Add BPF LSM #39

@matthewdevenny

Description

Consider adding eBPF Linux Security Modules to cargowall capabilities:

Execution control — bprm_check_security hook:

  • Block execution of any binary with the SUID/SGID bit set (for the runner UID)
  • Or go further: allowlist which binaries the runner user can execute at all
  • This kills the SUID privesc vector at the kernel level — no need to strip bits from the filesystem

File integrity — file_open / inode_permission hooks:

  • Deny writes to /etc/sudoers.d/, /etc/passwd, /etc/shadow, /etc/ld.so.preload
  • Even if something escalates to root through an unknown vector, it can't persist or modify auth config
  • Pairs well with the existing sudo lockdown — belt and suspenders

Privilege transition blocking — task_fix_setuid hook:

  • Block any process from changing its effective UID to 0, except cargowall's own PID
  • This is the nuclear option against kernel privesc — even if an exploit gains code execution in kernel context, the eBPF program fires before the credential change completes

Kernel module loading — kernel_read_file hook:

  • Block insmod/modprobe — prevents loading a malicious kernel module
  • Equivalent to kernel.modules_disabled=1 but reversible on teardown

Mount restrictions — sb_mount hook:

  • Block mounting proc/sysfs/devtmpfs in unexpected locations (common container escape primitive)
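The five hooks proposed above, as an added example that is not cargowall's code: a user-space C model of the decision each BPF LSM handler would make, so the policy can be unit-tested before it is wired into SEC("lsm/...") programs. The actual BPF programs (built against vmlinux.h and libbpf) are not shown; RUNNER_UID, CARGOWALL_PID and the policy_* function names are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
/* Constructed values: the UID the runner executes as and cargowall's own PID. */
#define RUNNER_UID    1001
#define CARGOWALL_PID 4242
/* Same ordering as the kernel's enum kernel_read_file_id for the ids used here. */
enum read_file_id { READING_UNKNOWN, READING_FIRMWARE, READING_MODULE };

/* bprm_check_security: refuse SUID/SGID binaries when the runner UID execs them. */
int policy_bprm_check(uid_t uid, mode_t mode) {
    return (uid == RUNNER_UID && (mode & (S_ISUID | S_ISGID))) ? -EPERM : 0;
}

/* file_open: deny write-mode opens of the auth/persistence files, for any UID. */
static const char *const protected_paths[] = {
    "/etc/sudoers.d/", "/etc/passwd", "/etc/shadow", "/etc/ld.so.preload" };
int policy_file_open(const char *path, bool for_write) {
    if (!for_write)
        return 0;
    for (size_t i = 0; i < sizeof protected_paths / sizeof *protected_paths; i++) {
        const char *p = protected_paths[i];
        size_t n = strlen(p);
        /* A trailing '/' marks a directory: match anything beneath it. */
        if (p[n - 1] == '/' ? strncmp(path, p, n) == 0 : strcmp(path, p) == 0)
            return -EPERM;
    }
    return 0;
}

/* task_fix_setuid: only cargowall's own PID may transition to euid 0. */
int policy_fix_setuid(pid_t pid, uid_t new_euid) {
    return (new_euid == 0 && pid != CARGOWALL_PID) ? -EPERM : 0;
}

/* kernel_read_file: block module loads (insmod/modprobe); firmware stays allowed. */
int policy_kernel_read_file(enum read_file_id id) {
    return id == READING_MODULE ? -EPERM : 0;
}

/* sb_mount: proc/sysfs/devtmpfs may only be mounted on their canonical paths. */
int policy_sb_mount(const char *fstype, const char *mountpoint) {
    static const char *const canon[][2] = { {"proc", "/proc"}, {"sysfs", "/sys"}, {"devtmpfs", "/dev"} };
    for (size_t i = 0; i < 3; i++)
        if (strcmp(fstype, canon[i][0]) == 0)
            return strcmp(mountpoint, canon[i][1]) == 0 ? 0 : -EPERM;
    return 0; /* other filesystem types are outside this rule */
}
```

In the real hooks the path string would come from bpf_d_path() on the struct file, and the exemption in task_fix_setuid should key on cargowall's PID as recorded at startup rather than a compile-time constant.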
