Enable one PID namespace per process for NaCl processes.

sandbox/linux/services/namespace_sandbox.h

Index: sandbox/linux/services/namespace_sandbox.h
diff --git a/sandbox/linux/services/namespace_sandbox.h b/sandbox/linux/services/namespace_sandbox.h
index 80097fb16afa625415070e8e581540e514e67abf..9749e4b6ef4318cf9488ac35b6f43600904b332c 100644
--- a/sandbox/linux/services/namespace_sandbox.h
+++ b/sandbox/linux/services/namespace_sandbox.h
@@ -38,8 +38,6 @@ namespace sandbox {
 class SANDBOX_EXPORT NamespaceSandbox {
  public:
 #if !defined(OS_NACL_NONSFI)
-  static const int kDefaultExitCode = 1;
-
   // Launch a new process inside its own user/PID/network namespaces (depending
   // on kernel support). Requires at a minimum that user namespaces are
   // supported (use Credentials::CanCreateProcessInNewUserNS to check this).
@@ -70,8 +68,8 @@ class SANDBOX_EXPORT NamespaceSandbox {
   //
   // SIGHUP, SIGINT, SIGABRT, SIGQUIT, SIGPIPE, SIGTERM, SIGUSR1, SIGUSR2
   //
-  // that exits with kDefaultExitCode. These are signals whose default action is
-  // to terminate the program (apart from SIGILL, SIGFPE, and SIGSEGV, which
+  // that exits with SignalExitCode(sig). These are signals whose default action
+  // is to terminate the program (apart from SIGILL, SIGFPE, and SIGSEGV, which
   // will still terminate the process if e.g. an illegal instruction is
   // encountered, etc.).
   //
@@ -85,6 +83,10 @@ class SANDBOX_EXPORT NamespaceSandbox {
   static bool InstallTerminationSignalHandler(int sig, int exit_code);
 #endif  // !defined(OS_NACL_NONSFI)
 
+  // Returns an exit code corresponding to the process being killed by sig. This
+  // is the same as exit code that NaCl's default signal handler uses.
+  static int SignalExitCode(int sig) { return -sig & 0xff; }
+
   // Returns whether the namespace sandbox created a new user, PID, and network
   // namespace. In particular, InNewUserNamespace should return true iff the
   // process was started via this class.