Make a small change to the API. Instead of passing in a file

sandbox_impl.h

Index: sandbox_impl.h
===================================================================
--- sandbox_impl.h	(revision 179)
+++ sandbox_impl.h	(working copy)
@@ -72,18 +72,19 @@
   // This could be because the kernel does not support Seccomp mode, or it
   // could be because we fail to successfully rewrite all system call entry
   // points.
-  // "proc_fd" should be a file descriptor for "/proc", or -1 if not provided
-  // by the caller.
-  static int supportsSeccompSandbox(int proc_fd)
+  // "proc_self" should be a file descriptor for "/proc/self", or -1 if not
+  // provided by the caller.
+  static int supportsSeccompSandbox(int proc_self)
                                          asm("SupportsSeccompSandbox");
 
   // The sandbox needs to be able to access "/proc/self/maps". If this file
   // is not accessible when "startSandbox()" gets called, the caller can
-  // provide an already opened file descriptor by calling "setProcSelfMaps()".
+  // provide an already opened file descriptor by calling "setProcSelf()".
   // The sandbox becomes the newer owner of this file descriptor and will
-  // eventually close it when "startSandbox()" executes.
-  static void setProcSelfMaps(int proc_self_maps)
-                                         asm("SeccompSandboxSetProcSelfMaps");
+  // eventually close it when "startSandbox()" executes. But if the caller
+  // never ends up calling startSandbox(), then the caller must close the
+  // file descriptor.
+  static void setProcSelf(int proc_self) asm("SeccompSandboxSetProcSelf");
 
   // This is the main public entry point. It finds all system calls that
   // need rewriting, sets up the resources needed by the sandbox, and
@@ -642,6 +643,7 @@
   // Seccomp mode.
   static void  createTrustedThread(SecureMem::Args* secureMem);
 
+  static int   proc_self_;
   static int   proc_self_maps_;
   static enum SandboxStatus {
     STATUS_UNKNOWN, STATUS_UNSUPPORTED, STATUS_AVAILABLE, STATUS_ENABLED