Constant-action bitmaps for seccomp()
The seccomp() system call allows user space to load one or more (classic) BPF programs to be run whenever the calling process invokes a system call. Those programs can examine (to an extent) the arguments to each call and inform the kernel whether the call should be allowed to proceed or not. This feature is used in a number of containerization solutions (and beyond) as a way of reducing the kernel's attack surface. In some situations, though, using seccomp() can result in a significant performance reduction. There are currently two patch sets in circulation that are aimed at reducing the overhead of seccomp() for one common use case.
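To make the mechanism concrete, here is an added example (it is not code from the article or from either patch set) of what such a classic-BPF filter looks like and how it is loaded. It installs a program that kills the process if the architecture is unexpected, denies socket(AF_INET, ...) with EPERM by looking at the first argument, and allows every other system call. The run_filter() function is a tiny interpreter for just the four instruction forms the filter uses, written here so the filter's decisions can be checked in user space; it is an illustration, not the kernel's BPF engine. The example assumes Linux with x86_64 or aarch64 headers and a kernel that provides the seccomp() system call.

```c
/*
 * Added example: a classic-BPF seccomp filter, installed with seccomp(),
 * plus a user-space evaluator for the handful of opcodes it uses.
 * Not from the article, the kernel, or the patch sets under discussion.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers are per-architecture, so a filter must pin the arch. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/*
 * Offset of the low 32 bits of argument n on a little-endian machine.
 * BPF_W loads one 32-bit word, so a real filter that cares about the
 * whole 64-bit argument must check the high word as well.
 */
#define ARG_LO(n) (offsetof(struct seccomp_data, args[n]))

static struct sock_filter filter[] = {
    /* 0-2: wrong architecture -> kill; the numbers below would be wrong. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: load the syscall number; anything but socket() jumps to ALLOW. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
    /* 5-7: socket(): inspect the domain; AF_INET fails with EPERM. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    /* 8: everything else. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

#define FILTER_LEN (sizeof filter / sizeof filter[0])

/*
 * Illustrative interpreter for the instruction forms used above: returns
 * the SECCOMP_RET_* action word the kernel would take for this call.
 * Unknown opcodes fail closed.
 */
static uint32_t run_filter(const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < FILTER_LEN) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Load the filter into the kernel; returns 0 or -errno. */
static int install_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)FILTER_LEN,
        .filter = filter,
    };

    /* Required for unprivileged callers; also blocks setuid escapes. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -errno;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == -1)
        return -errno;
    return 0;
}

int main(void)
{
    int fd;

    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);   /* denied: -1 with EPERM */
    printf("socket(AF_INET): fd=%d errno=%d (%s)\n", fd, errno, strerror(errno));
    fd = socket(AF_UNIX, SOCK_STREAM, 0);   /* allowed */
    printf("socket(AF_UNIX): fd=%d\n", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Note that for every system call other than socket() this filter's answer is fixed regardless of the arguments, yet the kernel still has to run the program on each call to find that out; that repeated work is the kind of overhead the patch sets in the article are aimed at.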