
Sandbox elftool

Open cfcs opened this issue 6 years ago • 0 comments

Since mfttool (EDIT: now elftool) is designated to be used as the default means of learning about a unikernel's MFT (from an orchestration system perspective, for example) (see discussion in https://github.com/Solo5/solo5/issues/372#issuecomment-525272670), it will be parsing untrusted input in the host.

Sandboxing this with seccomp/pledge/capsicum/whatever would seem to make sense to me.

While I would of course prefer a high-level implementation doing this, using the C executable has two benefits:

  • It's using the exact same code as the actual loader, which means parser discrepancies are less of an issue.
  • Incidentally(?), a stand-alone executable is a lot easier to sandbox than the tender, or library function, since its scope of operation is pretty limited (can basically be reduced to read/write/flush/exit). That means mfttool can be our first line of defense against malicious input. An exploit targeting the MFT handling code would have to be written to not trigger during the first (sandboxed) mfttool stage (or at least not crash that), while also exploiting the actual (less sandboxed) tender.

cfcs · Aug 27 '19 14:08
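Added example, not code from the issue or from the Solo5 project: a seccomp-bpf allow-list of the kind the issue proposes for the elftool stage, reducing the process to roughly read/write/flush/exit before it touches untrusted input, plus a small offline interpreter so the policy can be unit-tested without installing it. It assumes Linux on x86_64 or aarch64, takes `fsync` as "flush" and adds `exit_group` (what libc's `exit()` actually calls); `build_filter`, `filter_decision` and `install_filter` are names chosen here.

```c
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#define FILTER_ARCH AUDIT_ARCH_X86_64  /* assumption: x86_64 unless building for arm64 */
#endif
/* The issue's read/write/flush/exit; fsync as "flush" and exit_group (libc exit()) are assumptions. */
static const int allowed[] = { SYS_read, SYS_write, SYS_fsync, SYS_exit, SYS_exit_group };
#define NALLOWED (sizeof(allowed) / sizeof(allowed[0]))
#define NINSN (NALLOWED + 6)
#define INSN(...) (struct sock_filter)__VA_ARGS__
/* Emit the cBPF allow-list into prog; returns instruction count, 0 if prog is too small. */
size_t build_filter(struct sock_filter *prog, size_t max) {
    size_t n = 0;
    if (max < NINSN) return 0;
    /* Check the ABI before trusting nr: a compat-ABI call uses different syscall numbers. */
    prog[n++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    prog[n++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0));
    prog[n++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    prog[n++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < NALLOWED; i++)  /* match: jump past the remaining checks and the kill */
        prog[n++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], (__u8)(NALLOWED - i), 0));
    prog[n++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    prog[n++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return n;
}
/* Offline interpreter for the three instruction forms used above: returns the SECCOMP_RET_* action. */
__u32 filter_decision(const struct sock_filter *p, size_t n, __u32 arch, __u32 nr) {
    __u32 acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (p[pc].k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;  /* loop's pc++ supplies the +1 */
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
    }
    return SECCOMP_RET_KILL;
}
/* Install on the calling thread once all fds are open and before the first untrusted byte is parsed. */
int install_filter(void) {
    struct sock_filter prog[NINSN];
    struct sock_fprog fp = { .len = (unsigned short)build_filter(prog, NINSN), .filter = prog };
    if (fp.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
```

After `install_filter()` succeeds, any syscall outside the list (an `openat`, `mmap`, `execve`, or a call made through a foreign ABI) terminates the parser instead of being serviced, which is what turns a memory-safety bug in the MFT/ELF code into a crash of the sandboxed stage.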