jail: add support for running OCI bundle
Prepare ujail for running OCI bundled Linux containers.
This adds handling of most of the JSON schema defined by the
Open Container Initiative Runtime Specification.
What is supported by this commits:
* basic OCI process definition
* seccomp filters (no args yet)
* capabilities (100%)
* namespaces (100%)
* uid/gid mappings for userns (100%)
* mounts (no free form mounts yet)
* env (100%, limited to a low number entries)
* hostname (100%)
* terminal (no consoleSize yet)
What is still missing:
* complex mounts
* maskedPaths, readonlyPaths
* referencing existing namespaces
* all hooks
* rlimits
* oomScoreAdj
* additionalGids
* cgroups
* devices
* sysctl
* rootfsPropagation
* personality and bi-arch (ie. 32-bit container on 64-bit host)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>