Add a ForkWithFlags wrapper using the libc clone wrapper.

sys_clone directly invokes the syscall, which does not update
libc's PID cache in the child. Although the libc wrapper function
updates the PID cache, it unfortunately requires that the child run on a
different stack, even if CLONE_VM is not specified. We work around this
by briefly switching stacks in the child, then using longjmp to switch
back. This gives us a version of clone with fork-like behavior, which is
what we need for starting processes in new namespaces.

This is a 2nd attempt at crrev.com/801033002, which caused failures
under valgrind and FORTIFY_SOURCE.
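
The stack-switch workaround described in this commit message, as an added C example (not the code from the commit). The names `fork_with_flags`, `clone_and_longjmp`, `clone_helper` and `child_pid_is_consistent`, the 16 KiB temporary stack, and a downward-growing stack are assumptions of this sketch.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* glibc's clone wrapper; redeclared in case _GNU_SOURCE took effect too late. */
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Runs in the child on the temporary stack: jump back to the caller's frame. */
static int clone_helper(void *arg) {
    longjmp(*(jmp_buf *)arg, 1);
    return 1; /* not reached */
}

/* Kept out of line so the temporary stack lies below the setjmp frame:
 * glibc's fortified longjmp aborts when the target frame is below the
 * current stack pointer. */
__attribute__((noinline))
static pid_t clone_and_longjmp(int flags, jmp_buf *env) {
    char stack_buf[16384] __attribute__((aligned(16)));
    void *stack_top = stack_buf + sizeof(stack_buf); /* stack grows down */
    pid_t pid = clone(clone_helper, stack_top, flags, env);
    return pid;
}

/* fork()-like clone: returns the child's PID in the parent, 0 in the child. */
pid_t fork_with_flags(int flags) {
    jmp_buf env;
    if (setjmp(env) == 0)
        return clone_and_longjmp(flags, &env);
    return 0; /* child, back on its own copy of the original stack */
}

/* Returns 1 if the child saw getpid() agree with the raw getpid syscall. */
int child_pid_is_consistent(void) {
    pid_t pid = fork_with_flags(SIGCHLD); /* OR in CLONE_NEW* flags as needed */
    if (pid < 0) return 0;
    if (pid == 0)
        _exit(getpid() == (pid_t)syscall(SYS_getpid) ? 0 : 1);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Passing only `SIGCHLD` keeps the example runnable without privileges; the namespace flags the commit targets generally need extra capabilities.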