upstream kernel hardening: pidfd_open("exe")

[cyphar]

We need to have a pidfd-based interface to grab the equivalent of /proc/self/exe. Because it's possible to bind-mount over magic-links we can't trust /proc/self/exe and thus need a proc-less way to do this.

This is a prerequisite of #7 (while we don't use /proc/self/exe it's needed by container runtimes and thus is related to the feature-completeness of #15).

NOTE: #42 solves this problem for privileged users and regular users where an attacker cannot create mounts to exploit the TOCTOU check, but it would be nice for us to solve this completely.