fix: overhaul how we spawn commands under seccomp/landlock on Linux

codex-rs/linux-sandbox/README.md

@@ -0,0 +1,8 @@
+# codex-linux-sandbox
+
+This crate is responsible for producing:
+
+- a `codex-linux-sandbox` standalone executable for Linux that is bundled with the Node.js version of the Codex CLI
+- a lib crate that exposes the business logic of the executable as `run_main()` so that
+  - the `codex-exec` CLI can check if its arg0 is `codex-linux-sandbox` and, if so, execute as if it were `codex-linux-sandbox`
+  - this should also be true of the `codex` multitool CLI