* deps: alcove 0.40.5/prx 0.16.3

* process: support net: :none on linux

  Experiment with disabling network access for normal processes on linux
  by entering a new user/network namespace.

  The alternative is seccomp()'ing system calls for opening network file
  descriptors. The behaviour differs from an unconfigured network (errno
  is returned) but is closer to what can be done on OpenBSD (pledge)
  and FreeBSD (capscicum): maybe a new `net: :deny` option.