Enable one PID namespace per process for NaCl processes.

components/nacl/loader/nacl_helper_linux.cc

Index: components/nacl/loader/nacl_helper_linux.cc
diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc
index 8206eca99b49f6776a528c34e6f68fde83f544bf..999201ae3067a7922f3102fe7b46aebb8df16cb7 100644
--- a/components/nacl/loader/nacl_helper_linux.cc
+++ b/components/nacl/loader/nacl_helper_linux.cc
@@ -41,7 +41,9 @@
 #include "crypto/nss_util.h"
 #include "ipc/ipc_descriptors.h"
 #include "ipc/ipc_switches.h"
+#include "sandbox/linux/services/credentials.h"
 #include "sandbox/linux/services/libc_urandom_override.h"
+#include "sandbox/linux/services/namespace_sandbox.h"
 
 #if defined(OS_NACL_NONSFI)
 #include "native_client/src/public/nonsfi/irt_exception_handling.h"
@@ -190,7 +192,19 @@ bool HandleForkRequest(ScopedVector<base::ScopedFD> child_fds,
   }
 
   VLOG(1) << "nacl_helper: forking";
-  pid_t child_pid = fork();
+  pid_t child_pid;
+#if !defined(OS_NACL_NONSFI)
+  if (sandbox::NamespaceSandbox::InNewUserNamespace()) {
+    // The NaCl runtime will install signal handlers for SIGINT, SIGTERM, etc.
+    // so we do not need to install termination signal handlers ourselves.
+    child_pid = sandbox::NamespaceSandbox::ForkInNewPidNamespace(
+        /*drop_capabilities_in_child=*/true);
+  } else
+#endif
+  {
+    child_pid = sandbox::Credentials::ForkAndDropCapabilitiesInChild();
+  }
+
   if (child_pid < 0) {
     PLOG(ERROR) << "*** fork() failed.";
   }