sandbox: Add support for the new seccomp() system call in kernel 3.17.

sandbox/linux/seccomp-bpf/sandbox_bpf.h

Index: sandbox/linux/seccomp-bpf/sandbox_bpf.h
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index 32fe2a7d7480ca960021f9bff24b6c6c5e956a90..1a9ce43b920932ea51c96500f3f456cb665680ea 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -95,6 +95,10 @@ class SANDBOX_EXPORT SandboxBPF {
   // provided by the caller.
   static SandboxStatus SupportsSeccompSandbox(int proc_fd);
 
+  // Determines if the kernel has support for the seccomp() system call to
+  // synchronize BPF filters across a thread group.
+  static SandboxStatus SupportsSeccompThreadFilterSynchronization();

[jln (very slow on Chromium), 2014/08/20 21:34:20]

I think I would rather have this and SupportsSeccompSandbox() merged and return
a better status. WDYT?

No need to do it in this CL, there is a lot of stuff from the early days that I
want to remove / simplify here anyways.

[Robert Sesek, 2014/08/21 16:50:18]

I agree that SupportsSeccompSandbox should do this, but I do want this separate
method for use in tests, too. 
Yes, this code can probably be cleaned up a lot now that we have sys_seccomp().

+
   // The sandbox needs to be able to access files in "/proc/self". If this
   // directory is not accessible when "startSandbox()" gets called, the caller
   // can provide an already opened file descriptor by calling "set_proc_fd()".