Linux Sandbox: add Credentials::SupportsNewUserNS()

sandbox/linux/services/credentials_unittest.cc

Index: sandbox/linux/services/credentials_unittest.cc
diff --git a/sandbox/linux/services/credentials_unittest.cc b/sandbox/linux/services/credentials_unittest.cc
index 9160bf7a1ca1b0ac09703b063a215d4369d83f2c..9b792aa8c555990fc2d5bb536189f29b88b3e6fd 100644
--- a/sandbox/linux/services/credentials_unittest.cc
+++ b/sandbox/linux/services/credentials_unittest.cc
@@ -112,11 +112,12 @@ SANDBOX_TEST(Credentials, GetCurrentCapString) {
 SANDBOX_TEST(Credentials, MoveToNewUserNS) {
   Credentials creds;
   creds.DropAllCapabilities();
-  bool userns_supported = creds.MoveToNewUserNS();
-  fprintf(stdout, "Unprivileged CLONE_NEWUSER supported: %s\n",
-          userns_supported ? "true." : "false.");
+  bool moved_to_new_ns = creds.MoveToNewUserNS();
+  fprintf(stdout,
+          "Unprivileged CLONE_NEWUSER supported: %s\n",
+          moved_to_new_ns ? "true." : "false.");
   fflush(stdout);
-  if (!userns_supported) {
+  if (!moved_to_new_ns) {
     fprintf(stdout, "This kernel does not support unprivileged namespaces. "
             "USERNS tests will succeed without running.\n");
     fflush(stdout);
@@ -127,6 +128,14 @@ SANDBOX_TEST(Credentials, MoveToNewUserNS) {
   CHECK(!creds.HasAnyCapability());
 }
 
+SANDBOX_TEST(Credentials, SupportsUserNS) {
+  Credentials creds;
+  creds.DropAllCapabilities();
+  bool user_ns_supported = Credentials::SupportsNewUserNS();
+  bool moved_to_new_ns = creds.MoveToNewUserNS();
+  CHECK_EQ(user_ns_supported, moved_to_new_ns);
+}
+
 SANDBOX_TEST(Credentials, UidIsPreserved) {
   Credentials creds;
   creds.DropAllCapabilities();
@@ -207,6 +216,7 @@ SANDBOX_TEST(Credentials, CannotRegainPrivileges) {
 
   // The kernel should now prevent us from regaining capabilities because we
   // are in a chroot.
+  CHECK(!Credentials::SupportsNewUserNS());
   CHECK(!creds.MoveToNewUserNS());
 }