core: restore port-remap transparency and tighten bind path

[congwang-mk]

Summary

• Restore port-remap transparency: handle_getsockname now performs getsockname on-behalf and rewrites real ports back to the virtual port the child requested, and connect_on_behalf uses the cached real port for loopback dials. Previously the supervisor read child memory before the kernel filled the buffer, so the rewrite was a no-op and the remap was silently broken in the conflict path.
• Replace the racy probe-and-close port allocator with a direct bind on the child's dup_fd; on EADDRINUSE retry with port 0 so the kernel atomically picks a free real port. record_bind runs only after the bind succeeds, so a failed bind leaves no stale mapping. Stale cached real ports (reclaimed by another host process while the sandbox's prior socket was closed) also fall through to the bind 0 retry.
• Propagate the actual errno from dup_fd_from_pid at six callsites instead of always returning ENOSYS. ENOSYS remains accurate for kernel-too-old failures; EBADF/ESRCH/EPERM now surface honestly for runtime failures (child exited, child closed the fd, permission).
• New integration tests assert that getsockname returns the virtual port under host conflict (test_port_remap_conflict tightened from starts_with("BOUND:") to exact match) and that a loopback bind/listen/connect round-trip works end-to-end under forced remap (test_port_remap_loopback_under_conflict).

Test plan

• cargo test -p sandlock-core passes (490 tests: 275 unit + 213 integration + 2 sandbox_validate)
• pytest python/tests passes (247 tests)
• CI green