sandbox tweak - late seccomp
The seccomp code should be split out of sandbox() Then it can be called late in the initialization when built with --enable-early-droproot
The idea is that we don't have to allow whatever OpenSSL does during initializatin.