Service manager (via "catalog") exposes a Directory interface which maps access to base::DIR_MODULE to any capable service. This is a bit ham-fisted now that we no longer have isolated service directories, and in practice it's really only used to load resource paks with fixed filenames.
To address this we should add support for an explicit whitelist of accessible files in a service's manifest, with paths relative to the executable.
We can leave the Directory interface exposed as-is as long as we change the implementation to enforce the whitelist, or we can introduce a separate service manager API for requesting File interfaces. I would prefer the former option since it seems cleaner to me.
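The proposal above is to keep the Directory interface but have its implementation enforce a per-service whitelist of files, with paths taken relative to the executable. As an added illustration (this is not Chromium code; ServiceManifest, NormalizeRelativePath and ResolveWhitelistedFile are hypothetical names), the check that implementation would need to run before handing out a File: normalize the requested relative path so that `..`, absolute paths and empty components cannot escape the module directory, then require an exact match against the manifest's whitelist.

```cpp
// Added example, not Chromium code: enforcing a per-service file whitelist in
// a Directory-style interface. All names here are hypothetical.
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <vector>

// Hypothetical manifest entry: the files a service may open, with paths
// relative to the executable directory (base::DIR_MODULE in Chromium terms).
struct ServiceManifest {
  std::string name;
  std::set<std::string> whitelisted_files;
};

// Normalize a relative path into "a/b/c" form. Rejects absolute paths, ".."
// components (parent traversal) and paths that normalize to nothing.
// Both '/' and '\\' are treated as separators so a Windows-style request
// cannot slip past a '/'-only check.
std::optional<std::string> NormalizeRelativePath(const std::string& path) {
  if (path.empty() || path[0] == '/' || path[0] == '\\') return std::nullopt;
  if (path.size() >= 2 && path[1] == ':') return std::nullopt;  // "C:foo"
  std::vector<std::string> parts;
  std::string cur;
  for (size_t i = 0; i <= path.size(); ++i) {
    if (i == path.size() || path[i] == '/' || path[i] == '\\') {
      if (cur.empty() || cur == ".") {
        // skip empty components ("a//b") and "."
      } else if (cur == "..") {
        return std::nullopt;  // never allow climbing out of DIR_MODULE
      } else {
        parts.push_back(cur);
      }
      cur.clear();
    } else {
      cur += path[i];
    }
  }
  if (parts.empty()) return std::nullopt;
  std::string out;
  for (size_t i = 0; i < parts.size(); ++i) {
    if (i) out += '/';
    out += parts[i];
  }
  return out;
}

// Build a manifest, normalizing every whitelist entry at load time so the
// later comparison is exact-string. Entries that fail normalization are
// dropped rather than silently accepted.
ServiceManifest MakeManifest(const std::string& name,
                             const std::vector<std::string>& files) {
  ServiceManifest m{name, {}};
  for (const auto& f : files) {
    if (auto n = NormalizeRelativePath(f)) m.whitelisted_files.insert(*n);
  }
  return m;
}

// The check the Directory implementation would run in the service manager
// (the privileged side) before opening a file on a service's behalf.
// Returns the absolute path to open, or nullopt if the request is denied.
std::optional<std::string> ResolveWhitelistedFile(const ServiceManifest& manifest,
                                                  const std::string& module_dir,
                                                  const std::string& requested) {
  auto normalized = NormalizeRelativePath(requested);
  if (!normalized) return std::nullopt;
  if (manifest.whitelisted_files.count(*normalized) == 0) return std::nullopt;
  return module_dir + "/" + *normalized;
}

int main() {
  // Constructed sample manifest for a service that only needs resource paks.
  ServiceManifest m = MakeManifest("resource_loader",
                                   {"resources.pak", "locales/en-US.pak"});
  for (const char* req : {"resources.pak", "./locales//en-US.pak",
                          "../etc/passwd", "/etc/passwd", "chrome.dll"}) {
    auto r = ResolveWhitelistedFile(m, "/opt/chrome", req);
    std::cout << req << " -> " << (r ? *r : "DENIED") << "\n";
  }
  return 0;
}
```

The normalization is purely lexical: it decides what the service asked for, not what the filesystem will do with it. A symlink placed inside DIR_MODULE would still be followed by the open call, so this check assumes the module directory itself is not writable by the sandboxed service, and the check belongs on the service manager side, never in the requesting process.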
Comment 1 by roc...@chromium.org, Dec 2 2017