Move the namespace creation so that it happens under the code-inspector.

This fixes a security issue where a toplevel evaluator could still use
things like `ffi/unsafe'.

collects/racket/sandbox.rkt

@@ -876,7 +876,6 @@
    (;; create a sandbox context first
     [current-custodian user-cust]
     [current-thread-group (make-thread-group)]
-    [current-namespace (make-evaluation-namespace)]
     ;; set up the IO context
     [current-input-port
      (let ([inp (sandbox-input)])
@@ -945,7 +944,10 @@
     ;; it will not use the new namespace.
     [current-eventspace (parameterize-break
                          #f
-                         (make-eventspace))])
+                         (make-eventspace))]
+    ;; Finally, create the namespace in the restricted environment (in
+    ;; particular, it must be created under the new code inspector)
+    [current-namespace (make-evaluation-namespace)])
    (define t (bg-run->thread (run-in-bg user-process)))
    (set! user-done-evt (handle-evt t (lambda (_) (terminate+kill! #t #t))))
    (set! user-thread t))

collects/tests/racket/sandbox.rktl

@@ -516,4 +516,16 @@
       #t))
   (test #t avoid-module-declare-name))
 
+(let ()
+  (define (try lang)
+    (define e (make-evaluator lang))
+    (e '(require ffi/unsafe))
+    (with-handlers ([exn? exn-message]) (e '(ffi-lib #f))))
+  (define r1 (try 'racket/base))
+  (define r2 (try '(begin)))
+  (test #t regexp-match?
+        #rx"access disallowed by code inspector to protected variable"
+        r1)
+  (test #t equal? r1 r2))
+
 (report-errs)