Handle kernels which lack CONFIG_USER_NS
The error raised is "Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems." Ensuring that the bwrap binary is setuid does not solve this problem.
Since the sandbox implementation won't work without being able to create user namespaces, the most appropriate course of action seems to be to raise that error a lot sooner, and in a less confusing way.
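One way such an early check could look, as an added example that is not the project's own code. The names `userns_problem`, `preflight` and `UserNamespaceUnavailable` and the `proc_root`/`euid` parameters are hypothetical, and the procfs probes are heuristics that run before any sandbox is launched:

```python
import os


class UserNamespaceUnavailable(RuntimeError):
    """Raised at startup when the sandbox cannot rely on user namespaces."""


def _read_int(path):
    # Return the integer stored in a sysctl file, or None if absent/unreadable.
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def userns_problem(proc_root="/proc", euid=None):
    """Return None if user namespaces look usable, else a short reason string."""
    euid = os.geteuid() if euid is None else euid
    # A kernel built without CONFIG_USER_NS exposes no ns/user entry at all.
    if not os.path.lexists(os.path.join(proc_root, "self", "ns", "user")):
        return "kernel lacks CONFIG_USER_NS"
    # Upstream sysctl: a limit of 0 disables creation of user namespaces.
    if _read_int(os.path.join(proc_root, "sys/user/max_user_namespaces")) == 0:
        return "user.max_user_namespaces is 0"
    # Distribution-specific toggle (Debian-derived kernels); only binds non-root.
    clone = os.path.join(proc_root, "sys/kernel/unprivileged_userns_clone")
    if euid != 0 and _read_int(clone) == 0:
        return "kernel.unprivileged_userns_clone is 0"
    return None


def preflight(proc_root="/proc", euid=None):
    # Call once at startup so the failure is reported before any build begins.
    reason = userns_problem(proc_root, euid)
    if reason is not None:
        raise UserNamespaceUnavailable(
            "Sandboxing requires user namespaces, which are unavailable: " + reason
        )


if __name__ == "__main__":
    print(userns_problem() or "user namespaces appear to be available")
```

A missing sysctl file is treated as "no restriction", so older kernels that predate those knobs still pass the check.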