Live CD: Implement gVisor support

[yveszoundi]

Background

gVisor is a container sandbox developed by Google that focuses on security, efficiency and ease of use.

gVisor has been preferred to a combination of seccomp (existing) and apparmor profiles:

• Additional software packages to install for apparmor support
• Boot loader changes for apparmor settings
• Switch from podman to nerdctl, as nerdctl supports apparmor with rootless containers
  • Increased Live CD boot time for preparing nerdctl rootless support
  • Less overall testing with nerdctl than podman
  • Additional considerations with rootfs option, for avoiding duplicate storage("containerd snapshotters")

Request

Enable gVisor on the Live CD as it provides a rather complete out of the box container security solution.

Overall changes

• [x] CI/CD pipeline updates
  • [x] Update the build scripts and GitHub Actions workflow to account for gVisor
  • [x] Update the entrusted-webservice systemd service for gVisor support
  • [x] Disable seccomp support via environment variables
  • [x] Enable gVisor support via environment variables
• [x] Update the entrusted-client component for gVisor support
  • [x] Setup a tmpfs filesystem (5 MB) to account for LibreOffice setup, as it needs to create data in XDG_CONFIG_HOME...). This excludes images and PDF files processing.
  • [x] Disable the userns flag when gVisor support is desired

[yveszoundi]

This is working just fine on amd64 and aarch64.