sandbox: Work around extra file descriptor opened by importing ctypes since python...

sandbox: Work around extra file descriptor opened by importing ctypes since python 3.14

Since python 3.14, importing ctypes opens an extra file descriptor which is used to allocate libffi
closures which are in turn used by ctypes to pass python functions as C callback function pointers. We
don't use this functionality, yet the file descriptor is still opened and messes with the file descriptor
packing logic since the file descriptor to libffi will be passed as a packed file descriptor to the
executable we're invoking. To avoid that from happening, we close libffi's file descriptor after importing
ctypes.

See https://github.com/python/cpython/issues/135893.