[$] eBPF seccomp() filters
The seccomp() mechanism allows a process to load a BPF program to restrict its future use of system calls; it is a simple but flexible sandboxing mechanism that is widely used. Those filter programs, though, run on the "classic" BPF virtual machine, rather than the extended BPF (eBPF) machine used elsewhere in the kernel. Moving seccomp() to eBPF has been an often-requested change, but security concerns have prevented that from happening. The latest attempt to enable eBPF is this patchset from YiFei Zhu; whether it will succeed where others have failed remains to be seen.
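For readers who have not seen one, this is what a classic-BPF seccomp() filter of the kind described above looks like. It is an added example, not code from the article or from the patch set; `deny_uname`, `demo_filter` and `NATIVE_ARCH` are names made up here, and uname() is an arbitrary choice of system call to block.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Classic BPF: the only input is struct seccomp_data, the only output a verdict. */
static struct sock_filter deny_uname[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),  /* native ABI? skip the kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),     /* foreign ABI: numbers differ */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_uname, 0, 1),   /* uname? fall through to deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),    /* fail the call with EPERM */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),            /* everything else proceeds */
};

/* Returns 0 if uname() works before the filter is loaded and fails with EPERM
 * afterwards, nonzero otherwise. Runs in a child: a loaded filter cannot be removed. */
int demo_filter(void)
{
    struct sock_fprog prog = { .len = sizeof(deny_uname) / sizeof(deny_uname[0]), .filter = deny_uname };
    struct utsname u;
    int status;
    pid_t pid = fork();
    if (pid < 0) return 3;
    if (pid == 0) {
        if (uname(&u) != 0) _exit(1);                       /* baseline: call is allowed */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(2);
        _exit(uname(&u) == -1 && errno == EPERM ? 0 : 3);   /* same call, now filtered */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 3;
    return WEXITSTATUS(status);
}

int main(void) { return demo_filter(); }
```

The filter can only load fixed offsets of `struct seccomp_data` and return a verdict; it has no maps, helper calls or pointer dereferences, which is the gap between classic BPF and eBPF that the article is about.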