Set a new TLS when using CLONE_VM.

sandbox/linux/services/credentials_unittest.cc

Index: sandbox/linux/services/credentials_unittest.cc
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc
index 6b93c86c3ecbc2104282b50da80e32f3d9ad06d3..39fd6a7e6def2fcca19b62766c688f2ae7e0d50e 100644
--- a/sandbox/linux/services/credentials_unittest.cc
+++ b/sandbox/linux/services/credentials_unittest.cc
@@ -6,6 +6,8 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <pthread.h>
+#include <signal.h>
 #include <stdio.h>
 #include <sys/capability.h>
 #include <sys/stat.h>
@@ -237,6 +239,31 @@ SANDBOX_TEST(Credentials, SetCapabilitiesMatchesLibCap2) {
   CHECK_EQ(0, cap_compare(expected_cap.get(), actual_cap.get()));
 }
 
+volatile sig_atomic_t signal_handler_called;
+void SignalHandler(int sig) {
+  signal_handler_called = 1;
+}
+
+// Disabled on ASAN because of crbug.com/451603.
+SANDBOX_TEST(Credentials, DISABLE_ON_ASAN(DropFileSystemAccessPreservesTLS)) {
+  // Probably missing kernel support.
+  if (!Credentials::MoveToNewUserNS()) return;
+  CHECK(Credentials::DropFileSystemAccess(ProcUtil::OpenProc().get()));
+
+  // In glibc, pthread_getattr_np makes an assertion about the cached PID/TID in
+  // TLS.
+  pthread_attr_t attr;
+  EXPECT_EQ(0, pthread_getattr_np(pthread_self(), &attr));
+
+  // raise also uses the cached TID in glibc.
+  struct sigaction action = {};
+  action.sa_handler = &SignalHandler;
+  PCHECK(sigaction(SIGUSR1, &action, nullptr) == 0);
+
+  PCHECK(raise(SIGUSR1) == 0);
+  CHECK_EQ(1, signal_handler_called);
+}
+
 }  // namespace.
 
 }  // namespace sandbox.