feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

## Summary

Vendor Bubblewrap into the repo and add minimal build plumbing in
`codex-linux-sandbox` to compile/link it.

## Why

We want to move Linux sandboxing toward Bubblewrap, but in a safe
two-step rollout:
1) vendoring/build setup (this PR),  
2) runtime integration (follow-up PR).

## Included

- Add `codex-rs/vendor/bubblewrap` sources.
- Add build-time FFI path in `codex-rs/linux-sandbox`.
- Update `build.rs` rerun tracking for vendored files.
- Small vendored compile warning fix (`sockaddr_nl` full init).

follow up in https://github.com/openai/codex/pull/9938

codex-rs/vendor/bubblewrap/demos/userns-block-fd.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import os, select, subprocess, sys, json
+
+pipe_info = os.pipe()
+userns_block = os.pipe()
+
+pid = os.fork()
+
+if pid != 0:
+    os.close(pipe_info[1])
+    os.close(userns_block[0])
+
+    select.select([pipe_info[0]], [], [])
+
+    data = json.load(os.fdopen(pipe_info[0]))
+    child_pid = str(data['child-pid'])
+
+    subprocess.call(["newuidmap", child_pid, "0", str(os.getuid()), "1"])
+    subprocess.call(["newgidmap", child_pid, "0", str(os.getgid()), "1"])
+
+    os.write(userns_block[1], b'1')
+else:
+    os.close(pipe_info[0])
+    os.close(userns_block[1])
+
+    os.set_inheritable(pipe_info[1], True)
+    os.set_inheritable(userns_block[0], True)
+
+    args = ["bwrap",
+            "bwrap",
+            "--unshare-all",
+            "--unshare-user",
+            "--userns-block-fd", "%i" % userns_block[0],
+            "--info-fd", "%i" % pipe_info[1],
+            "--bind", "/", "/",
+            "cat", "/proc/self/uid_map"]
+
+    os.execlp(*args)