Don't allow NIX_LD on setuid binaries

In the unlikely event if someone has NIX_LD set and an setuid binary using `/lib64/ld-linux-x86-64.so.2`, an attacker might be able to diverge execution by pointing to a untrusted patched libc. This should never happen in normal usage of nixos.