Only allow host openat(2) syscalls with O_NOFOLLOW with directfs.
Updates the directfs seccomp filters to ensure that all openat(2) host syscalls
have O_NOFOLLOW bit set. This would ensure that we don't follow a symlink in
the host filesystem by mistake.

The gofer client currently always uses O_NOFOLLOW. But this will help prevent
any malicious usage of openat(2) if the sandbox is compromised somehow.

The container filesystem is well-isolated from the host filesystems using
pivot_root(2). So following a host symlink from sandbox context should still
not escape the container. But this provides an additional layer of security.

PiperOrigin-RevId: 523839219
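As an added example (not code from the gVisor commit or its seccomp package), the Go program below re-implements the masked-equal test that the new rule applies to the openat(2) flags argument, then performs a real openat(2) on a constructed symlink so the effect of O_NOFOLLOW is visible; function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// allowedByFilter mirrors a seccomp masked-equal rule on the flags argument:
// (flags & mask) == value. Only the O_NOFOLLOW bit is pinned; all other flag
// bits are left unconstrained, exactly as the rule in the commit does.
func allowedByFilter(flags int) bool {
	const mask, value = syscall.O_NOFOLLOW, syscall.O_NOFOLLOW
	return flags&mask == value
}

// openViaSymlink builds a temp dir with a regular file and a symlink to it
// (constructed test data), then opens the symlink through openat(2) relative
// to the directory fd. It returns the errno, or nil when the open succeeded.
func openViaSymlink(flags int) error {
	dir, err := os.MkdirTemp("", "nofollow-demo")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "target"), []byte("x"), 0o600); err != nil {
		return err
	}
	if err := os.Symlink("target", filepath.Join(dir, "link")); err != nil {
		return err
	}
	dirfd, err := syscall.Open(dir, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	if err != nil {
		return err
	}
	defer syscall.Close(dirfd)
	fd, err := syscall.Openat(dirfd, "link", flags, 0)
	if err != nil {
		return err
	}
	return syscall.Close(fd)
}

// symlinkRejected reports whether the kernel refused to follow the symlink,
// which openat(2) signals with ELOOP when O_NOFOLLOW is set.
func symlinkRejected(flags int) bool {
	return errors.Is(openViaSymlink(flags), syscall.ELOOP)
}

func main() {
	for _, f := range []int{syscall.O_RDONLY, syscall.O_RDONLY | syscall.O_NOFOLLOW} {
		fmt.Printf("flags=%#x filterAllows=%v symlinkRejected=%v\n", f, allowedByFilter(f), symlinkRejected(f))
	}
}
```

Run on Linux: the plain O_RDONLY open is blocked by the filter and would have followed the link, while the O_NOFOLLOW open passes the filter and fails with ELOOP instead of reaching the target.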
ayushr2 authored and gvisor-bot committed Apr 12, 2023
1 parent f515471 commit 114a033
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion runsc/boot/filter/config.go
@@ -416,7 +416,7 @@ func hostFilesystemFilters() seccomp.SyscallRules {
{
validFDCheck,
seccomp.MatchAny{},
seccomp.MatchAny{},
seccomp.MaskedEqual(unix.O_NOFOLLOW, unix.O_NOFOLLOW),
seccomp.MatchAny{},
},
},
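Review bot: `seccomp.MaskedEqual(unix.O_NOFOLLOW, unix.O_NOFOLLOW)` on the flags argument pins only that single bit, so any other combination (O_CREAT, O_TRUNC, O_WRONLY and so on) still passes as long as O_NOFOLLOW is present; that matches the stated intent, but a comment beside the rule saying so would stop a reader from mistaking the line for a full flags allowlist. The hunk context also cuts off above the syscall this rule belongs to, so please confirm in the surrounding code that it is the openat(2) rule and that hostFilesystemFilters has no second openat rule whose flags argument is still `seccomp.MatchAny{}`. A filter test asserting that an openat(2) without O_NOFOLLOW is rejected would keep the guarantee described in the commit message from regressing silently.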
