Linux sandbox: restrict *kill to the current process.

sandbox/linux/seccomp-bpf-helpers/baseline_policy.h

Index: sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
index f1e4bb96c199e155ee0c9eafdeaed55e597d5388..fe7c5dc94ec4cb826f1d757780e5d1cbff37ad48 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
@@ -18,11 +18,13 @@ class SandboxBPFPolicy;
 // that reduces the Linux kernel's attack surface. Given its nature, it doesn't
 // have a clear semantics and is mostly "implementation-defined".
 //
-// This returns an object that implements the SandboxBPFPolicy interface with
-// a "baseline" policy within Chromium.
+// This class implements the SandboxBPFPolicy interface with a "baseline"
+// policy for us within Chromium.
 // The "baseline" policy is somewhat arbitrary. All Chromium policies are an
 // alteration of it, and it represents a reasonable common ground to run most
 // code in a sandboxed environment.
+// A baseline policy is only valid for the process for which this object was
+// instantiated (so do not fork() and use it in a child).
 class SANDBOX_EXPORT BaselinePolicy : public SandboxBPFPolicy {
  public:
   BaselinePolicy();
@@ -36,6 +38,7 @@ class SANDBOX_EXPORT BaselinePolicy : public SandboxBPFPolicy {
 
  private:
   int fs_denied_errno_;
+  pid_t current_pid_;
   DISALLOW_COPY_AND_ASSIGN(BaselinePolicy);
 };