go/runtime/host/sandbox: Properly handle clone3 in seccomp policy

[kostko]

We need to handle the clone3 syscall in a special manner as there are
several complications to its handling:

• Newer glibc versions will try clone3 first and if they see EPERM they
  will instantly fail making the program unable to spawn threads.

• The clone3 syscall is much more complex than clone and so we can't
  simply inspect its flags as above for clone.

Therefore we need to reject the syscall with ENOSYS, causing fallback to
clone.

[codecov]

Codecov Report

Merging #4687 (3faa628) into master (6387e86) will decrease coverage by 0.21%.
The diff coverage is 33.33%.

@@            Coverage Diff             @@
##           master    #4687      +/-   ##
==========================================
- Coverage   67.27%   67.06%   -0.22%     
==========================================
  Files         436      436              
  Lines       48905    48911       +6     
==========================================
- Hits        32902    32801     -101     
- Misses      11957    12072     +115     
+ Partials     4046     4038       -8     

Impacted Files	Coverage Δ
go/runtime/host/sandbox/process/seccomp_linux.go	46.15% <33.33%> (-3.85%)	⬇️
go/ias/http/http.go	20.33% <0.00%> (-44.07%)	⬇️
go/keymanager/api/policy_sgx.go	33.33% <0.00%> (-13.34%)	⬇️
...onsensus/tendermint/apps/beacon/state/state_vrf.go	73.33% <0.00%> (-13.34%)	⬇️
go/runtime/host/sandbox/sandbox.go	66.54% <0.00%> (-9.51%)	⬇️
go/worker/common/committee/p2p.go	70.00% <0.00%> (-6.67%)	⬇️
go/oasis-node/cmd/ias/auth.go	71.87% <0.00%> (-6.25%)	⬇️
go/worker/common/p2p/dispatch.go	71.52% <0.00%> (-5.56%)	⬇️
go/common/cbor/codec.go	78.37% <0.00%> (-5.41%)	⬇️
go/worker/beacon/tx_retry.go	90.47% <0.00%> (-4.77%)	⬇️
... and 34 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6387e86...3faa628. Read the comment docs.