Enable one PID namespace per process for NaCl processes.

components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc

Index: components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
diff --git a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
index 869658f9f8b4eddec6efdd545b89c966626b0440..79f4f7783a136981a8b1ef600f78340e6058eebd 100644
--- a/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
+++ b/components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc
@@ -142,7 +142,13 @@ void NaClSandbox::InitializeLayerOneSandbox() {
     // This relies on SealLayerOneSandbox() to be called later since this
     // class is keeping a file descriptor to /proc/.

[jln (very slow on Chromium), 2015/05/28 09:02:33]

Doesn't this comment apply to both the setuid sandbox case and the userNS case?

[rickyz (no longer on Chrome), 2015/05/29 23:16:39]

Yeah, removed this comment, it made more sense in the place I copy/pasted it
from.

     CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_.get()));
-    CHECK(sandbox::Credentials::DropAllCapabilities(proc_fd_.get()));
+
+    // We do not drop CAP_SYS_ADMIN because we need it to place each child
+    // process in its own PID namespace later on.

[jln (very slow on Chromium), 2015/05/28 09:02:33]

This is unfortunate. This should be dropped as part of a mandatory mechanism
like SealLayerOneSandbox. Except that the layer 2 sandbox will prevent us from
doing it. Perhaps do it as part of engaging the layer 2 sandbox? (And also as
part of SealLayerOneSandbox when layer 2 is not engaged).

We need to be careful to make all of this clear and not look like spaghetti.

+    std::vector<sandbox::Credentials::Capability> caps;
+    caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN);
+    CHECK(sandbox::Credentials::SetCapabilities(proc_fd_.get(), caps));
+
     CHECK(IsSandboxed());
     layer_one_enabled_ = true;
   }