accept4(2) isn't part of any standard (even though it'll be part in the future) and raises warnings on some linux distro. Moreover, we don't have thread that may fork at any time, so doing a mark_nonblock after isn't a big deal.

fatal logs to the correct place, err only on stderr.

these are required to run on arch linux (at least)

fedora 33 issue an epoll_wait instead of pwait.

add/remove syscalls from the BPF filter and move sandbox() after libevent initialisation

not a big deal, since the pledge prohibits us to exec, but nevertheless.

musl does a F_SETFD in its fdopendir