syscall: add Landlock support for execve() on Linux

[gnoack]

• Extend SysProcAttr on Linux to optionally store the ruleset FD and
  flag arguments for landlock_restrict_self(2).
• Extend forkAndExecInChild1() to invoke the system call.
• Before enabling Landlock, we also unconditionally set the
  PR_SET_NO_NEW_PRIVS flag, which is a prerequisite for enforcing any
  Landlock ruleset.
• Define the necessary constants unexported as _PR_SET_NO_NEW_PRIVS
  and _SYS_landlock_restrict_self.
• The test case exercises the logic and demonstrates that it works
  (provided that the host Linux system has the Landlock LSM enabled).

As it is customary in forkAndExecInChild1(), system calls need to be
invoked with RawSyscall(), and their system call numbers are defined
in the same package. (Depending on internal/syscall/unix would create
an import loop.)

The Landlock API is described in
https://docs.kernel.org/userspace-api/landlock.html

Updates landlock-lsm/go-landlock#45
Fixes #68595

[gnoack]

For a rationale on why I updated these generated files that way, please see #68595 (comment) -- the previously suggested approach to put these constants in internal/syscall/unix was not feasible, and I am under the impression that re-generation of the full files in syscall is not intended at this point either?

I'm happy to implement it either way, please let me know what you prefer.

[gopherbot]

This PR (HEAD: f4cd8f1) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Günther Noack:

Patch Set 1:

(2 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Günther Noack:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Günther Noack:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: ed40a01) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

This PR (HEAD: 6269c26) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Günther Noack:

Patch Set 2:

(2 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!