Drop CAP_SYS_ADMIN for non-broker non-zygote processes

Bug: 887783
Test: /proc/{network process pid}/status shows no capabilities

Change-Id: I08c7d6665c520b361a1a48bcd2f1a5812dadce52
Reviewed-on: https://chromium-review.googlesource.com/1229363Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593264}

services/service_manager/sandbox/linux/sandbox_linux.cc

@@ -502,10 +502,13 @@ bool SandboxLinux::EngageNamespaceSandboxInternal(bool from_zygote) {
   // safe, as this class is keeping a file descriptor to /proc/.
   CHECK(sandbox::Credentials::DropFileSystemAccess(proc_fd_));
 
-  // We do not drop CAP_SYS_ADMIN because we need it to place each child process
-  // in its own PID namespace later on.
+  // Now we drop all capabilities that we can. In the zygote process, we need
+  // to keep CAP_SYS_ADMIN, to place each child in its own PID namespace
+  // later on.
   std::vector<sandbox::Credentials::Capability> caps;
-  caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN);
+  if (from_zygote) {
+    caps.push_back(sandbox::Credentials::Capability::SYS_ADMIN);
+  }
   CHECK(sandbox::Credentials::SetCapabilities(proc_fd_, caps));
   return true;
 }