unveil: Added truncate support on Linux 6.2+ (#803)

Right now, Cosmopolitan uses Linux Landlock ABI version 2 on Linux,
meaning that the polyfill for unveil() cannot restrict operations such
as truncate() (a limitation of Landlock's ABI from then). This means
that to restrict truncation operations Cosmopolitan instead has to ban
the syscall through a SECCOMP BPF filter, meaning that completely
legitimate truncate() calls are blocked.

However, the newest version of the Landlock ABI (version 3), introduced
in Linux 6.2, released in February 2023, implements support for controlling truncation
operations. As such, the previous SECCOMP BPF truncate() filtering is
no longer needed when the new ABI is available.

This patch implements unveil truncate support for Linux Landlock ABI
version 3.
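The ABI probe the commit message relies on, as an added example that is not Cosmopolitan's code: ask the kernel for its highest Landlock ABI with landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION), clip the set of handled filesystem rights to what that ABI knows (handling an unknown bit makes ruleset creation fail with EINVAL), and only fall back to a seccomp truncate ban when the TRUNCATE right is unavailable. The LL_* constants and the one-field ruleset struct are copied from the Linux UAPI header so the file builds without kernel headers; the helper names (landlock_abi_version, handled_fs_access, needs_seccomp_truncate_filter, create_fs_ruleset) are hypothetical.

```c
// Added example, not Cosmopolitan code: decide at run time whether truncate()
// can be governed by Landlock (ABI >= 3, Linux 6.2) or still needs seccomp.
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444  /* same number on every Linux arch */
#endif

/* Values assumed to match linux/landlock.h (LANDLOCK_* names there). */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_ACCESS_FS_REFER        (1ULL << 13)  /* added in ABI 2 */
#define LL_ACCESS_FS_TRUNCATE     (1ULL << 14)  /* added in ABI 3 */
#define LL_ABI1_FS_MASK           ((1ULL << 13) - 1)  /* EXECUTE .. MAKE_SYM */

/* ABI 1-3 layout of struct landlock_ruleset_attr: a single 64-bit mask. */
struct ll_ruleset_attr {
  uint64_t handled_access_fs;
};

/* Highest Landlock ABI the running kernel supports, or -1 if Landlock is
 * absent/disabled (ENOSYS or EOPNOTSUPP). */
static int landlock_abi_version(void) {
  long rc = syscall(SYS_landlock_create_ruleset, (void *)0, (size_t)0,
                    LL_CREATE_RULESET_VERSION);
  return rc < 0 ? -1 : (int)rc;
}

/* Filesystem rights a ruleset may "handle" on the given ABI. Anything the
 * kernel does not know must be left out or creation fails with EINVAL. */
static uint64_t handled_fs_access(int abi) {
  if (abi < 1) return 0;
  uint64_t mask = LL_ABI1_FS_MASK;
  if (abi >= 2) mask |= LL_ACCESS_FS_REFER;
  if (abi >= 3) mask |= LL_ACCESS_FS_TRUNCATE;
  return mask;
}

/* True when truncate() cannot be expressed as a Landlock right and the
 * caller must fall back to banning the syscall outright with seccomp. */
static int needs_seccomp_truncate_filter(int abi) {
  return !(handled_fs_access(abi) & LL_ACCESS_FS_TRUNCATE);
}

/* Create a ruleset that handles every right the ABI offers. Returns the
 * ruleset fd, or -1 with errno set. Paths would then be allowed with
 * landlock_add_rule() and the sandbox sealed with landlock_restrict_self(). */
static int create_fs_ruleset(int abi) {
  struct ll_ruleset_attr attr = {.handled_access_fs = handled_fs_access(abi)};
  if (attr.handled_access_fs == 0) {
    errno = ENOSYS;
    return -1;
  }
  long fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0U);
  return fd < 0 ? -1 : (int)fd;
}

int main(void) {
  int abi = landlock_abi_version();
  if (abi < 0) {
    printf("Landlock unavailable (errno %d); truncate needs a seccomp filter\n",
           errno);
    return 0;
  }
  printf("Landlock ABI %d: handled mask 0x%llx, seccomp truncate filter %s\n",
         abi, (unsigned long long)handled_fs_access(abi),
         needs_seccomp_truncate_filter(abi) ? "needed" : "not needed");
  int fd = create_fs_ruleset(abi);
  if (fd < 0) {
    printf("ruleset creation failed (errno %d)\n", errno);
  } else {
    printf("ruleset fd %d created; TRUNCATE is %s\n", fd,
           abi >= 3 ? "a Landlock-handled right" : "not restrictable here");
    close(fd);
  }
  return 0;
}
```

On a 6.2+ kernel the probe returns 3 or higher and the mask carries bit 14, so the seccomp ban can be skipped and legitimate truncate() calls on unveiled "w" paths go through; on an older kernel the probe returns 1 or 2 and the same code path reports that the filter is still required.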
Gabriel Ravier 2023-04-18 01:17:02 +02:00 committed by GitHub
parent f7bccf5513
commit d5b8b644c2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 61 additions and 18 deletions


@ -68,6 +68,10 @@ void SetUp(void) {
ASSERT_SYS(0, 0, stat("/zip/life.elf", &st));
}
bool HasTruncateSupport(void) {
return IsOpenbsd() || landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION) >= 3;
}
TEST(unveil, api_differences) {
SPAWN(fork);
ASSERT_SYS(0, 0, mkdir("foo", 0755));
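Review bot: HasTruncateSupport() issues the Linux-only landlock_create_ruleset() probe on every platform except OpenBSD, so on the other targets this test builds for the helper depends on the polyfill returning a negative value rather than on the platform actually being asked; guard it as `IsOpenbsd() || (IsLinux() && landlock_create_ruleset(0, 0, LANDLOCK_CREATE_RULESET_VERSION) >= 3)` so the intent is explicit. The `>= 3` comparison itself is sound, since a kernel without Landlock fails the probe with -1. Also, this is a test-local helper added to a test file, so declare it `static` to keep it out of the link namespace.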
@ -245,7 +249,7 @@ TEST(unveil, truncate_isForbiddenBySeccomp) {
ASSERT_SYS(0, 0, xbarf("garden/secret.txt", "hello", 5));
ASSERT_SYS(0, 0, unveil("jail", "rw"));
ASSERT_SYS(0, 0, unveil(0, 0));
ASSERT_SYS(IsOpenbsd() ? ENOENT : EPERM, -1,
ASSERT_SYS(!HasTruncateSupport() ? EPERM : EACCES_OR_ENOENT, -1,
truncate("garden/secret.txt", 0));
if (IsLinux()) {
ASSERT_SYS(0, 0, stat("garden/secret.txt", &st));
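Review bot: the test is still named truncate_isForbiddenBySeccomp, but the new expectation `ASSERT_SYS(!HasTruncateSupport() ? EPERM : EACCES_OR_ENOENT, -1, truncate(...))` means that on Landlock ABI 3 the denial comes from Landlock (EACCES) rather than from the seccomp filter (EPERM), so the name now describes only the fallback path; rename it (for example truncate_isForbidden) or split it into a seccomp case and a Landlock case. The negated ternary also reads backwards; `HasTruncateSupport() ? EACCES_OR_ENOENT : EPERM` says the same thing without the `!`.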