
Enabling non-executable memfds

Posted Dec 20, 2022 14:22 UTC (Tue) by walters (subscriber, #7396)
Parent article: Enabling non-executable memfds

IMO what we really want to do is extend the W^X philosophy into the filesystem by default; the Unix permissions can try to enforce this, though CAP_DAC_OVERRIDE ruins it (and it's a capability which is often propagated into containers).

Anyways, runc doesn't need to make a temporary copy of itself if it knows the underlying file can't be mutated. So runc could learn to query whether the underlying binary has fs-verity enabled or comes from a read-only mount.

It's kind of tempting though to try an LSM (or perhaps SELinux control) which modifies CAP_DAC_OVERRIDE's semantics to not allow writing to an executable path.


Enabling non-executable memfds

Posted Dec 20, 2022 18:52 UTC (Tue) by walters (subscriber, #7396)

OK rather than talk about it, I typed up https://github.com/containers/crun/pull/1105


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds