Introduce Landlock isolation support

[n0toose]

Leaving this here for now, the most important design problem with this is how Landlock does not allow whitelisting files if they are not created. (So, we'd have to force the user to use a directory for that instead.)

We also need to avoid "parsing" the same --file-mapping inputs twice, as well as not use OnceLock for enforcing the whitelist when the kernel is actually being loaded. UhyveVm::new is called in a new thread because Landlock enforces the restrictions for the entire process and its children. We're not testing if the sandbox is applied correctly yet.

See: https://docs.kernel.org/userspace-api/landlock.html

Fixes #766

[n0toose]

Depends on #814.

[n0toose]

We need to move the split_guest_and_host functionality that is used during the initialization of UhyveFileMap::new away from that function for two reasons:

• We need to be able to "hard fail" if a file does not exist and/or its parent directory is not whitelisted and we use Landlock instead of running absolute. See feat(isolation): improve canonicalization of host paths #819.
• We are effectively parsing the --file-mapping arguments twice.

[n0toose]

TODO: Investigate landlock_path_beneath_attr

[n0toose]

uhyvefilemap_test works. The problem is that you can't run UhyveVm::run multiple times, as the Landlock restrictions have already been applied process-wide once. Additionally, the temporary directory gets dropped after the first instance of UhyveVm::run, so trying to re-enforce Landlock causes an error as the temporary directory has been dropped.

My approach to the problem of "not being able to whitelist files that don't exist yet" is just whitelisting the parent directory and letting UhyveFileMap contain file operations to that one specific file only (in the whitelisted directory). We do that by iterating over the file's parents and establishing whether they exist, once - but this could be made configurable, and it should be fine if we disclose to the user that whitelisting directories is safer.

However, whitelisting a directory is not always practical, because we can't map the entirety of /root to anything yet, as the /root component gets popped by Uhyve before a hypercall is executed (see fs-test.rs and create_file.rs for a workaround), see: https://github.com/hermit-os/kernel/blob/12d4854554f8ec48fa66a8d282ebcf46b7bf9499/src/fs/mod.rs#L160

[n0toose]

The change incorporates some changes from #844.

[n0toose]

hermit-os/kernel#1529 is now a hard requirement for this change. CC: @mkroening

[n0toose]

no idea why fs-related integration tests work locally but fail in the CI, will investigate later

[n0toose]

• This should work now as soon as feat(uhyve): use absolute paths kernel#1529 (review) is merged and a release on the Hermit kernel's side is made.

• On the contrary, temporary files will break on main, as joining an absolute path to another PathBuf will replace the PathBuf's contents with the absolute path that is being joined. This change introduces a bunch of changes that fixes this. See:

  uhyve/src/isolation/filemap.rs

  Line 106 in 8d2f7e5

  let host_path = self.tempdir.path().join(guest_path).into_os_string();

• This is otherwise ready for review, will need some rebases before being mergeable.

[n0toose]

This PR includes work that was split into separate PRs, #844 and #852, which should probably be merged first. This PR relies on hermit-os/kernel#1529. It includes some changes to our tests that reflect the changes made in hermit-os/kernel#1529.