Scripts currently run chrooted in the image. This is not great because
it means the tool you want to run from a script has to be installed in
the image, even if it has --root support to run from outside the image.
Specifically, to install extra packages from a script, you currently
have to install the package manager inside the image itself. Even then,
it might be completely different than the package manager on the host
(both in version and in build options), possibly leading to all kinds
of weird issues.

To allow users to install extra packages from scripts, we now default
to running scripts on the host. Additionally, to make life easy for
users, we provide a set of scripts in the PATH for the package managers
we support that call them with the necessary options to install packages
in the same way mkosi installs packages into the root directory. This
means all that users have to do is "dnf install xxx" from the script to
install a new package into the root directory.

Because some tools do not have a --root option and to provide an easy
migration for users that depend on scripts running in the image, we
also put a script "mkosi-chroot" in the PATH which uses bubblewrap to chroot
into the image as we did before. Users can keep their old scripts working
by simply adding the following to the top of their script:

```
# Not yet inside the image: re-run this script through mkosi-chroot.
if [ "$container" != "mkosi" ]; then
    exec mkosi-chroot "$SCRIPT" "$@"
fi
```

When running scripts on the host, no APIVFS directories are mounted into
the image. When using the "mkosi-chroot" and package manager scripts, the APIVFS
directories are automatically mounted before executing the corresponding
command. The apivfs_cmd() function is introduced to make implementing this
easier.

Additionally, we now always consider the current working directory a
BuildSources= directory. BuildSources= is now used to declare additional
source directories. The current working directory can always be overmounted
with another directory by simply specifying a source directory in BuildSources=
without a target directory.

To allow scripts running on the host to find the image, we set the
BUILDROOT variable for all scripts.

To prevent scripts on the host from messing with the host system when mkosi
is running as root, we extend the sandboxing to cover many more directories
which are all mounted read-only while a script is executing.

This change also allows scripts to be written in Python or other scripting
languages without having to install Python into the image itself.
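
A script that runs on the host reaches the image through "$BUILDROOT", so a symlink inside the image can make a write resolve to a host path. The shell helpers below are an added example, not part of this commit or of mkosi; buildroot_path and install_into_image are hypothetical names, and only BUILDROOT comes from the text above.

```shell
# Added example: guard helpers for a script that mkosi runs on the host.
# buildroot_path and install_into_image are hypothetical names.

# Print the absolute location of image path $1 under $BUILDROOT, or fail if
# that location would land outside the image tree.
buildroot_path() {
    [ -n "${BUILDROOT:-}" ] || { echo "BUILDROOT is not set" >&2; return 1; }
    root=$(cd -P -- "$BUILDROOT" 2>/dev/null && pwd -P) || {
        echo "BUILDROOT is not a directory" >&2; return 1; }
    [ "$root" != "/" ] || { echo "BUILDROOT is the host root" >&2; return 1; }

    target="$root/${1#/}"
    # Resolve the parent physically so a symlinked directory in the image
    # cannot redirect the write to a host path.
    parent=$(cd -P -- "$(dirname "$target")" 2>/dev/null && pwd -P) || {
        echo "parent of $1 is missing in the image" >&2; return 1; }
    case "$parent/" in
        "$root"/*) ;;
        *) echo "$1 resolves outside BUILDROOT" >&2; return 1 ;;
    esac
    # A symlink as the final component would be followed by cp or a redirect.
    name=$(basename "$target")
    if [ -L "$parent/$name" ]; then
        echo "$1 is a symlink in the image" >&2; return 1
    fi
    printf '%s\n' "$parent/$name"
}

# Copy host file $1 to image path $2, only if the destination is safe.
install_into_image() {
    dest=$(buildroot_path "$2") || return 1
    cp -- "$1" "$dest"
}
```
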