Add riscv64 architecture support

[congwang-mk]

Ports sandlock to riscv64 (riscv64gc-unknown-linux-gnu).

Changes

• arch.rs: riscv64 syscall table + AUDIT_ARCH_RISCV64 for the seccomp filter. Like aarch64, riscv64 uses the generic syscall ABI (no legacy open/fork/etc.).
• sys/syscall.rs: raw ecall inline asm for the direct-syscall path.
• fork.rs: riscv64 has no fork(2), so use glibc fork() (clone with SIGCHLD), like aarch64.
• vdso.rs: hand-encoded RV64 vDSO time-offset stubs for clock_gettime/gettimeofday. The 64-bit offset is embedded in the stub and loaded PC-relative (auipc + two naturally-aligned lwu/lw loads, avoiding a misaligned 8-byte load); each entry is patched with a single j into the stub in the vDSO tail slack (the aarch64 trampoline approach).
• test_cow.rs: the legacy-open COW regression tests now use the openat ABI on riscv64 (there is no SYS_open), matching the existing aarch64 path.
• CI: a build-only riscv64 cross-compile job. GitHub has no riscv64 runner, and seccomp/Landlock do not emulate faithfully under qemu-user, so the suite is run on a real host; the CI job guards against compile regressions.

Verification on a real riscv64 host (Linux 6.7.9)

• Release build clean; --lib unit tests pass.
• test_port_remap, test_determinism (including time virtualization / test_time_start_frozen), test_cow, test_fork, test_chroot, test_extra_handlers (11/14) pass.
• Time virtualization confirmed end-to-end through the CLI: sandlock run --time-start 2000-01-01T00:00:00Z -- date reports the year 2000.

Note: that host's kernel lacks CONFIG_SECURITY_LANDLOCK, so Landlock-enforcement tests can't be exercised there (they pass on the x86_64/aarch64 runners). The riscv64 seccomp/user-notification machinery itself is verified.

🤖 Generated with Claude Code