fix(image): policy-rc.d so the kiosk (X11/chromium) installs in chroot

The live-usb kiosk stack (dbus, X11, chromium) aborted its postinst in the
init-less chroot ('Failed to connect to system message bus', invoke-rc.d
errors), failing the build. Add /usr/sbin/policy-rc.d (exit 101) before the
installs and remove it before squashfs, so packages don't try to start
services at build time but the booted system still does. Keep kiosk ON for
amd64 USB (extra_args=--kiosk). Do NOT disable kiosk.

.github/workflows/build-all-live-usb.yml

@@ -48,6 +48,7 @@ jobs:
             output_pattern: "secubox-live-amd64-*.img*"
             needs_qemu: false
             embed_image: false
+            extra_args: "--kiosk"
 
           # MOCHAbin (arm64) - U-Boot distroboot
           - platform: mochabin

image/build-live-usb.sh

@@ -1137,6 +1137,24 @@ mount_chroot_fs() {
 
 mount_chroot_fs
 
+# Make EVERY dpkg op in the chroot keep existing conffiles and never prompt.
+# secubox-mesh's mesh.toml is an auto-detected conffile; in the headless chroot
+# its prompt aborts with "end of file on stdin at conffile prompt", failing the
+# whole build. dpkg.cfg.d covers apt installs AND bare `dpkg --configure -a`.
+install -d "${ROOTFS}/etc/dpkg/dpkg.cfg.d"
+printf 'force-confold\nforce-confdef\n' > "${ROOTFS}/etc/dpkg/dpkg.cfg.d/90-secubox-confold"
+
+# Deny service start/stop/reload during install — the chroot has no running
+# init/dbus, so packages like dbus / the kiosk X11+chromium stack abort their
+# postinst ("Failed to connect to system message bus", invoke-rc.d errors),
+# which fails the whole build. Removed before squashfs so the real system
+# boots services normally (systemd starts enabled units regardless).
+cat > "${ROOTFS}/usr/sbin/policy-rc.d" <<'POLICY'
+#!/bin/sh
+exit 101
+POLICY
+chmod +x "${ROOTFS}/usr/sbin/policy-rc.d"
+
 cat > "${ROOTFS}/etc/apt/sources.list" <<EOF
 deb ${APT_MIRROR} ${SUITE} main contrib non-free non-free-firmware
 deb ${APT_MIRROR} ${SUITE}-updates main contrib non-free non-free-firmware
@@ -3341,6 +3359,9 @@ umount -lf "${ROOTFS}/sys" 2>/dev/null || true
 log "7/8 Creating SquashFS filesystem..."
 mkdir -p "${LIVE_DIR}/live"
 
+# Remove the build-time service-deny shim so the booted system starts services.
+rm -f "${ROOTFS}/usr/sbin/policy-rc.d"
+
 mksquashfs "${ROOTFS}" "${LIVE_DIR}/live/filesystem.squashfs" \
   -comp xz -b 1M -Xdict-size 100% -e boot/grub -e boot/efi