Draft: Contain rewrite
This is a work in progress.
Contain can now handle multiple schemes. It can either do chroot on the `file:` scheme, or it can act as a filter, allowing access to only the schemes, directories and files that are named during startup. Most capabilities can be configured via command line.
There may be some overlap with the way `relibc` does canonicalization, but `contain` will also guard against improper use of symbolic links via direct syscall.
It is intended that we can use `contain` to guard against misuse of `display:` and `pty:` schemes, but I don't know enough about what should be allowed to complete that yet.
There is a mix of `relibc`, `libredox` and `syscall` interfaces. There seem to be some things missing from `libredox`, so that should be discussed once `contain` is closer to being ready.