crosvm: handle '--disable-sandbox' after other sandboxing options

The '--disable-sandbox' argument has the effect of setting the jail
configuration to `None`, but other sandboxing options can potentially
recreate it afterwards if they are also specified.

Fix this by handling '--disable-sandbox' after all other sandboxing
options, so the jail configuration always ends up being `None` if that
option is specified.

Reported and fix proposed by Dmitrii Osipenko.

TEST=cargo run with and without --disable-sandbox

Change-Id: I57bed8a3a4fdd543c7f7a24d778ecc16a3ad0d8a
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/3893545
Reviewed-by: Dmitrii Osipenko <dmitry.osipenko@collabora.corp-partner.google.com>
Commit-Queue: Alexandre Courbot <acourbot@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Auto-Submit: Alexandre Courbot <acourbot@chromium.org>
Alexandre Courbot 2022-09-14 10:53:25 +09:00 committed by crosvm LUCI
parent 2c171901ee
commit dee4a6e40f


@ -1620,10 +1620,6 @@ impl TryFrom<RunCommand> for super::config::Config {
cfg.initrd_path = cmd.initrd_path;
if cmd.disable_sandbox {
cfg.jail_config = None;
}
if let Some(p) = cmd.bios {
if cfg.executable_path.is_some() {
return Err(format!(
@ -1855,6 +1851,12 @@ impl TryFrom<RunCommand> for super::config::Config {
cfg.vfio_isolate_hotplug = cmd.vfio_isolate_hotplug;
}
// `--disable-sandbox` has the effect of disabling sandboxing altogether, so make sure
// to handle it after other sandboxing options since they implicitly enable it.
if cmd.disable_sandbox {
cfg.jail_config = None;
}
// Now do validation of constructed config
super::config::validate_config(&mut cfg)?;
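Review bot: The guarantee that `--disable-sandbox` wins now rests only on the relocated `if cmd.disable_sandbox` block being the last write to `cfg.jail_config`, and nothing but the comment enforces that position. `super::config::validate_config(&mut cfg)` runs right after it with a mutable reference; its body is not visible here, so it is worth confirming that it never repopulates `jail_config`. Since TEST= is a manual run, a unit test that converts a `RunCommand` combining `--disable-sandbox` with one other sandboxing option and asserts `cfg.jail_config.is_none()` would pin the ordering, and the comment could state the invariant directly: `// Must remain the last write to cfg.jail_config before validate_config().` It may also be worth logging when this block discards a jail configuration that other options had built, so that running without a sandbox despite explicit sandboxing options is not silent. The enclosing `TryFrom<RunCommand>` conversion starts and ends outside both hunks.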