mirror of https://github.com/checkpoint-restore/criu synced 2025-08-31 06:15:24 +00:00

seccomp: add a --no-seccomp option to disable dumping seccomp

Sometimes we may want to use CRIU on older kernels which don't support
dumping seccomp state where we don't actually care about the seccomp state.
Of course this is unsafe, but it does allow for c/r of things using
seccomp on these older kernels in some cases. When the task is in
SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER with filters that block the
syscalls criu's parasite code needs, the dump will still fail.

Note that we disable seccomp by simply feigning that we are in mode 0. This
is a little hacky, but avoids distributing ifs throughout the code and
keeps them in this one place.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Saied Kazemi <saied@google.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Tycho Andersen
2016-02-17 08:03:00 +03:00
committed by Pavel Emelyanov
parent 1741438f81
commit a98014f306
8 changed files with 36 additions and 0 deletions


@@ -89,6 +89,7 @@ int criu_add_enable_fs(char *fs);
int criu_add_skip_mnt(char *mnt);
void criu_set_ghost_limit(unsigned int limit);
int criu_add_irmap_path(char *path);
void criu_set_no_seccomp(bool no_seccomp);
/*
* The criu_notify_arg_t na argument is an opaque
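Review bot: The new `criu_set_no_seccomp(bool no_seccomp)` declaration carries no comment, although the commit message calls the option unsafe and says the dump still fails for tasks in SECCOMP_MODE_STRICT or with filters that block the syscalls the parasite code needs. A short comment above the prototype stating that seccomp state is not dumped when this is set, and that it is meant only for kernels that cannot dump seccomp state, would keep library callers from treating it as a harmless toggle. The parameter is also named `no_seccomp` here but `val` in the `criu_local_` variant; pick one name for both.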
@@ -191,6 +192,7 @@ int criu_local_add_enable_fs(criu_opts *opts, char *fs);
int criu_local_add_skip_mnt(criu_opts *opts, char *mnt);
void criu_local_set_ghost_limit(criu_opts *opts, unsigned int limit);
int criu_local_add_irmap_path(criu_opts *opts, char *path);
void criu_local_set_no_seccomp(criu_opots *opts, bool val);
void criu_local_set_notify_cb(criu_opts *opts, int (*cb)(char *action, criu_notify_arg_t na));
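Review bot: The parameter type in `void criu_local_set_no_seccomp(criu_opots *opts, bool val);` is misspelled: every neighbouring `criu_local_*` prototype takes `criu_opts *opts`, so `criu_opots` looks like a typo and names a type that does not appear anywhere else in the visible lines. Change it to `criu_opts *opts` so the declaration is consistent with the others and matches the type callers actually pass.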