Unbloat build config

- 10.5% reduction of o//depend dependency graph
- 8.8% reduction in latency of make command
- Fix issue with temporary file cleanup

There's a new -w option in compile.com that turns off the recent
Landlock output path workaround for "good commands" which do not
unlink() the output file like GNU tooling does.

Our new GNU Make unveil sandboxing appears to have zero overhead
in the grand scheme of things. Full builds are pretty fast since
the only thing that's actually slowed us down is probably libcxx

    make -j16 MODE=rel
    RL: took 85,732,063µs wall time
    RL: ballooned to 323,612kb in size
    RL: needed 828,560,521µs cpu (11% kernel)
    RL: caused 39,080,670 page faults (99% memcpy)
    RL: 350,073 context switches (72% consensual)
    RL: performed 0 reads and 11,494,960 write i/o operations

pledge() and unveil() no longer consider ENOSYS to be an error.
These functions have also been added to Python's cosmo module.

This change also removes some WIN32 APIs and System Five magnums
which we're not using and it's doubtful anyone else would be too

libc/calls/unveil.c

@@ -93,13 +93,15 @@ _Thread_local static struct {
 } State;
 
 static int unveil_final(void) {
-  int rc;
+  int e, rc;
   struct sock_fprog sandbox = {
       .filter = kUnveilBlacklist,
       .len = ARRAYLEN(kUnveilBlacklist),
   };
-  if ((rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) != -1 &&
-      (rc = landlock_restrict_self(State.fd, 0)) != -1 &&
+  e = errno;
+  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+  errno = e;
+  if ((rc = landlock_restrict_self(State.fd, 0)) != -1 &&
       (rc = sys_close(State.fd)) != -1 &&
       (rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &sandbox)) != -1) {
     State.fd = 0;
@@ -117,9 +119,11 @@ static int err_close(int rc, int fd) {
 static int unveil_init(void) {
   int rc, fd;
   State.fs_mask = UNVEIL_READ | UNVEIL_WRITE | UNVEIL_EXEC | UNVEIL_CREATE;
-  if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) <
-      0) {
-    if (errno == EOPNOTSUPP) errno = ENOSYS;
+  if ((rc = landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION)) ==
+      -1) {
+    if (errno == EOPNOTSUPP) {
+      errno = ENOSYS;
+    }
     return -1;
   }
   if (rc < 2) {
@@ -250,7 +254,7 @@ int sys_unveil_linux(const char *path, const char *permissions) {
 }
 
 /**
- * Restricts filesystem operations, e.g.
+ * Makes files accessible, e.g.
  *
  *     unveil(".", "r");     // current directory + children are visible
  *     unveil("/etc", "r");  // make /etc readable too
@@ -264,6 +268,10 @@ int sys_unveil_linux(const char *path, const char *permissions) {
  * should become unhidden. When you're finished, you call `unveil(0,0)`
  * which commits your policy.
  *
+ * This function requires OpenBSD or Linux 5.13+. We don't consider lack
+ * of system support to be an ENOSYS error, because the files will still
+ * become unveiled. Therefore we return 0 in such cases.
+ *
  * There are some differences between unveil() on Linux versus OpenBSD.
  *
  * 1. Build your policy and lock it in one go. On OpenBSD, policies take
@@ -333,8 +341,6 @@ int sys_unveil_linux(const char *path, const char *permissions) {
  *       the pledge promise "cpath".
  *
  * @return 0 on success, or -1 w/ errno
- * @raise ENOSYS if host os isn't Linux or OpenBSD
- * @raise ENOSYS if Landlock isn't supported on this kernel
  * @raise EINVAL if one argument is set and the other is not
  * @raise EINVAL if an invalid character in `permissions` was found
  * @raise EPERM if unveil() is called after locking
@@ -343,12 +349,17 @@ int sys_unveil_linux(const char *path, const char *permissions) {
  * @threadsafe
  */
 int unveil(const char *path, const char *permissions) {
-  int rc;
+  int e, rc;
+  e = errno;
   if (IsLinux()) {
     rc = sys_unveil_linux(path, permissions);
   } else {
     rc = sys_unveil(path, permissions);
   }
+  if (rc == -1 && errno == ENOSYS) {
+    errno = e;
+    rc = 0;
+  }
   STRACE("unveil(%#s, %#s) → %d% m", path, permissions, rc);
   return rc;
 }