
Restrict syscalls for the download process whenever possible

Remi Gacogne requested to merge rgacogne/pacman:seccomp into master

This PR adds a list of Linux syscalls that a sandboxed download process is explicitly forbidden to call, to further restrict the risk of a compromised process being able to elevate privileges via a local privilege escalation flaw. As discussed a while ago, explicitly listing forbidden syscalls is a trade-off: good for usability (pretty much no risk of breakage) but less efficient in terms of security. However, it's not really possible to list all syscalls that might be used by third-party libraries in the future in a safe way: simply upgrading the libc could lead to a new syscall being used, causing a failure. The current list of forbidden syscalls is not perfect either, but it should be safe and it already removes a fair amount of attack surface.

I promise this is the last change I have in mind for the sandboxing code! It would be nice to also sandbox signature verification, of course, but I don't currently have the bandwidth to work on that.
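As an added example (not pacman's own code), this is how a deny-list filter of the kind the merge request describes can be installed with seccomp-BPF directly through prctl(), without libseccomp; the three forbidden syscalls are an illustrative assumption, not the MR's actual list, and the architecture check at the top is what keeps the filter from being bypassed through a different syscall ABI.

```c
/* Added example (not pacman's code): a seccomp-BPF deny-list in the style the
 * MR describes, built with raw prctl()/BPF so libseccomp is not needed.
 * The forbidden list is illustrative, not the MR's actual list. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Illustrative deny-list: syscalls a download process has no reason to make. */
static const int forbidden[] = { SYS_ptrace, SYS_mount, SYS_setuid };
#define N_FORBIDDEN (sizeof forbidden / sizeof forbidden[0])

/* Build and install the filter: everything not listed stays allowed.
 * Returns 0 on success, -1 with errno set on failure. */
int install_denylist(void)
{
    struct sock_filter prog[4 + N_FORBIDDEN + 2];
    size_t i, n = 0;
    /* Kill the process if the ABI is not the one the syscall numbers belong to. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < N_FORBIDDEN; i++) /* on match, jump past ALLOW to the EPERM return */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, forbidden[i], (unsigned char)(N_FORBIDDEN - i), 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe a forbidden syscall with harmless arguments (setuid to our own uid):
 * returns 0 if it went through, otherwise the errno (EPERM once filtered). */
int probe_setuid(void)
{
    return syscall(SYS_setuid, getuid()) == 0 ? 0 : errno;
}
```

Calling probe_setuid() before and after install_denylist() shows the same harmless syscall go from succeeding to failing with EPERM, while unlisted syscalls keep working, which is the usability side of the trade-off the description mentions.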
