It's great that we provide fallback values, but if we got one of those wrong,
it could be a long time before anyone noticed. So let's add asserts that the
our internal defines actually match the official ones, when the latter are
available.
I did not add '#include "macro.h"' to missing_{audit,capability}, because
those are processed by an awk script that would need additional include
directories and could be confused by the additional lines. We don't include
those headers standalone anyway, so this is not necessary anyway.
This adds support for KSM (kernel samepage merging). It adds a new
boolean parameter called MemoryKSM to enable the feature. The feature
can only be enabled with newer kernels.
On some ARM platforms, the dynamic linker could use PROT_BTI memory protection
flag with `mprotect(..., PROT_BTI | PROT_EXEC)` to enable additional memory
protection for executable pages. But `MemoryDenyWriteExecute=yes` blocks this
with seccomp filter denying all `mprotect(..., x | PROT_EXEC)`.
Newly preferred method is to use prctl(PR_SET_MDWE) on supported kernels. Then
in-kernel implementation can allow PROT_BTI as necessary, without weakening
MDWE. In-kernel version may also be extended to more sophisticated protections
in the future.
