gitlab_runner: try to protect the VM runner kernel from the root user

Enable kernel lockdown in confidentiality mode to restrict how the root user can interact with the kernel. See https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode and https://man.archlinux.org/man/kernel_lockdown.7

gitlab_runner: try to protect the VM runner kernel from the root user
50434793 · nl6720 · 009aa707 · 50434793
Unverified Commit 50434793 authored 2 years ago by nl6720
--- a/roles/gitlab_runner/files/libvirt-executor-update-base-image
+++ b/roles/gitlab_runner/files/libvirt-executor-update-base-image
@@ -37,6 +37,8 @@ arch-chroot mnt pacman -Sy --noconfirm --needed archlinux-keyring
 arch-chroot mnt pacman -Syu --noconfirm --needed git git-lfs gitlab-runner
 sed -E 's/^#(IgnorePkg *=)/\1 linux/' -i mnt/etc/pacman.conf
 arch-chroot mnt userdel -r arch
+sed 's/^\(GRUB_CMDLINE_LINUX="\).*"$/\1 lockdown=confidentiality"/' -i mnt/etc/default/grub
+arch-chroot mnt /usr/bin/grub-mkconfig -o /boot/grub/grub.cfg
 install -d -m0700 mnt/root/.ssh
 install -m0600 /etc/libvirt-executor/id_ed25519.pub mnt/root/.ssh/authorized_keys
 rm -f mnt/etc/machine-id