     layer_one_enabled_ = true;
   } else if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
     CHECK(sandbox::Credentials::MoveToNewUserNS());
-    // This relies on SealLayerOneSandbox() to be called later since this

[Mark Seaborn, 2015/06/09 23:44:19]

Isn't this still true?  We still call SealLayerOneSandbox() later and the
requirement is still there, isn't it?

[rickyz (no longer on Chrome), 2015/06/10 01:31:43]

Yeah, it's still true - I removed the comment to be consistent with the fact
that we don't explicitly call out the need for SealLayerOneSandbox when dropping
FS access in the suid sandbox case. The fact that we continue to use proc_fd_
after DropFileSystemAccess hopefully makes it clear that there's still a dir fd
around.

-    // class is keeping a file descriptor to /proc/.
     CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get()));
-    CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get()));
+
+    // We do not drop CAP_SYS_ADMIN because we need it to place each child
+    // process in its own PID namespace later on.
+    std::vector<sandbox::Credentials::Capability> caps;
+    caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN);
+    CHECK(sandbox::Credentials::SetCapabilities(proc_fd_.get(), caps));
+
     CHECK(IsSandboxed());
     layer_one_enabled_ = true;
   }