pinning all system calls

Theo de Raadt (deraadt@)postedto tech@ regarding restrictions on theaddresses from which system calls can be made.

In addition to providing background,the post contains information (and a patch)for an imminent change - the introduction of a newsyscall,pinsyscalls(2)[link not working at the time of writing because change not yet committed],which specifies the addresses from which individualsystem calls are permitted.

pinsyscalls(2) will be called only fromthe shared library linker,ld.so(1).