Make per-app generated files read-only

We generate various configuration files for each sandbox instance,
and expose them to the sandbox using flatpak_bwrap_add_args_data,
which in the end passed --bind-data to bwrap. These files are not
sensitive or shared, but it still doesn't really make sense for
the sandbox to allow them to be modified, so lets switch them
to --ro-bind-data.

This affects these files in the sandbox:

 $HOME/.var/app/$APPID/config/user-dirs.dirs
 /etc/group
 /etc/ld.so.conf
 /etc/passwd
 /etc/pkcs11/modules/p11-kit-trust.module
 /etc/pkcs11/pkcs11.conf
 /etc/timezone
 /run/flatpak/ld.so.conf.d/*.conf
 /run/user/$UID/pulse/config
 /run/user/$UID/Xauthority

common/flatpak-bwrap.c

@@ -245,7 +245,7 @@ flatpak_bwrap_add_args_data (FlatpakBwrap *bwrap,
   if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&args_tmpf, name, content, content_size, error))
     return FALSE;
 
-  flatpak_bwrap_add_args_data_fd (bwrap, "--bind-data", glnx_steal_fd (&args_tmpf.fd), path);
+  flatpak_bwrap_add_args_data_fd (bwrap, "--ro-bind-data", glnx_steal_fd (&args_tmpf.fd), path);
   return TRUE;
 }
 

common/flatpak-run.c

@@ -207,7 +207,7 @@ flatpak_run_add_x11_args (FlatpakBwrap *bwrap,
                   g_autofree char *dest = g_strdup_printf ("/run/user/%d/Xauthority", getuid ());
 
                   write_xauth (d, output);
-                  flatpak_bwrap_add_args_data_fd (bwrap, "--bind-data", tmp_fd, dest);
+                  flatpak_bwrap_add_args_data_fd (bwrap, "--ro-bind-data", tmp_fd, dest);
 
                   flatpak_bwrap_set_env (bwrap, "XAUTHORITY", dest, TRUE);
                 }