Andrew Vagin authored
In order to restore seccomp correctly, we need to do it before restore_creds() in the restorer blob. But, if the seccomp policy forbids e.g. prctl, if the task doesn't have SUSPEND_SECCOMP set it will die when trying to restore creds. To solve this, we break attach_to_tasks up into two parts: 1. we attach and set SUSPEND_SECCOMP (but let the tasks continue normally), and then after the RESTORE_CREDS stage we 2. attach to the tasks and stop them on the final sigreturn.

Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
1da9760d