Use IpTables::ExecvNonRoot for adding user-traffic mark rules

Previously, the iptables function
IpTables::ApplyRuleForUserTrafficWithVersion used a brillo::ProcessImpl
for adding rules to mark user traffic during IpTables::ApplyVpnSetup.
This commit replaces the ProcessImpl with a call to ExecvNonRoot so that
all ip related commands are issued with this function. This makes
handling and testing command failures in ApplyVpnSetup easier.

BUG=None
TEST=Openvpn: Manually connect and disconnect to CrOS_NetgearAC_Platform-5GHz
using openvpn client on veyron_minnie-cheets board.
Third-Party: Install Cisco AnyConnect. Connect to test lab network
CrOS_NetgearAC_Platform-5GHz. Hit "Add New Connection" button in
AnyConnect home screen. Enter wifi test lab openconnect server IP
(172.18.10.12). Select test connection in system VPN menu. Run
`route` in cros shell to get the IP address assigned to tun0. Pinging
this IP was successful on veyron_minnie-cheets.

Change-Id: I16ea79cac09a30fecb750832a7646b6d20c01ba4
Reviewed-on: https://chromium-review.googlesource.com/370759
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Ian Wyszynski <wyszynski@google.com>
Reviewed-by: Ian Wyszynski <wyszynski@google.com>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
diff --git a/iptables.cc b/iptables.cc
index e8ca006..7fc96da 100644
--- a/iptables.cc
+++ b/iptables.cc
@@ -27,7 +27,6 @@
 #include <base/strings/string_util.h>
 #include <base/strings/stringprintf.h>
 #include <brillo/minijail/minijail.h>
-#include <brillo/process.h>
 
 namespace {
 
@@ -458,23 +457,25 @@
 
 bool IpTables::ApplyRuleForUserTrafficWithVersion(const std::string& ip_version,
                                                   bool add) {
-  brillo::ProcessImpl ip;
-  ip.AddArg(kIpPath);
+  std::vector<std::string> argv;
+  argv.push_back(kIpPath);
   if (ip_version == kIPv6)
-    ip.AddArg("-6");
-  ip.AddArg("rule");
-  ip.AddArg(add ? "add" : "delete");
-  ip.AddArg("fwmark");
-  ip.AddArg(kMarkForUserTraffic);
-  ip.AddArg("table");
-  ip.AddArg(kTableIdForUserTraffic);
+    argv.push_back("-6");
+  argv.push_back("rule");
+  argv.push_back(add ? "add" : "delete");
+  argv.push_back("fwmark");
+  argv.push_back(kMarkForUserTraffic);
+  argv.push_back("table");
+  argv.push_back(kTableIdForUserTraffic);
 
-  bool success = ip.Run() == 0;
+  bool success = ExecvNonRoot(argv, kIpTablesCapMask) == 0;
 
   if (!success) {
-    LOG(ERROR) << (add ? "Adding" : "Removing") << " rule for " << ip_version
-               << " user traffic failed";
+    LOG(ERROR) << (add ? "Adding" : "Removing")
+               << " rule failed for user traffic"
+               << " using '" << kIpPath << "'";
   }
+
   return success;
 }
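Review bot: The rewritten error message in ApplyRuleForUserTrafficWithVersion drops `ip_version`, so the log no longer shows whether the IPv4 or the IPv6 mark rule failed. That distinction matters when only one family's rule is missing, because that family's user traffic may then not be steered into the user-traffic table; how ApplyVpnSetup reacts to the failure is outside this hunk. I would keep the field, e.g. `<< " rule failed for " << ip_version << " user traffic"`. Separately, `ip` is now run with `kIpTablesCapMask`, whose definition is not visible here. If that mask carries capabilities that only iptables needs (CAP_NET_RAW, for example), a narrower mask for `ip rule` would fit least privilege better, so this is worth confirming.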