# Functions
- CloneBinary creates a "sealed" clone of a given binary, which can be used to thwart attempts by the container process to gain access to host binaries through procfs magic-link shenanigans.
- CloneSelfExe makes a clone of the current process's binary (through /proc/self/exe).
- IsCloned returns whether the given file can be guaranteed to be a safe exe.
- IsSelfExeCloned returns whether /proc/self/exe is a cloned binary that can be guaranteed to be safe.
- Memfd creates a sealable executable memfd (supported since Linux 3.17).