
security: switch from SecureJoin to libpathrs

Open cyphar opened this issue 7 years ago • 2 comments

I'm currently working with upstream kernels to allow for safe, race-free protection against escapes with O_THISROOT. It's a fairly powerful mechanism which should entirely remove the need for securejoin.SecureJoin.

However, since it's not merged yet (and we'd have to support older kernels anyway) we need to add some additional hardening to verify that SecureJoin paths don't become unsafe after their creation. In particular we can do this by checking the readlink of /proc/self/fd/$fd when we open a file -- though we'd need to add some additional complications like opening it O_PATH and similar fun things like that.

EDIT: The new project is called https://github.com/openSUSE/libpathrs.

cyphar avatar Nov 13 '18 05:11 cyphar

Depends on openSUSE/libpathrs#3 and god knows how many more things.

cyphar avatar Dec 30 '19 04:12 cyphar