Serialize writes to slice of precompiled seccomp programs.

I'm not sure if this is necessary but the lack of synchronization here
makes me nervous.

PiperOrigin-RevId: 788781248

Author: EtiennePerot

runsc/boot/filter/config/BUILD

@@ -38,6 +38,7 @@ go_library(
         "//pkg/sentry/platform/platforms",
         "//pkg/sentry/socket/hostinet",
         "//pkg/sentry/socket/plugin",
+        "//pkg/sync",
         "//pkg/tcpip/link/fdbased",
         "@org_golang_x_sync//errgroup:go_default_library",
         "@org_golang_x_sys//unix:go_default_library",

runsc/boot/filter/config/config_precompiled.go

@@ -23,6 +23,7 @@ import (
 	"gvisor.dev/gvisor/pkg/seccomp/precompiledseccomp"
 	"gvisor.dev/gvisor/pkg/sentry/devices/nvproxy/nvconf"
 	"gvisor.dev/gvisor/pkg/sentry/platform"
+	"gvisor.dev/gvisor/pkg/sync"
 
 	// Import platforms that we need to precompile filters for.
 	_ "gvisor.dev/gvisor/pkg/sentry/platform/platforms"
@@ -136,6 +137,7 @@ func PrecompiledPrograms() ([]precompiledseccomp.Program, error) {
 		return nil, err
 	}
 	programs := make([]precompiledseccomp.Program, len(opts))
+	var programsMu sync.Mutex
 	var errGroup errgroup.Group
 	for i, opt := range opts {
 		i, opt := i, opt
@@ -165,6 +167,8 @@ func PrecompiledPrograms() ([]precompiledseccomp.Program, error) {
 			if err != nil {
 				return fmt.Errorf("cannot precompile seccomp program for options %v: %w", opt.ConfigKey(), err)
 			}
+			programsMu.Lock()
+			defer programsMu.Unlock()
 			programs[i] = program
 			return nil
 		})