Hmm, if the linked source code is indeed the sandbox they use in Chrome, then this is really weird code.
- They appear to create a file system namespace, but then use old chroot() instead of overmounting the root dir inside it. This is a weird combination. Either you chroot() or you use fs namespaces + bind mounts, but mixing both half-way is weird.
- They try to dynamically allocate an "unused" UID. In Linux we really don't have any sane infrastructure for that, and trying to do that independently of any low-level infrastructure that can ensure we don't end up in UID clashes is just risky business.
- They are not setting the capability bounding set but the other sets even though the bounding set is probably the most interesting one.
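As an added illustration of the bounding-set point (example code written for this page, not code from the sandbox under discussion or from the commenter): a small audit that reads the four capability sets out of /proc/<pid>/status text and reports which ones are still non-empty. CapBnd matters because it caps what a later execve() can ever hand the process through file capabilities or a setuid binary, so a process whose CapPrm/CapEff/CapInh are cleared but whose bounding set is still full is not fully de-privileged. Field names and the hex layout are those of /proc/<pid>/status; the status text used for checking is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: audit the capability sets of a process from the text of
   /proc/<pid>/status. Clearing Inh/Prm/Eff while leaving CapBnd full still
   lets a later execve() of a file-capability or setuid binary regain
   privileges, so a sandbox check has to look at CapBnd as well. */

enum {
    CAPSET_INH = 1 << 0,
    CAPSET_PRM = 1 << 1,
    CAPSET_EFF = 1 << 2,
    CAPSET_BND = 1 << 3
};

/* Extract the hex mask of one "CapXxx:" field from status text.
   Returns 0 on success and stores the value in *mask, -1 if absent or garbled. */
int cap_mask_from_status(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *p = status;

    while ((p = strstr(p, field)) != NULL) {
        /* Match only at the start of a line and only when followed by ':'. */
        if ((p == status || p[-1] == '\n') && p[flen] == ':') {
            const char *v = p + flen + 1;
            char *end;
            while (*v == ' ' || *v == '\t')
                v++;
            unsigned long long val = strtoull(v, &end, 16);
            if (end == v)
                return -1;
            *mask = (uint64_t)val;
            return 0;
        }
        p += flen;
    }
    return -1;
}

/* Number of capabilities present in a mask. */
int cap_count(uint64_t mask)
{
    int n = 0;
    while (mask) {
        n += (int)(mask & 1);
        mask >>= 1;
    }
    return n;
}

/* Return a bitmask (CAPSET_*) of the sets that are still non-empty.
   A fully de-privileged sandbox process should yield 0.
   Returns -1 if the status text lacks one of the four fields. */
int nonempty_capsets(const char *status)
{
    static const struct { const char *name; int bit; } fields[] = {
        { "CapInh", CAPSET_INH }, { "CapPrm", CAPSET_PRM },
        { "CapEff", CAPSET_EFF }, { "CapBnd", CAPSET_BND },
    };
    int result = 0;
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        uint64_t m;
        if (cap_mask_from_status(status, fields[i].name, &m) != 0)
            return -1;
        if (m != 0)
            result |= fields[i].bit;
    }
    return result;
}

/* Stand-alone use: inspect the calling process itself. */
int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        perror("fopen");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    int left = nonempty_capsets(buf);
    if (left < 0) {
        fputs("could not parse capability fields\n", stderr);
        return 1;
    }
    uint64_t bnd = 0;
    cap_mask_from_status(buf, "CapBnd", &bnd);
    printf("non-empty sets: %s%s%s%s(%d caps in bounding set)\n",
           left & CAPSET_INH ? "Inh " : "", left & CAPSET_PRM ? "Prm " : "",
           left & CAPSET_EFF ? "Eff " : "", left & CAPSET_BND ? "Bnd " : "",
           cap_count(bnd));
    return 0;
}
```

Running it inside a sandboxed child shows at a glance whether the bounding set was actually reduced; on Linux that reduction is done per capability with prctl(PR_CAPBSET_DROP, cap), which needs CAP_SETPCAP in the effective set at the time of the call, so it has to happen before the other sets are cleared.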