containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

add support for stopping applications from using certain ports #648

Closed beh-10257 closed 4 months ago

beh-10257 commented 4 months ago

[image]

Spotify in Flatpak does this, and to be honest I just got the idea for this feature request. Is there a way to stop Spotify from using this port so it doesn't break avahi-daemon?

rusty-snake commented 4 months ago

1. You can use --seccomp to block any attempt to bind any socket to any address.
2. You can use --unshare-net and use pasta/slirp4netns.
3. You can use eBPF (requires CAP_BPF on newer kernels or CAP_SYS_ADMIN on older kernels).

smcv commented 4 months ago

As far as I'm aware, there is no simple way to achieve this. (Of course, contributors are welcome to prove me wrong by finding one and implementing it as a merge request.)

@rusty-snake has described the non-simple ways to achieve this, all of which seem like they are outside the scope of bubblewrap.

Because bubblewrap is setuid root on some systems, every line of code and every dependency that we add to it could potentially be a root security vulnerability, so in general the recommendation is for bubblewrap to only do the things that are either critical functionality, or so simple that their implementation is obviously correct; and then move non-critical functionality to a larger framework outside bubblewrap (Flatpak is one example of a larger framework like this).

For example, bubblewrap intentionally does not know how to compile seccomp filters, but it is able to accept a pre-compiled seccomp filter from whatever larger framework is running it; and when Flatpak runs bubblewrap, it compiles a seccomp filter and provides it to bubblewrap.
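An added example, not part of the thread and not bubblewrap or Flatpak code: a wrapper that builds the kind of pre-compiled filter `--seccomp` accepts, making every bind(2) fail with EPERM, and hands it to bwrap on a pipe. A seccomp filter sees only the syscall number and raw argument values, not the sockaddr behind the pointer, so it cannot single out one port. Assumptions: x86_64 only, a filter hand-assembled rather than compiled with a library, and hypothetical function names.

```python
import os, struct, subprocess, sys
# Classic BPF opcodes and seccomp constants (linux/bpf_common.h, linux/seccomp.h)
LD_ABS, JEQ, JGE, RET = 0x20, 0x15, 0x35, 0x06
RET_KILL, RET_ERRNO, RET_ALLOW = 0x80000000, 0x00050000, 0x7FFF0000
AUDIT_ARCH_X86_64, X32_SYSCALL_BIT = 0xC000003E, 0x40000000
NR_BIND, EPERM = 49, 1   # __NR_bind on x86_64 (assumed target); other ABIs differ
OFF_NR, OFF_ARCH = 0, 4  # field offsets in struct seccomp_data

def insn(code, jt, jf, k):  # one struct sock_filter {u16 code; u8 jt, jf; u32 k}
    return struct.pack("=HBBI", code, jt, jf, k)

def build_deny_bind_filter():
    """bind(2) fails with EPERM; every other x86_64 syscall is allowed."""
    return b"".join([
        insn(LD_ABS, 0, 0, OFF_ARCH),
        insn(JEQ, 1, 0, AUDIT_ARCH_X86_64),  # expected ABI: skip the kill
        insn(RET, 0, 0, RET_KILL),           # other ABIs number syscalls differently
        insn(LD_ABS, 0, 0, OFF_NR),
        insn(JGE, 0, 1, X32_SYSCALL_BIT),    # x32 numbers would dodge the test below
        insn(RET, 0, 0, RET_KILL),
        insn(JEQ, 0, 1, NR_BIND),
        insn(RET, 0, 0, RET_ERRNO | EPERM),
        insn(RET, 0, 0, RET_ALLOW),
    ])

def evaluate(prog, nr, arch):
    """Minimal interpreter for the four opcodes above, to check a filter offline."""
    data, pc, acc = struct.pack("=II", nr, arch), 0, 0
    while True:
        code, jt, jf, k = struct.unpack_from("=HBBI", prog, pc * 8)
        pc += 1
        if code == LD_ABS:
            acc = struct.unpack_from("=I", data, k)[0]
        elif code == JEQ:
            pc += jt if acc == k else jf
        elif code == JGE:
            pc += jt if acc >= k else jf
        else:  # RET
            return k

def run_sandboxed(argv):
    """Hand the filter to bwrap on an inherited pipe, read via --seccomp FD."""
    r, w = os.pipe()
    os.write(w, build_deny_bind_filter())
    os.close(w)  # bwrap reads the descriptor to EOF
    cmd = ["bwrap", "--dev-bind", "/", "/", "--seccomp", str(r)] + argv
    return subprocess.call(cmd, pass_fds=(r,))

if __name__ == "__main__" and len(sys.argv) > 1:
    sys.exit(run_sandboxed(sys.argv[1:]))
```

The filter also stops the sandboxed program from binding AF_UNIX sockets, which is the cost of the "any socket, any address" approach.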