allow some socket syscalls in seccomp sandbox

allow some socket syscalls in seccomp sandbox

Allow getsockname(2), getpeername(2) and getsockopt(2).

Also allow setsockopt(2) but only IP_TOS and IPV6_TCLASS.

Note that systems that use the older socketcall(2) mux syscall will
not have IP_TOS and IPV6_TCLASS allowlisted. On these platforms,
these calls will be soft-blocked (i.e. will fail rather than
terminate the whole process with a sandbox violation).

Needed for upcoming IPQoS change; ok dtucker@