seccomp: add a --no-seccomp option to disable dumping seccomp

Sometimes we may want to use CRIU on older kernels which don't support
dumping seccomp state where we don't actually care about the seccomp state.
Of course this is unsafe, but it does allow for c/r of things using
seccomp on these older kernels in some cases. When the task is in
SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER with filters that block the
syscalls criu's parasite code needs, the dump will still fail.

Note that we disable seccomp by simply feigning that we are in mode 0. This
is a little hacky, but avoids distributing ifs throughout the code and
keeps them in this one place.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Saied Kazemi <saied@google.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

lib/c/criu.c

@@ -700,6 +700,12 @@ err:
 	return -ENOMEM;
 }
 
+void criu_local_set_no_seccomp(criu_opts *opts, bool val)
+{
+	opts->rpc->has_no_seccomp = true;
+	opts->rpc->no_seccomp = val;
+}
+
 int criu_add_skip_mnt(char *mnt)
 {
 	return criu_local_add_skip_mnt(global_opts, mnt);
@@ -721,6 +727,11 @@ int criu_add_irmap_path(char *path)
 	return criu_local_add_irmap_path(global_opts, path);
 }
 
+void criu_set_no_seccomp(bool val)
+{
+	return criu_local_set_no_seccomp(global_opts, val);
+}
+
 static CriuResp *recv_resp(int socket_fd)
 {
 	unsigned char *buf = NULL;