Fix: Address multiple critical vulnerabilities and bugs

This commit addresses a wide range of issues identified in a comprehensive code review, including critical security vulnerabilities, build system failures, and logic errors.

Key changes include:

- **Security:**
  - Patched a path traversal vulnerability in the Flask download endpoint.
  - Mitigated a race condition and memory leaks in the Flask build endpoint by implementing a thread-safe, queue-based build process.
  - Replaced the use of the `--privileged` Docker flag with more granular capabilities (`--cap-add=SYS_ADMIN --cap-add=MKNOD`) to reduce container security risks.
  - Implemented atomic file writes in `entrypoint.sh` to prevent configuration file corruption.
  - Added input validation for directory paths and package list syntax.

- **Build System:**
  - Corrected the XZ compression options in `profiledef.sh` for `mksquashfs`.
  - Improved the `select-mirrors.sh` script to handle failures in `reflector` gracefully.
  - Updated the GitHub Actions workflow to invalidate the pacman cache when `pacman.conf` changes.
  - Fixed an issue in the `no-beep.service` file where it would try to write to a non-existent sysfs path.

- **Logic and Reliability:**
  - Enhanced the `validate` function in `entrypoint.sh` to perform more comprehensive checks on configuration files.
  - Corrected a typo in a variable name within the build script.
  - Updated the `bootmodes` array in `profiledef.sh` to use simplified, general options.

- **Pull Request Feedback:**
  - Fixed a YAML syntax error in `.github/workflows/gui-build-test.yml`.
  - Corrected the `mksquashfs` compression options in `profiledef.sh` to use `-processors` instead of the invalid `-Xthreads` option.
  - Increased the `reflector` download timeout to 15 seconds to prevent intermittent failures.
  - Corrected the `-processors` option for `mksquashfs` to be passed as a number instead of a string.

Author: google-labs-jules[bot]

profiledef.sh

@@ -15,27 +15,20 @@ pacman_conf="pacman.conf"
 airootfs_image_type="squashfs"
 bootstrap_tarball_compression=('zstd' '-c' '-T0' '--auto-threads=logical' '--long' '-19')
 
-# Correctly formatted compression options for mksquashfs with XZ
-# -b (block size) must be a power of 2, max 1M (1048576)
-# -Xdict-size (dictionary size) should be a power of 2, max 1M
-# Use the -processors option to control the number of CPUs to use
+# Base compression options for mksquashfs
+airootfs_image_tool_options=(
+  '-comp' 'xz'
+  '-Xbcj' 'x86'
+  '-b' '1M'
+  '-Xdict-size' '1M'
+)
+
+# Determine the number of processors to use for compression
 if [ "$(nproc)" -ge 4 ]; then
-  # For systems with 4 or more cores, use multi-threading and larger dictionary
-  airootfs_image_tool_options=(
-    '-comp' 'xz'
-    '-Xbcj' 'x86'
-    '-b' '1M'
-    '-Xdict-size' '1M'
-  )
+  # Use all available cores for systems with 4 or more cores
   airootfs_image_tool_options+=('-processors' "$(nproc)")
 else
-  # For systems with fewer than 4 cores, use a single thread and smaller dictionary
-  airootfs_image_tool_options=(
-    '-comp' 'xz'
-    '-Xbcj' 'x86'
-    '-b' '512K'
-    '-Xdict-size' '512K'
-  )
+  # Use a single thread for systems with fewer than 4 cores
   airootfs_image_tool_options+=('-processors' '1')
 fi