nixos/hardened profile: disable legacy virtual syscalls

This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism.  Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration.  Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289