policy has been freed. this allows us to enforce the kernel policy size
limit for users while users are still able to execute an arbitary number
of applications; the protocol change is backwards compatible.
- avoid race conditions by having seqno in ioctl
- better uid/gid tracking
- "replace" policy to replace args
- less diffs, as many of local changes were fed back to openbsd already
due to the 1st item, it was impossible for us to provide backward-compatibility
(new kernel + old bin/systrace won't work). upgrade both.