feat(sandbox): Landlock TCP port restriction for mandatory proxy enforcement

[Ladas]

Summary

Add Landlock ABI v4 TCP port restriction to Platform mode. When active,
the kernel restricts connect() to only the proxy port (default 3128).
Any connect() to another port returns EACCES at the kernel level.

This closes the cooperative proxy gap: without this, a process ignoring
HTTP_PROXY can connect directly (caught only by K8s NetworkPolicy at
the CNI level). With this, enforcement is at the kernel LSM layer -- no
userspace bypass possible.

Depends on: #12 (Platform mode base)

What changes

• Import AccessNet, NetPort from the landlock crate (already v0.4, supports network rules)
• In prepare(): handle AccessNet::ConnectTcp and add NetPort rule for the proxy port when Platform mode
• Graceful degradation: if kernel ABI < v4, network rules silently skipped (cooperative proxy + NetworkPolicy fallback)

How it works

Agent → connect(evil.com:443) → Landlock EACCES (port 443 not in allowlist)
Agent → connect(127.0.0.1:3128) → Landlock allows → proxy → OPA domain check

Property	Value
Capabilities required	None
restricted-v2 compatible	Yes
Enforcement level	Tier 1 (kernel LSM hook)
Performance overhead	Negligible (in-kernel, no context switch)
RHEL 9.6 support	Yes (ABI v4 backported)
Graceful degradation	Yes (skips on ABI < v4)

Related

• Analysis: docs/research/openshell-network-enforcement-analysis.md
• Upstream: feat: Support restricted SecurityContextConstraints for managed Kubernetes platforms NVIDIA/OpenShell#899

Assisted-By: Claude Code