Add an operation, SECCOMP_CLONE_FILTER, that can copy the seccomp
filters from another process to the current process.

Changes from v1 to v2:
  * Fixed locking issues. Thanks Al, Alexei, and Kees :)
  * Allow filters to be cloned if CAP_SYS_ADMIN or no new privs
    is set
    * I initially had only CAP_SYS_ADMIN, but I can't think of a
      way no new privs is harmful here, so I added it. Thanks, Kees
  * Switch to passing in pidfd directly rather than a pointer to a
    pidfd
    * This more closely aligns with other pidfd syscalls
  * Fixed warning in the sample code reported by the test robot
  * Various cleanups and improvements in the selftest

Note that I left in the restriction that the target process
has no seccomp filters already loaded. I could see this
limitation being removed in a later patchset, but there are
requests for this feature at present.

Finally, I re-ran the performance numbers and updated the patch
with the latest numbers. The locking changes significantly sped
up the clone operation, and it's now ~1900x faster than the
current method.

Tom Hromatka (1):
seccomp: Add SECCOMP_CLONE_FILTER operation
.../userspace-api/seccomp_filter.rst | 10 ++
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 48 ++++++
samples/seccomp/.gitignore | 1 +
samples/seccomp/Makefile | 2 +-
samples/seccomp/clone-filter.c | 150 ++++++++++++++++++
tools/include/uapi/linux/seccomp.h | 1 +
tools/testing/selftests/seccomp/seccomp_bpf.c | 114 +++++++++++++
8 files changed, 326 insertions(+), 1 deletion(-)
create mode 100644 samples/seccomp/clone-filter.c
--
2.47.3