seccomp: Allow filters to be removed transparently across execve

If a seccomp filter's role is to translate ABI rather than enforce
some security policy, then it does not always make sense for the
filter to persist across execve.

A seccomp filter that uses a SIGSYS handler will also have trouble
surviving execve, since even if the filter stays, the handler will
be history... leading to a sudden and undignified death.

Add a new seccomp mode SECCOMP_SET_MODE_FILTER_UNTIL_EXEC to handle
this possibility. A filter registered with this mode will be
transparently removed at the next execve().

To avoid nasty interactions with regular filters, an _UNTIL_EXEC
filter must be the only filter registered.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>