cursor: memfd_create: try MFD_NOEXEC_SEAL

From Linux 6.3 onward, if the sysctl setting vm.memfd_noexec is 0, which I assume is widely used by default, libwayland-cursor causes the kernel to emit a warning once per boot that looks like this:

[ 21.992745] foot[802]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set

(Using dnkl's foot terminal emulator in this case.)

This PR proposes to set the new MFD_NOEXEC_SEAL flag when possible, creating the memfd without execute permissions and making that setting permanent, as a defense-in-depth security measure. Compare the LWN article on enabling non-executable memfds for an overview.

A run-time fallback is made to not using MFD_NOEXEC_SEAL when a libwayland-cursor compiled on Linux >= 6.3 is run on Linux < 6.3, as latter kernels reject memfd_create() calls that set it.

The implementation is adopted from foot.