Add seccomp and rules imported from xdg-app/Sandstorm.io

seccomp is disabled by default for backwards compatibility.

This "v0" version is a basic blacklist that turns off some of the
known historical attack surface, initially imported from xdg-app.

I added a note about code sharing - we should share rules among
container implementations.