Add seccomp filter to limit system calls

[conankun]

Example: https://unix.stackexchange.com/questions/404016/computing-sandbox-with-ptrace-inspecting

System calls table: https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md

Default seccomp doesn't work since any program with malloc will be terminated.

[conankun]

Also, useful document

https://tech.liuchao.me/2017/11/online-judge-from-scratch-3/