Prepare a launcher: socketpair, map child end to SYNC_SOCK_CHILD_FD, child_setup installs filter. NOTIFY policy is read from #bubble in the child (see #child_seccomp_handshake).