Introduce sysctl health checks for sandboxed Nix

[Thesola10]

This PR adds environment checks to ensure that the Nix sandbox will work properly on Linux, before any obscure failures occur.

This fixes #20 by warning users to Ubuntu's aggressive AppArmor policy.

In the future, this could lead to falling back on system bwrap/proot, like nix-portable does.