gnu: linux-container: Make it more suitable for derivation-building.

* gnu/build/linux-container.scm (mount-file-systems): First remount all
  filesystems in the current mount namespace as private (by mounting / with
  MS_PRIVATE and MS_REC), so that the set of mounts cannot increase except
  from within the container. Also, the tmpfs mounted over the chroot directory
  now inherits the chroot directory's permissions (p11-kit, for example, has a
  test that assumes that the root directory is not writable for the current
  user, and tmpfs is by default 1777 when created).

* guix/build/syscalls.scm (MS_PRIVATE, MS_REC): new variables.

gnu/build/linux-container.scm

@@ -99,7 +99,14 @@ (define* (mount* source target type #:optional (flags 0) options
 
   ;; The container's file system is completely ephemeral, sans directories
   ;; bind-mounted from the host.
-  (mount "none" root "tmpfs")
+  ;; Make this private in the container namespace so everything mounted under
+  ;; it is local to this namespace.
+  (mount "none" "/" "none" (logior MS_REC MS_PRIVATE))
+  (let ((current-perms (stat:perms (stat root))))
+    (mount "none" root "tmpfs" 0 (string-append "mode="
+                                                (number->string current-perms
+                                                                8))))
+
 
   ;; A proc mount requires a new pid namespace.
   (when mount-/proc?

guix/build/syscalls.scm

@@ -45,6 +45,8 @@ (define-module (guix build syscalls)
             MS_MOVE
             MS_STRICTATIME
             MS_LAZYTIME
+            MS_PRIVATE
+            MS_REC
             MNT_FORCE
             MNT_DETACH
             MNT_EXPIRE
@@ -452,6 +454,8 @@ (define MS_REMOUNT           32)
 (define MS_NOATIME         1024)
 (define MS_BIND            4096)
 (define MS_MOVE            8192)
+(define MS_REC            16384)
+(define MS_PRIVATE       262144)
 (define MS_STRICTATIME 16777216)
 (define MS_LAZYTIME    33554432)