Improve pledge() usability and consistency

- We now kill the program on violations like OpenBSD
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.

test/tool/net/lunix_test.lua

@@ -16,6 +16,10 @@
 gotsigusr1 = false
 tmpdir = "o/tmp/lunix_test.%d" % {unix.getpid()}
 
+function string.starts(String,Start)
+   return string.sub(String,1,string.len(Start))==Start
+end
+
 function OnSigUsr1(sig)
    gotsigusr1 = true
 end
@@ -67,15 +71,18 @@ function UnixTest()
    -- 2. sandbox the process
    -- 3. then violate its security
    if GetHostOs() == "LINUX" then
+      reader, writer = assert(unix.pipe())
       if assert(unix.fork()) == 0 then
+         assert(unix.dup(writer, 2))
          assert(unix.pledge("stdio"))
-         _, err = unix.socket()
-         assert(err:errno() == unix.EPERM)
+         unix.socket()
          unix.exit(0)
       end
+      unix.close(writer)
+      unix.close(reader)
       pid, ws = assert(unix.wait())
-      assert(unix.WIFEXITED(ws))
-      assert(unix.WEXITSTATUS(ws) == 0)
+      assert(unix.WIFSIGNALED(ws))
+      assert(unix.WTERMSIG(ws) == unix.SIGSYS)
    elseif GetHostOs() == "OPENBSD" then
       if assert(unix.fork()) == 0 then
          assert(unix.pledge("stdio"))