[Linux] Use PR_SET_NO_NEW_PRIVS by default in base/process/launch.h.

sandbox/linux/suid/sandbox.c

Index: sandbox/linux/suid/sandbox.c
diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c
index f6e6c495d9d3557857268c555b32bd550074dfe7..d91c147daeaa495aa4d9dac507ba17a7339ce042 100644
--- a/sandbox/linux/suid/sandbox.c
+++ b/sandbox/linux/suid/sandbox.c
@@ -303,13 +303,14 @@ static bool MoveToNewNamespaces() {
     // something went wrong, hence we bail with an error message rather then
     // provide less security.
     if (errno != EINVAL) {
+      fprintf(stderr, "Failed to move to new namespace:");
       if (kCloneExtraFlags[i] & CLONE_NEWPID) {
-        fprintf(stderr, " PID namespaces supported");
+        fprintf(stderr, " PID namespaces supported,");
       }
       if (kCloneExtraFlags[i] & CLONE_NEWNET) {
-        fprintf(stderr, " Network namespace supported");
+        fprintf(stderr, " Network namespace supported,");
       }
-      fprintf(stderr, "but failed: errno = %s\n", strerror(clone_errno));
+      fprintf(stderr, " but failed: errno = %s\n", strerror(clone_errno));
       return false;
     }
   }
@@ -486,6 +487,13 @@ int main(int argc, char **argv) {
     return 1;
   }
 
+  if (geteuid() != 0) {
+    fprintf(stderr,
+        "The setuid sandbox is not running as root. Common causes:\n"
+        "  * An unprivileged process using ptrace on it, like a debugger.\n"
+        "  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)\n");
+  }
+
   if (!MoveToNewNamespaces())
     return 1;
   if (!SpawnChrootHelper())