Remove seccomp policy files from container filesystem

[dma]

Right now seccomp policy files are hand-whitelisted in the oz profile document. This was a temporary hack for a time when there was no oz-seccomp support at all in Oz.

Ideally the seccomp policy is read from outside of the Oz sandbox filesystem entirely, as is the JSON Oz profile, which is passed to oz-init via stdin.