Linux sandbox: handle ENOSPC clone failure

Linux 4.9 adds /proc/sys/user/max_user_namespaces to limit the number
of concurrent user namespaces.  Sometimes the limit is set to 0 in
which case clone() will return ENOSPC.  This CL avoids PCHECK()ing in
that case.

BUG=715138
R=mdempsky@chromium.org

Review-Url: https://codereview.chromium.org/2842033002
Cr-Commit-Position: refs/heads/master@{#467271}
diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
index 4e47652..ba2cb7f 100644
--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -132,9 +132,10 @@
 void CheckCloneNewUserErrno(int error) {
   // EPERM can happen if already in a chroot. EUSERS if too many nested
   // namespaces are used. EINVAL for kernels that don't support the feature.
-  // Valgrind will ENOSYS unshare().
+  // Valgrind will ENOSYS unshare().  ENOSPC can occur when the system has
+  // reached its maximum configured number of user namespaces.
   PCHECK(error == EPERM || error == EUSERS || error == EINVAL ||
-         error == ENOSYS);
+         error == ENOSYS || error == ENOSPC);
 }
 
 // Converts a Capability to the corresponding Linux CAP_XXX value.