Start all children in their own PID namespace.

content/common/sandbox_linux/sandbox_linux.cc

Index: content/common/sandbox_linux/sandbox_linux.cc
diff --git a/content/common/sandbox_linux/sandbox_linux.cc b/content/common/sandbox_linux/sandbox_linux.cc
index 5eee4e1d6c14d47e785a0ac42e4c8a77a93d6383..7ac5ccad483328fa9f92c81f09dc0c0951fc2eb2 100644
--- a/content/common/sandbox_linux/sandbox_linux.cc
+++ b/content/common/sandbox_linux/sandbox_linux.cc
@@ -186,7 +186,12 @@ void LinuxSandbox::EngageNamespaceSandbox() {
   // Note: this requires SealSandbox() to be called later in this process to be
   // safe, as this class is keeping a file descriptor to /proc/.
   CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_));
-  CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_));
+
+  // We do not drop CAP_SYS_ADMIN because we need it to place each child process
+  // in its own PID namespace later on.
+  std::vector<sandbox::Credentials::Capability> caps;
+  caps.push_back(sandbox::Credentials::Capability::kCapSysAdmin);
+  CHECK(sandbox::Credentials::SetCapabilities(proc_fd_, caps));
 
   // This needs to happen after moving to a new user NS, since doing so involves
   // writing the UID/GID map.