firecracker-containerd
Consider additional validation of rootfs and drive mount paths
@nmeyerhans brought up during a review that we currently only do fairly limited validation of various paths provided to firecracker-containerd. For example, the paths provided for the container rootfs and the paths provided via DriveMounts will just follow any symlinks in the path and expose them to the Firecracker jail.
Right now, it's just up to users to ensure those paths are safe to use (and follow if they are symlinks), but it's worth considering whether we could provide additional value by optionally doing more validation. For instance, could we have an optional flag that prevents our code from following any symlinks for drive mounts? Or is it worth refusing to use paths under certain directories like /proc? This issue is just to discuss/track any potential ideas on this front.
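A sketch of the two ideas raised above (an optional "do not follow symlinks" mode and refusing paths that resolve under directories like /proc), written as an added example in Go and not firecracker-containerd's own code: the function name, the `followSymlinks` flag and the `deniedRoots` list are assumptions for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// deniedRoots: roots a resolved mount path may not live under (illustrative, not the project's policy).
var deniedRoots = []string{"/proc", "/sys", "/dev"}

// ValidateMountPath returns path's absolute, fully resolved form, or an error if it
// lies under a denied root; with followSymlinks false, any symlink component is refused.
func ValidateMountPath(path string, followSymlinks bool) (string, error) {
	abs, err := filepath.Abs(path)
	if err != nil {
		return "", err
	}
	if !followSymlinks {
		// Lstat every prefix so a symlinked parent directory is caught too.
		for p := abs; p != "/"; p = filepath.Dir(p) {
			fi, err := os.Lstat(p)
			if err != nil {
				return "", err
			}
			if fi.Mode()&os.ModeSymlink != 0 {
				return "", fmt.Errorf("refusing symlink %q in %q", p, path)
			}
		}
	}
	// Canonicalise so a symlink cannot hide its real target from the deny check.
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return "", err
	}
	for _, root := range deniedRoots {
		if resolved == root || strings.HasPrefix(resolved, root+"/") {
			return "", fmt.Errorf("%q resolves to %q under denied root %s", path, resolved, root)
		}
	}
	return resolved, nil
}

func main() {
	for _, p := range os.Args[1:] {
		r, err := ValidateMountPath(p, true)
		fmt.Printf("%s -> %q err=%v\n", p, r, err)
	}
}
```

Checking only the final component would miss a symlinked parent directory, which is why the strict mode walks every prefix; the deny check runs on the resolved path for the same reason.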