sandlock's network enforcement validates IPs/ports at the seccomp notif layer, but the actual TCP/IP processing still runs in the host kernel. gVisor's netstack means a bug in TCP parsing can't reach the host. A Rust userspace stack (e.g. smoltcp) behind the supervisor would close this gap.
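The destination check the comment places at the seccomp notif layer, as an added example that is not sandlock's code; it assumes a hypothetical rule table and that the supervisor already holds its own copy of the task's sockaddr:

```c
/* Added illustration, not sandlock's code: the allow-list decision a seccomp
 * user-notification supervisor makes on a connect() sockaddr copied out of the
 * sandboxed task. Only the destination is checked; TCP/IP stays in the host kernel. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
struct allow_rule { int family; unsigned char addr[16]; unsigned short port; }; /* hypothetical */
/* 1 = supervisor may complete the connect on the task's behalf, 0 = deny.
 * sa/len must be the supervisor's own copy, never a pointer into the task. */
int connect_allowed(const void *sa, socklen_t len,
                    const struct allow_rule *rules, size_t nrules)
{
    if (len < sizeof(sa_family_t)) return 0;            /* truncated sockaddr */
    int family = ((const struct sockaddr *)sa)->sa_family;
    const unsigned char *addr; size_t addrlen; unsigned short port;
    if (family == AF_INET) {
        const struct sockaddr_in *in = sa;
        if (len < sizeof *in) return 0;
        addr = (const unsigned char *)&in->sin_addr; addrlen = 4;
        port = ntohs(in->sin_port);
    } else if (family == AF_INET6) {
        const struct sockaddr_in6 *in6 = sa;
        if (len < sizeof *in6) return 0;
        addr = in6->sin6_addr.s6_addr; addrlen = 16;
        port = ntohs(in6->sin6_port);
        /* ::ffff:a.b.c.d names an IPv4 destination: match it against the IPv4
         * rules so an AF_INET6 socket cannot sidestep the IPv4 allow-list. */
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr)) { family = AF_INET; addr += 12; addrlen = 4; }
    } else {
        return 0;               /* AF_UNIX, AF_NETLINK, ...: no IP destination */
    }
    for (size_t i = 0; i < nrules; i++)
        if (rules[i].family == family && rules[i].port == port &&
            memcmp(rules[i].addr, addr, addrlen) == 0)
            return 1;
    return 0;
}
/* Constructed policy (10.0.0.5:443, [2001:db8::1]:53) and a text-address helper. */
static const struct allow_rule demo_rules[] = {
    { AF_INET, { 10, 0, 0, 5 }, 443 }, { AF_INET6, { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 }, 53 } };
int demo_allowed(int family, const char *ip, unsigned short port)
{
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    int v4 = family == AF_INET;
    if (inet_pton(family, ip, v4 ? (void *)&s4.sin_addr : (void *)&s6.sin6_addr) != 1) return 0;
    return connect_allowed(v4 ? (void *)&s4 : (void *)&s6, v4 ? sizeof s4 : sizeof s6, demo_rules, 2);
}
```

Because the kernel would re-read the task's sockaddr if the syscall were simply continued, a supervisor should act on its own copy (for instance by performing the connect itself and handing the socket back with SECCOMP_IOCTL_NOTIF_ADDFD); either way the resulting TCP state machine is still the host kernel's, which is the gap the comment points at.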