Add option to expose remote execution services to the sandbox

[abderrahim]

Context: https://lists.apache.org/thread/scsz1ybc25d3x1oy33onfmm8rhr0kddg

We want to add an option to allow exposing subset of the remote execution services on a unix socket in the sandbox (similar to #1772 / #1945). This would allow REAPI aware clients (such as bazel or RECC) to take advantage of it.

As discussed on the mailing list, we only want to allow CAS, Remote Execution and Action Cache. We don't want to expose Remote Asset or Local CAS in the sandbox.

Ideally this would be implemented in buildbox-run (filed https://gitlab.com/BuildGrid/buildbox/buildbox/-/issues/183 for this) and buildstream only needs to pass the correct parameters to enable it.

Either way, this also needs sandbox configuration in buildstream to enable it.