firecracker: drop sudo sh -c, race chown against SDK probe in Go

Replace the shell-string launcher in buildProcessRunner with a direct
exec.Command. The previous sh -c wrapper relied on shellQuote escaping
for every MachineConfig field that flowed into the launch script; any
future field that ever carried an attacker-controlled value would have
become RCE-as-root. The new path passes binary path and flags as
separate argv entries, so there is no shell to interpret anything.

The wrapper also did two things the shell can no longer do for us:

  1. umask 077 — moved to syscall.Umask in cmd/bangerd/main.go so every
     firecracker child (and any other file the daemon creates) inherits
     0600 by default. Single-user dev sandbox state should be private.

  2. chown_watcher — the SDK's HTTP probe inside Machine.Start connects
     to the API socket the moment it appears. Under sudo the socket is
     created root-owned and the daemon's connect(2) gets EACCES, so the
     post-Start EnsureSocketAccess never runs. The shell papered over
     this with a backgrounded chown loop. Replaced by
     fcproc.EnsureSocketAccessForAsync: same race-window guarantee, in
     pure Go, kicked off in LaunchFirecracker right before Start and
     awaited right after.

Tests updated: shell-substring assertions replaced with cmd-arg
assertions, plus a new fcproc test pinning the async chown sequence.
Smoke (full systemd two-service install + KVM scenarios) passes.

internal/daemon/fcproc/fcproc_test.go

@@ -180,6 +180,58 @@ func TestEnsureSocketAccessTimesOutBeforeTouchingRunner(t *testing.T) {
 	}
 }
 
+// TestEnsureSocketAccessForAsyncReturnsImmediatelyWhenNoPaths pins the
+// fast-path: callers can hand the helper an empty list (e.g. when VSockPath
+// is unset) and get a no-op channel back without spinning a goroutine.
+func TestEnsureSocketAccessForAsyncReturnsImmediatelyWhenNoPaths(t *testing.T) {
+	runner := &scriptedRunner{t: t} // any runner call would fail the test
+	mgr := New(runner, Config{}, slog.Default())
+
+	done := mgr.EnsureSocketAccessForAsync(context.Background(), []string{"", "   "}, 1000, 1000)
+	select {
+	case err := <-done:
+		if err != nil {
+			t.Fatalf("got %v, want nil for empty input", err)
+		}
+	case <-time.After(time.Second):
+		t.Fatal("EnsureSocketAccessForAsync did not signal completion")
+	}
+}
+
+// TestEnsureSocketAccessForAsyncWaitsForSocketThenChowns pins the boot-time
+// race fix: while Machine.Start spins up firecracker, the helper polls for the
+// socket and runs chmod + chown the moment it appears. If this drifts, the
+// SDK's HTTP probe gets EACCES on a root-owned socket and Start times out.
+func TestEnsureSocketAccessForAsyncWaitsForSocketThenChowns(t *testing.T) {
+	socketPath := filepath.Join(t.TempDir(), "delayed.sock")
+	go func() {
+		time.Sleep(50 * time.Millisecond)
+		_ = os.WriteFile(socketPath, []byte{}, 0o600)
+	}()
+
+	runner := &scriptedRunner{
+		t: t,
+		sudos: []scriptedCall{
+			{}, // chmod 600
+			{}, // chown uid:gid
+		},
+	}
+	mgr := New(runner, Config{}, slog.Default())
+
+	done := mgr.EnsureSocketAccessForAsync(context.Background(), []string{socketPath}, 4242, 4242)
+	select {
+	case err := <-done:
+		if err != nil {
+			t.Fatalf("EnsureSocketAccessForAsync: %v", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("EnsureSocketAccessForAsync did not signal completion")
+	}
+	if len(runner.sudos) != 0 {
+		t.Fatalf("expected both chmod and chown to run, %d sudo calls remaining", len(runner.sudos))
+	}
+}
+
 func contains(s, sub string) bool {
 	for i := 0; i+len(sub) <= len(s); i++ {
 		if s[i:i+len(sub)] == sub {