Fix application files/runtime permissions scheme


Fix application files/runtime permissions scheme

Introduces new lives configuration that provides the name/UID/GID of
the user that will own application files and installed dependencies.
This new configuration is distinct from runs in that the former
determines application file location ownership and the latter now only
determines runtime process ownership. Default configuration has also
been introduced for both config sections.

In addition to the new configuration, a new build.CopyAs instruction
has been introduced that ensures correct UID/GID ownership of files
copied into the container image, and all unqualified build.Copy
instructions are wrapped by the new build.CopyAs instruction using the
UID/GID appropriate for the current build phase. A new build.User
instruction is also introduced and injected into the build at the start
of certain phases to enforce ownership of build.Run processes.

This effective process/file ownership model is:

PhasePrivileged - "root"
PhasePrivilegedDropped - lives.as
PhasePreInstall - lives.as
PhaseInstall - lives.as
PhasePostInstall - runs.as

Fixes T187372

Test Plan: Run go test ./....

Reviewers: thcipriani, hashar, demon, Release-Engineering-Team

Reviewed By: thcipriani, Release-Engineering-Team

Subscribers: mmodell

Tags: Release-Engineering-Team

Maniphest Tasks: T187372

Differential Revision: https://phabricator.wikimedia.org/D984