Enable one PID namespace per process for NaCl processes.

components/nacl/loader/nacl_helper_linux.cc

Index: components/nacl/loader/nacl_helper_linux.cc
diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc
index 8206eca99b49f6776a528c34e6f68fde83f544bf..1bbe08c959205fe73a886e48f3d0842246b5ee24 100644
--- a/components/nacl/loader/nacl_helper_linux.cc
+++ b/components/nacl/loader/nacl_helper_linux.cc
@@ -41,7 +41,9 @@
 #include "crypto/nss_util.h"
 #include "ipc/ipc_descriptors.h"
 #include "ipc/ipc_switches.h"
+#include "sandbox/linux/services/credentials.h"
 #include "sandbox/linux/services/libc_urandom_override.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
 
 #if defined(OS_NACL_NONSFI)
 #include "native_client/src/public/nonsfi/irt_exception_handling.h"
@@ -190,7 +192,20 @@ bool HandleForkRequest(ScopedVector<base::ScopedFD> child_fds,
   }
 
   VLOG(1) << "nacl_helper: forking";
-  pid_t child_pid = fork();
+  pid_t child_pid;
+#if !defined(OS_NACL_NONSFI)
+  if (sandbox::NamespaceSandbox::InNewUserNamespace()) {

[jln (very slow on Chromium), 2015/05/28 09:02:33]

Hidehiko, Mark, what's missing for this to compile in OS_NACL_NONSFI?

One PID per NS is very desirable for NONSFI.

[hidehiko, 2015/05/29 05:46:58]

base::ForkWithFlags in base/process/launch_posix.cc.
It is not built in libbase_nacl_nonsfi.a now.

Supporting ForkWithFlags *only* would not be much difficult, IIUC.
Though, other code in the file would hit problems if we build with PNaCl
toolchain, especially around signals, so I just dropped the file at all, as we
didn't need it.

Also, in ForkInNewPidNamespace, we need to use LINUX_SIGCHLD instead of SIGCHLD
for the workaround of signal ABI problem.

[hidehiko, 2015/05/29 06:14:52]

FYI: Like this https://codereview.chromium.org/1161933003/

[rickyz (no longer on Chrome), 2015/05/29 23:16:39]

Thanks for the comments, Hidehiko - it sounds like there might be a little extra
work involved for nonsfi, so I'll start working on that in a separate CL.

+    // The NaCl runtime will install signal handlers for SIGINT, SIGTERM, etc.
+    // so we do not need to install termination signal handlers ourselves.
+    child_pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(
+        /*drop_capabilities_in_child=*/true);
+  } else {
+#endif
+    child_pid = fork();

[jln (very slow on Chromium), 2015/05/28 09:02:33]

We never drop all capabilities in this codepath!

[rickyz (no longer on Chrome), 2015/05/29 23:16:39]

The combination of keeping CAP_SYS_ADMIN and hitting this codepath is probably
impossible, but agreed, the separation of responsibility is really unclear :-(
What do you think about this change? I added a helper that forks and drops
capabilities, and call that instead of fork().

+#if !defined(OS_NACL_NONSFI)

[mdempsky, 2015/05/28 21:23:23]

nit: Having an #if block just for a } is kind of ugly.  I'd suggest either
reshuffling the "} else { #endif" to "} else #endif {" so you can have the close
brace unconditionally, or the more intrusive option of something like

    namespace {
    #if defined(OS_NACL_NONSFI)
    pid_t ForkChild() {
      return sandbox::NamespaceSandbox::ForkInNewPidNamespace(...);
    }
    #else
    pid_t ForkChild() {
      return fork();
    }
    #endif
    }  // namespace

Your call.

[rickyz (no longer on Chrome), 2015/05/29 23:16:39]

Done.

+  }
+#endif
+
   if (child_pid < 0) {
     PLOG(ERROR) << "*** fork() failed.";
   }