Improve pledge() usability and consistency

- We now kill the program on violations, as OpenBSD does
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.
Justine Tunney 2022-08-07 16:18:33 -07:00
parent 13c1c45075
commit 5546559034
30 changed files with 713 additions and 86 deletions


@ -68,7 +68,6 @@ i32 sys_mincore(void *, u64, unsigned char *) hidden;
i32 sys_mkdirat(i32, const char *, u32) hidden;
i32 sys_mkfifo(const char *, u32) hidden;
i32 sys_mknod(const char *, u32, u64) hidden;
i32 sys_unmount(const char *, i32) hidden;
i32 sys_mprotect(void *, u64, i32) hidden;
i32 sys_msync(void *, u64, i32) hidden;
i32 sys_munmap(void *, u64) hidden;
@ -97,11 +96,13 @@ i32 sys_sigaltstack(const void *, void *) hidden;
i32 sys_symlinkat(const char *, i32, const char *) hidden;
i32 sys_sync(void) hidden;
i32 sys_sync_file_range(i32, i64, i64, u32) hidden;
i32 sys_syslog(i32, char *, i32) hidden;
i32 sys_tgkill(i32, i32, i32) hidden;
i32 sys_tkill(i32, i32, void *) hidden;
i32 sys_truncate(const char *, u64, u64) hidden;
i32 sys_uname(void *) hidden;
i32 sys_unlinkat(i32, const char *, i32) hidden;
i32 sys_unmount(const char *, i32) hidden;
i32 sys_unveil(const char *, const char *) hidden;
i64 sys_copy_file_range(i32, long *, i32, long *, u64, u32) hidden;
i64 sys_getrandom(void *, u64, u32) hidden;