basic/memfd: fix memfd_map() seal test

basic/memfd: fix memfd_map() seal test

Private mappings are required when F_SEAL_WRITE is set on a memfd,
because otherwise you could end up with writable mappings through
mprotect() and other calls. This is a limitation of the kernel
implementation, and might be lifted by future extensions.

Regardless, the current code tests for the full `is_sealed()` before
using MAP_PRIVATE. This might end up using MAP_SHARED for write-sealed
memfds, which will be refused by the kernel.

Fix this and make memfd_map() check for exactly `F_SEAL_WRITE`.