helpers: avoid triggering a kernel warning

In kernels ≥ 6.3 there's a warning generated when you create a memfd without
setting one of `MFD_NOEXEC_SEAL` or `MFD_EXEC`. Since we don't need to be
able to execute our shm buffers, set `MFD_NOEXEC_SEAL` when:
* We're built against sufficiently new kernel headers, and
* The kernel we're running on is sufficiently new.

`memfd_create` will return `EINVAL` if it doesn't understand
`MFD_NOEXEC_SEAL` (ie: if it's too old), so it's easy to fallback.