Description
We introduced landlock to sandbox the unblob process and limit what it can do on the filesystem.
However, during tests, we enable full R/W permissions with this function:
```python
import platform

# Import path assumed (unblob's Rust-backed Landlock bindings); the names
# themselves are the ones the function below uses.
from unblob_native.sandbox import AccessFS, SandboxError, restrict_access


def is_sandbox_available():
    is_sandbox_available = True
    try:
        # Full read/write access to "/": far more permissive than normal usage.
        restrict_access(AccessFS.read_write("/"))
    except SandboxError:
        is_sandbox_available = False

    # platform.machine() and platform.system() are functions and must be called;
    # comparing the function objects to strings (as originally written) is always False,
    # so the assertion below never fired.
    if platform.machine() == "x86_64" and platform.system() == "Linux":
        assert is_sandbox_available, "Sandboxing should work at least on Linux-x86_64"

    return is_sandbox_available
```
This is used in:
```python
import pytest

pytestmark = pytest.mark.skipif(
    not is_sandbox_available(), reason="Sandboxing only works on Linux"
)
```
This leads to a bunch of permission limitations not being caught during testing, such as our inability to delete extraction directories (#1085) or handlers using `tempfile` lacking permissions to do anything under `/tmp`. These issues would have been caught by our integration test suite, had the sandbox settings during testing reflected the ones in normal usage.
`is_sandbox_available` should call `restrict_access` with a stricter ruleset, most probably imported from `Sandbox.passthrough`.