Use the libc clone wrapper in sys_clone.

sandbox/linux/services/syscall_wrappers.h

Index: sandbox/linux/services/syscall_wrappers.h
diff --git a/sandbox/linux/services/syscall_wrappers.h b/sandbox/linux/services/syscall_wrappers.h
index 64028f7d0f6d61316566ad20b1f8a260128f3f8b..d2ee1028ce92ac6b8678b58a2f3ecd1b872e2422 100644
--- a/sandbox/linux/services/syscall_wrappers.h
+++ b/sandbox/linux/services/syscall_wrappers.h
@@ -16,7 +16,7 @@ namespace sandbox {
 
 // Provide direct system call wrappers for a few common system calls.
 // These are guaranteed to perform a system call and do not rely on things such
-// as caching the current pid (c.f. getpid()).
+// as caching the current pid (c.f. getpid()) unless otherwise specified.
 
 SANDBOX_EXPORT pid_t sys_getpid(void);
 
@@ -24,9 +24,15 @@ SANDBOX_EXPORT pid_t sys_gettid(void);
 
 SANDBOX_EXPORT long sys_clone(unsigned long flags);
 
-// |regs| is not supported and must be passed as nullptr.
+// |regs| is not supported and must be passed as nullptr. |child_stack| must be
+// nullptr, since otherwise this function cannot safely return.  As a
+// consequence, this function does not support CLONE_VM.
+//
+// This function uses the libc clone wrapper (which updates libc's pid cache)
+// internally, so callers may expect things like getpid() to work correctly
+// after in both the child and parent.
 SANDBOX_EXPORT long sys_clone(unsigned long flags,
-                              void* child_stack,
+                              decltype(nullptr) child_stack,
                               pid_t* ptid,
                               pid_t* ctid,
                               decltype(nullptr) regs);