Apply a seccomp-BPF syscall allowlist by default

Derived from Podman's default profile, stripped of capability-conditional
rules (we never grant capabilities), argument filters, and the explicit
EPERM block. Dangerous syscalls (mount, unshare, ptrace, bpf,
perf_event_open, io_uring_*, keyctl, kexec_*, ...) fall through to the
default ENOSYS action, which also keeps glibc's clone3 -> clone fallback
working. x86_64 and aarch64 are supported; other archs error out.

Toggle with --seccomp / --no-seccomp or seccomp = <bool> in config.
2026-04-08 08:34:34 +02:00
parent 5f3b139457
commit 12644ae31e
11 changed files with 772 additions and 0 deletions
@@ -26,6 +26,8 @@ pub enum SandboxError {
ConfigPathNotAbsolute(PathBuf),
InvalidBwrapArg(String),
NoCommand,
Seccomp(String),
SeccompUnsupportedArch(String),
}
impl std::fmt::Display for SandboxError {
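Review bot: the new `Seccomp(String)` variant flattens whatever error the filter builder produces into text, so callers cannot match on or chain the cause; if the builder has a typed error, consider carrying that type in the variant and formatting it in `Display` instead. `SeccompUnsupportedArch(String)` likewise takes a free-form string even though the commit message fixes the supported set to x86_64 and aarch64; a `&'static str` or small enum would make the variant harder to construct with an unexpected value. Both new variants could also use a `///` doc comment stating when each is returned.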
@@ -74,6 +76,11 @@ impl std::fmt::Display for SandboxError {
f,
"no command to run; specify a command via config, entrypoint, or pass one after --"
),
Self::Seccomp(msg) => write!(f, "failed to build seccomp filter: {msg}"),
Self::SeccompUnsupportedArch(arch) => write!(
f,
"seccomp filtering is not supported on this architecture: {arch} (use --no-seccomp to disable)"
),
}
}
}
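Review bot: the `Seccomp(msg)` arm's message does not say whether the sandbox still starts; since a filter build failure is exactly the case where a process could otherwise run unfiltered, confirm the caller treats this error as fatal (fail closed) and consider making that explicit in the text, e.g. `"failed to build seccomp filter, refusing to start sandbox: {msg}"`. The `SeccompUnsupportedArch` arm already points at `--no-seccomp` as the deliberate opt-out, which is the right place for that hint; it should not be copied into the build-failure message, where it would steer users toward disabling the filter rather than fixing the cause.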