feat(linux-sandbox): vendor bubblewrap and wire it with FFI (#10413)

## Summary

Vendor Bubblewrap into the repo and add minimal build plumbing in
`codex-linux-sandbox` to compile/link it.

## Why

We want to move Linux sandboxing toward Bubblewrap, but in a safe
two-step rollout:
1) vendoring/build setup (this PR),  
2) runtime integration (follow-up PR).

## Included

- Add `codex-rs/vendor/bubblewrap` sources.
- Add build-time FFI path in `codex-rs/linux-sandbox`.
- Update `build.rs` rerun tracking for vendored files.
- Small vendored compile warning fix (`sockaddr_nl` full init).

follow up in https://github.com/openai/codex/pull/9938

codex-rs/vendor/bubblewrap/release-checklist.md

@@ -0,0 +1,18 @@
+bubblewrap release checklist
+============================
+
+* Collect release notes in `NEWS`
+* Update version number in `meson.build` and release date in `NEWS`
+* Commit the changes
+* `meson dist -C ${builddir}`
+* Do any final smoke-testing, e.g. update a package, install and test it
+* `git evtag sign v$VERSION`
+    * Include the release notes from `NEWS` in the tag message
+* `git push --atomic origin main v$VERSION`
+* https://github.com/containers/bubblewrap/releases/new
+    * Fill in the new version's tag in the "Tag version" box
+    * Title: `$VERSION`
+    * Copy the release notes into the description
+    * Upload the tarball that you built with `meson dist`
+    * Get the `sha256sum` of the tarball and append it to the description
+    * `Publish release`