docs(design): SEC-1.p Landlock LSM as defense-in-depth for daemon receiver

[oferchen]

Summary

Audit + design doc evaluating Linux Landlock LSM (via the landlock crate from https://github.com/landlock-lsm/rust-landlock) as a kernel-enforced allowlist layered ABOVE the SEC-1 *at syscall chain. No code changes.

• Documents the gaps the *at helpers do not close on their own (missed call sites, normalization bugs in single_component_leaf, out-of-tree operand expansion, inherited hook processes).
• Identifies the single integration point at crates/daemon/src/daemon/sections/module_access/transfer.rs:352, right after apply_module_privilege_restrictions returns.
• Lays out the kernel-version matrix (5.13 v1 / 5.19 v2 / 6.2 v3) with ABI::set_best_effort(true) downgrade and per-tier security analysis.
• Mirrors the Linux-only opt-in gating precedent established by iouring-send-zc (crates/fast_io/Cargo.toml:110-117).
• Specifies a 3-test integration plan, decision criteria, re-open triggers, and a ~310 LoC single-PR implementation estimate.

Recommendation: PROCEED.

Test plan

• No code changes; documentation only.
• cargo fmt --all no-op for .md files.
• Doc contains no em-dashes / en-dashes (hyphens only per writing-style rule).
• Doc references upstream Landlock crate by URL, kernel ABI levels, and the exact *at helper exports already shipped (crates/fast_io/src/dir_sandbox/at_syscalls.rs, at_syscalls_metadata.rs, at_syscalls_rename.rs).