Improve pledge() and unveil()

The pledge.com command now supports the new [WIP] unveil() support. For
example, to strongly sandbox our command for listing directories:

    o//tool/build/assimilate.com o//examples/ls.com
    pledge.com -v /etc -p 'stdio rpath' o//examples/ls.com /etc

This file system sandboxing is going to be perfect for us, because APE
binaries are self-contained static executables that really don't use the
filesystem that much. On the other hand, with non-static executables,
sandboxing is going to be more difficult. For example, here's how to
sandbox the `ls` command on the latest Alpine:

    pledge.com -v rx:/lib -v /usr/lib -v /etc -p 'stdio rpath exec' ls /etc

This change fixes the `execpromises` API with pledge().

This change also adds unix.unveil() to redbean.

Fixes #494
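The two invocations above differ only in how many paths must be unveiled: a static APE binary needs just its data paths, while a dynamically linked program also needs its loader and library directories. The following script, which is an added example and not code from this commit or from pledge.com, derives that extra unveil list from ldd(1) output and prints the resulting pledge.com command line. It assumes the flag syntax shown in the commit message (`-v [perms:]path`, `-p promises`), grants `rx` on every library directory as the Alpine `ls` example does for `/lib`, and embeds a constructed ldd transcript so it runs without an Alpine box:

```shell
#!/bin/sh
# Added example (not from the cosmopolitan commit or from pledge.com).
# Derive the unveil() set a dynamically linked program needs and print the
# matching pledge.com invocation. Assumes pledge.com is on PATH and uses the
# flag syntax from the commit message: -v [perms:]path and -p promises.

# Constructed ldd output standing in for `ldd /bin/ls` on Alpine (not captured
# from a real system); the vdso line has no path and must be skipped.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd)
	/lib/ld-musl-x86_64.so.1 (0x00007f00)
	libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x00007f00)
	libcap.so.2 => /usr/lib/libcap.so.2 (0x00007f10)'

# Read ldd-style output on stdin; print the unique directories holding the
# loader and each shared object, sorted, one per line. Accepts both the
# "name => /path (0x...)" and the bare "/path (0x...)" line shapes.
lib_dirs_from_ldd() {
  awk '{
    path = ""
    for (i = 1; i <= NF; i++) if ($i ~ "^/") { path = $i; break }
    if (path == "") next
    sub("/[^/]*$", "", path)          # strip the file name, keep the directory
    if (path == "") path = "/"
    print path
  }' | sort -u
}

# Turn those directories into " -v rx:DIR" flags. The commit message grants
# rx on /lib for the dynamic ls case, so every library directory gets rx here.
dynamic_unveils() {
  lib_dirs_from_ldd | awk '{ printf " -v rx:%s", $0 } END { printf "\n" }'
}

# compose_cmd EXTRA_FLAGS PROMISES BINARY [DATA_PATH...]
# Library unveils first, then each data path (no perms prefix, as in the
# commit message), then the promise set, then the program and its arguments.
# Limitation: paths containing whitespace are not quoted.
compose_cmd() {
  extra=$1; promises=$2; bin=$3; shift 3
  cmd="pledge.com$extra"
  for p in "$@"; do cmd="$cmd -v $p"; done
  printf "%s -p '%s' %s%s\n" "$cmd" "$promises" "$bin" "${1+ $*}"
}

# sandbox_cmd BINARY PROMISES [DATA_PATH...]
# ldd fails on a static APE binary, so only the data paths are unveiled.
# For a dynamic binary, add rx on every library directory plus the exec
# promise, matching the Alpine ls example in the commit message.
sandbox_cmd() {
  bin=$1; promises=$2; shift 2
  extra=""
  if ldd_out=$(ldd "$bin" 2>/dev/null); then
    extra=$(printf '%s\n' "$ldd_out" | dynamic_unveils)
    promises="$promises exec"
  fi
  compose_cmd "$extra" "$promises" "$bin" "$@"
}

# Usage:
#   sandbox_cmd o//examples/ls.com 'stdio rpath' /etc
#   sandbox_cmd /bin/ls 'stdio rpath' /etc
#   printf '%s\n' "$SAMPLE_LDD" | dynamic_unveils
```

The derived list is a starting point, not a proof of sufficiency: a program that dlopen()s plugins or reads configuration under paths ldd never sees still has to be traced (strace -e trace=%file is the usual way) before the unveil set can be called complete.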
Justine Tunney 2022-07-18 07:23:15 -07:00
parent b1d9d11be1
commit e81edf7b04
19 changed files with 535 additions and 150 deletions

@ -33,6 +33,7 @@ i32 sys_dup2(i32, i32) hidden;
i32 sys_dup3(i32, i32, i32) hidden;
i32 sys_execve(const char *, char *const[], char *const[]) hidden;
i32 sys_faccessat(i32, const char *, i32, u32) hidden;
i32 sys_faccessat2(i32, const char *, i32, u32) hidden;
i32 sys_fadvise(i32, i64, i64, i32) hidden;
i32 sys_fchdir(i32) hidden;
i32 sys_fchmod(i32, u32) hidden;
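Review bot: the rendered hunk has lost its +/- markers, so the added line is only inferable from the header count (+33,7 against -33,6); by ordering it is `i32 sys_faccessat2(i32, const char *, i32, u32) hidden;`, which is byte-for-byte the same prototype as sys_faccessat above it. Since faccessat2 is a newer Linux syscall that older kernels reject with ENOSYS, a one-line comment that callers must fall back to sys_faccessat on ENOSYS would stop the two identical-looking declarations from being treated as interchangeable.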
@ -95,6 +96,7 @@ i32 sys_tkill(i32, i32, void *) hidden;
i32 sys_truncate(const char *, u64, u64) hidden;
i32 sys_uname(char *) hidden;
i32 sys_unlinkat(i32, const char *, i32) hidden;
i32 sys_unveil(const char *, const char *) hidden;
i64 sys_copy_file_range(i32, long *, i32, long *, u64, u32) hidden;
i64 sys_getrandom(void *, u64, u32) hidden;
i64 sys_pread(i32, void *, u64, i64, i64) hidden;
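Review bot: `i32 sys_unveil(const char *, const char *) hidden;` is inserted here after sys_unlinkat while the same prototype still appears after sys_umask until the next hunk removes it, so the net effect is a move into sorted position rather than a new declaration; a short comment naming the platform that actually provides this raw syscall (the header gives no hint, unlike the copy_file_range and getrandom neighbours) would help the next reader.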
@ -111,7 +113,6 @@ u32 sys_geteuid(void) hidden;
u32 sys_getgid(void) hidden;
u32 sys_getuid(void) hidden;
u32 sys_umask(u32) hidden;
i32 sys_unveil(const char *, const char *) hidden;
void *__sys_mmap(void *, u64, u32, u32, i64, i64, i64) hidden;
void *sys_mremap(void *, u64, u64, i32, void *) hidden;
void sys_exit(int) hidden;
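Review bot: this hunk only drops the out-of-order `i32 sys_unveil(const char *, const char *) hidden;` between sys_umask and __sys_mmap (header -111,7 +113,6); read on its own it looks like unveil support being removed, so either squash it with the previous hunk that re-adds the identical line in sorted position or mention the reordering in the commit message.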