rootfs: prohibit symlinks that conflicts with readonlyPaths
and/or maskedPaths
to prevent CVE-2023-27561
#3756
+79
−2