implement cwd and mount namespace/chroot tracking

[anonymouse64]

Currently, if a program issues a syscall like this:

20563 1592353877.755357 symlink("some-link", "/home/user/snap/chromium/1193/.config/chromium/SingletonLock") = 0

then we don't correctly track that the resultant file created is $CWD/some-link, because we only see "some-link" in the syscall. There are a few other syscalls like this that work with the AT_FDCWD special value as well that we are not resolving properly again due to the fact that we don't track current working directory changes.

The code to do this is not hard, we would probably just have to have a regexp that catches the chdir syscall and keep track of it as the loop progress through every syscall, and then also have another specific regexp that matches the set of syscalls that use this pattern as well as any syscall that uses AT_FDCWD with a non-absolute path as another syscall argument, and then do the replacement.

There's a related and similar problem about tracking mount namespace changes and chroots where we want to follow the changes into the mount namespace to see that a strictly confined snap accessing /lib/x86_64-linux-gnu/libc-2.27.so is really accessing the base snap's file i.e. /snap/core18/current/lib/x86_64-linux-gnu/libc-2.27.so

[anonymouse64]

A simple way to handle part of this actually for snaps is to enter the snap's mount namespace through i.e. snap run --shell or the /run/snapd/ns/... files so that we can at least see the size/existence of files from the base snap. That still isn't the full picture though