Improve pledge() usability and consistency

- We now kill the program on violations like OpenBSD
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.

libc/log/getsicodename.c

@@ -158,6 +158,11 @@ const char *GetSiCodeName(int sig, int si_code) {
     } else if (si_code == POLL_HUP) {
       strcpy(b + 5, "HUP"); /* device disconnected */
     }
+  } else if (sig == SIGSYS) {
+    NameIt(b, "SYS_", si_code);
+    if (si_code == SYS_SECCOMP) {
+      strcpy(b + 4, "SECCOMP");
+    }
   }
   return b;
 }

libc/log/oncrashthunks.S

@@ -90,13 +90,13 @@ __oncrash_sigbus:
 	.endfn	__oncrash_sigbus,globl
 
 	.org	11*7
-__oncrash_sigsys:
+__oncrash_sigurg:
 	push	%rbp
 	mov	%rsp,%rbp
 	call	__oncrash
 	pop	%rbp
 	ret
-	.endfn	__oncrash_sigsys,globl
+	.endfn	__oncrash_sigurg,globl
 
 //	</SYNC-LIST>: showcrashreports.c, oncrashthunks.S, oncrash.c, internal.h
 

libc/log/showcrashreports.c

@@ -111,7 +111,7 @@ void ShowCrashReports(void) {
   kCrashSigs[4] = SIGTRAP; /* bad system call */
   kCrashSigs[5] = SIGABRT; /* abort() called */
   kCrashSigs[6] = SIGBUS;  /* misaligned, noncanonical ptr, etc. */
-  kCrashSigs[7] = SIGSYS;  /* bad system call */
+  kCrashSigs[7] = SIGURG;  /* placeholder */
   /* </SYNC-LIST>: showcrashreports.c, oncrashthunks.S, oncrash.c */
   if (!IsWindows()) {
     bzero(&ss, sizeof(ss));