A sandboxing tool for virtiofsd
- Mentors
- Stefano Garzarella, German Maglione
- Organization
- QEMU
- Technologies
- rust, qemu
- Topics
- virtualization
Virtiofs is a shared file system that lets virtual machines access a directory tree on the host. Unlike existing approaches, it is designed to offer local file system semantics and performance.
Currently, virtiofsd integrates the sandboxing code and the server code in a single binary. The goal is to extract that code and create an external tool that creates a sandbox environment and runs virtiofsd in it. This will make it easier to develop sandboxing features and virtiofsd side by side.
In addition, that tool should be extended to be able to run virtiofsd in a restricted environment with Landlock. Landlock is a Linux security module (LSM) that allows unprivileged processes to restrict their own access rights. This will enable the tool to apply access restrictions to virtiofsd without requiring privileged access, in a way that is enforced by the kernel, thereby increasing the protection of virtiofsd users.
This will allow greater flexibility when integrating virtiofsd into a VMM or running it inside a container, because Landlock enforces its access restriction rules as composable security layers that stack on top of the system's existing access controls.
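As an added illustration (not code from this project or from virtiofsd), a minimal Rust sketch of the Landlock step such a tool would perform: it confines the calling process, and whatever it execs afterwards, to a single shared directory using the raw Landlock syscalls, so no external crate is needed. The function names are my own; the constants are the ABI v1 values from linux/landlock.h, and the code assumes a 64-bit Linux host.

```rust
use std::{fs::File, io, os::unix::io::AsRawFd};

// Landlock syscall numbers are identical on every architecture (added in Linux 5.13).
const SYS_LANDLOCK_CREATE_RULESET: i64 = 444;
const SYS_LANDLOCK_ADD_RULE: i64 = 445;
const SYS_LANDLOCK_RESTRICT_SELF: i64 = 446;
const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
const LANDLOCK_RULE_PATH_BENEATH: u32 = 1;
const PR_SET_NO_NEW_PRIVS: i32 = 38;
// Filesystem rights from linux/landlock.h; ABI v1 defines bits 0..12 (execute, write, read, remove, make_*).
const ACCESS_FS_READ_ONLY: u64 = (1 << 2) | (1 << 3); // READ_FILE | READ_DIR
const ACCESS_FS_ABI_V1_ALL: u64 = (1 << 13) - 1;
#[repr(C)]
struct RulesetAttr { handled_access_fs: u64 }
#[repr(C, packed)] // the kernel declares landlock_path_beneath_attr as packed
struct PathBeneathAttr { allowed_access: u64, parent_fd: i32 }

extern "C" {
    fn syscall(num: i64, ...) -> i64;
    fn prctl(option: i32, ...) -> i32;
    fn close(fd: i32) -> i32;
}
fn check(ret: i64) -> io::Result<i64> { if ret < 0 { Err(io::Error::last_os_error()) } else { Ok(ret) } }
/// Rights granted on the shared directory: every v1 right for a read-write export.
pub fn shared_dir_access(read_only: bool) -> u64 {
    if read_only { ACCESS_FS_READ_ONLY } else { ACCESS_FS_ABI_V1_ALL }
}
/// Landlock ABI version of the running kernel; Err if Landlock is absent or disabled.
pub fn landlock_abi_version() -> io::Result<i64> {
    let null = std::ptr::null::<RulesetAttr>();
    check(unsafe { syscall(SYS_LANDLOCK_CREATE_RULESET, null, 0usize, LANDLOCK_CREATE_RULESET_VERSION) })
}

/// Confine the calling process, and anything it later execs, to `shared_dir`.
/// Every v1 right is "handled", so a path without a rule is denied outright.
pub fn restrict_to_shared_dir(shared_dir: &str, read_only: bool) -> io::Result<()> {
    let attr = RulesetAttr { handled_access_fs: ACCESS_FS_ABI_V1_ALL };
    let ruleset = check(unsafe {
        syscall(SYS_LANDLOCK_CREATE_RULESET, &attr as *const RulesetAttr, std::mem::size_of::<RulesetAttr>(), 0u32)
    })? as i32;
    let dir = File::open(shared_dir)?; // any fd referring to the directory works as parent_fd
    let rule = PathBeneathAttr { allowed_access: shared_dir_access(read_only), parent_fd: dir.as_raw_fd() };
    check(unsafe { syscall(SYS_LANDLOCK_ADD_RULE, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule as *const PathBeneathAttr, 0u32) })?;
    // Without CAP_SYS_ADMIN the kernel requires no_new_privs before restrict_self.
    check(unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1usize, 0usize, 0usize, 0usize) } as i64)?;
    let res = check(unsafe { syscall(SYS_LANDLOCK_RESTRICT_SELF, ruleset, 0u32) });
    unsafe { close(ruleset) };
    res.map(|_| ())
}
```

A tool that restricts itself and then execs virtiofsd would also need rules granting execute and read access on the virtiofsd binary, its shared libraries and the vhost-user socket directory, since the restriction survives execve; probing the ABI version first lets it fall back gracefully on kernels without Landlock.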