seccomp: add spawn argument to command line

This patch adds [,spawn=deny] argument to `-sandbox on' option. It
blacklists fork and execve system calls, avoiding Qemu to spawn new
threads or processes.

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 978d66b..f3878a5 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -78,6 +78,10 @@
     { SCMP_SYS(setresgid),              QEMU_SECCOMP_SET_PRIVILEGED },
     { SCMP_SYS(setfsuid),               QEMU_SECCOMP_SET_PRIVILEGED },
     { SCMP_SYS(setfsgid),               QEMU_SECCOMP_SET_PRIVILEGED },
+    /* spawn */
+    { SCMP_SYS(fork),                   QEMU_SECCOMP_SET_SPAWN },
+    { SCMP_SYS(vfork),                  QEMU_SECCOMP_SET_SPAWN },
+    { SCMP_SYS(execve),                 QEMU_SECCOMP_SET_SPAWN },
 };