Effective from Linux 6.3 onward, this creates the memfd without execute
permissions and prevents that setting from ever being changed. A
run-time fallback is made to not using MFD_NOEXEC_SEAL when a
libwayland-cursor compiled on Linux >= 6.3 is run on Linux < 6.3.

This is a defense-in-depth security measure and silences a respective
kernel warning; see: https://lwn.net/Articles/918106/



This implementation is adopted from dnkl's `foot` terminal emulator.

Signed-off-by: 6t8k <6t8k@noreply.codeberg.org>