Improve pledge() usability and consistency

- We now kill the program on violations like OpenBSD
- We now print a message explaining which promise is needed
- This change also fixes a linkage bug with thread local storage
- Your sigaction() handlers should now be more thread safe

A new `__pledge_mode` global has been introduced to make pledge() more
customizable on Linux. For example:

    __attribute__((__constructor__)) static void init(void) {
      __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
    }

Can be used to restore our old permissive pledge() behavior.

tool/net/help.txt

@@ -259,7 +259,7 @@ SECURITY
 
     -S (online policy)
 
-      This causes unix.pledge("stdio rpath inet dns") to be called on
+      This causes unix.pledge("stdio rpath inet dns id") to be called on
       workers after fork() is called. This permits read-only operations
       and APIs like Fetch() that let workers send and receive data with
       private and public Internet hosts. Access to the unix module is
@@ -267,10 +267,12 @@ SECURITY
 
     -SS (offline policy)
 
-      This causes unix.pledge("stdio rpath") to be called on workers
+      This causes unix.pledge("stdio rpath id") to be called on workers
       after after fork() is called. This prevents workers from talking
       to the network (other than the client) and allows read-only file
-      system access (e.g. `-D DIR` flag).
+      system access (e.g. `-D DIR` flag). The `id` group helps you to
+      call other functions important to redbean security, such as the
+      unix.setrlimit() function.
 
     -SSS (contained policy)
 
@@ -281,6 +283,11 @@ SECURITY
       should only be able to serve from its own zip file in this mode.
       Lua script access to the unix module is highly restricted.
 
+  Unlike the unix.pledge() function, these sandboxing flags use a more
+  permissive policy on Linux. Rather than killing the process, they'll
+  cause system calls to fail with EPERM instead. Therefore these flags
+  should be gentler when you want security errors to be recoverable.
+
   See http://redbean.dev for further details.
 
 ────────────────────────────────────────────────────────────────────────────────
@@ -3834,8 +3841,11 @@ UNIX MODULE
     This can be used to sandbox your redbean workers. It allows finer
     customization compared to the `-S` flag.
 
-    Pledging causes most system calls to become unavailable. On Linux the
-    disabled calls will return EPERM whereas OpenBSD kills the process.
+    Pledging causes most system calls to become unavailable. If a
+    forbidden system call is used, then the process will be killed. In
+    that case, on OpenBSD, your system log will explain which promise
+    you need. On Linux, we report the promise to stderr, with one
+    exception: reporting is currently not possible if you pledge exec.
 
     Using pledge is irreversible. On Linux it causes PR_SET_NO_NEW_PRIVS
     to be set on your process.

tool/net/redbean.c

@@ -25,6 +25,7 @@
 #include "libc/calls/struct/flock.h"
 #include "libc/calls/struct/iovec.h"
 #include "libc/calls/struct/rusage.h"
+#include "libc/calls/struct/seccomp.h"
 #include "libc/calls/struct/sigaction.h"
 #include "libc/calls/struct/stat.h"
 #include "libc/calls/struct/termios.h"
@@ -32,6 +33,7 @@
 #include "libc/dns/dns.h"
 #include "libc/dns/hoststxt.h"
 #include "libc/dos.h"
+#include "libc/errno.h"
 #include "libc/fmt/conv.h"
 #include "libc/fmt/itoa.h"
 #include "libc/intrin/kprintf.h"
@@ -6585,17 +6587,18 @@ static void UnveilRedbean(void) {
 }
 
 static int EnableSandbox(void) {
+  __pledge_mode = SECCOMP_RET_ERRNO | EPERM;
   switch (sandboxed) {
     case 0:
       return 0;
     case 1:  // -S
       DEBUGF("(stat) applying '%s' sandbox policy", "online");
       UnveilRedbean();
-      return pledge("stdio rpath inet dns", 0);
+      return pledge("stdio rpath inet dns id", 0);
     case 2:  // -SS
       DEBUGF("(stat) applying '%s' sandbox policy", "offline");
       UnveilRedbean();
-      return pledge("stdio rpath", 0);
+      return pledge("stdio rpath id", 0);
     default:  // -SSS
       DEBUGF("(stat) applying '%s' sandbox policy", "contained");
       UnveilRedbean();