Supervisor-side Landlock enforcement for filesystem confinement

[jserv]

Problem

The supervisor process currently has unrestricted host filesystem access.
A compromised LKL instance or supervisor bug could read/write arbitrary host
files. Landlock syscalls are in the BPF deny list (seccomp-bpf.c), so
guests cannot self-restrict either.

Proposed Changes

Apply a Landlock ruleset in the supervisor during initialization (before
spawning the guest) to confine its own host-level access:

• Read-only: system dirs and dynamic loader paths (runtime-detected, not
  hardcoded)
• Read-write: workspace/rootfs ext4 image, temp dirs, sockets
• Network rules (TCP bind/connect deny): require Landlock ABI v4+, gated on
  runtime kernel probing via landlock_create_ruleset

Prerequisites:

• PR_SET_NO_NEW_PRIVS must be set before landlock_restrict_self()
• Graceful fallback when Landlock is unavailable or ABI is too old (log
  warning, continue without confinement)

Guest Landlock passthrough is explicitly out of scope: guest FDs are LKL FDs,
and the host kernel would misinterpret them, applying rules to the wrong host
files.

Considerations

• Landlock restriction is irreversible for the process tree. The supervisor
  must retain access to the ext4 image, seccomp notification FDs, and
  minislirp sockets after confinement.
• Path list must be broader than /usr and /lib: include /lib64, /bin,
  /sbin, /etc, and architecture-specific loader paths.
• Interaction with LKL-backed vs host-backed paths (see path.c path
  classification) must be audited to ensure Landlock rules align with the
  supervisor's actual host access patterns.
• Keep Landlock syscalls in the BPF deny list for the guest.

Affected Files

• src/seccomp-bpf.c (keep Landlock in deny list for guest)
• Supervisor initialization code (new Landlock setup before guest spawn)