Seccomp syscall filtering was recently added, and it's a nice feature. Some of the system call restrictions do need to be lifted in certain scenarios (e.g., some compilers lock files, and this require 4 not to be set, the PL/I toolchain is 32-bit, so it requires 16 not to be set (thanks for adding that setting, turned out to be useful! :)).

Currently, syscall_flags are globally configured for an isolate installation in the config file. This PR makes it so that they can be given as a command-line option when starting an isolate run. This allows us to only permit dangerous system calls more dynamically. For instance, I'm less worried about file locks during compilation than during a run. And similarly, while we need to support an esoteric language with a 32-bit compiler, I prefer not allowing 32-bit binaries in all my sandboxes.

I initially wrote this as a feature request issue, but figured that the patch was so small and simple, I may as well just turn the feature request into a PR. Obviously, feel free to just close if I got the style wrong/this is a bad idea/you prefer to build it yourself. I struggled a bit with naming the option to not make isolate --help ugly, --syscall-flags=<flags> would feel more natural, but is too long.