sys_linux: allow lstat and readlink in seccomp filter

These syscalls seem to be needed when gnutls is loading system trusted
certificates due to p11-kit >= 0.23.21 getting the program name from
/proc/self/exe.

sys_linux.c

@@ -533,7 +533,10 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
     SCMP_SYS(getdents),
     SCMP_SYS(getdents64),
     SCMP_SYS(lseek),
+    SCMP_SYS(lstat),
+    SCMP_SYS(lstat64),
     SCMP_SYS(newfstatat),
+    SCMP_SYS(readlink),
     SCMP_SYS(rename),
     SCMP_SYS(renameat),
     SCMP_SYS(renameat2),