helper: Bind mount /sys subset

Instead of mounting our own sysfs instance we bind mount in only
a subset of the /sys subdirectories from the host. This has several
advantages:

* If something was covered out in the host we will shadow that (i.e.
  the app will never see more of sysfs than non xdg-apps)
* We can avoid showing some weird parts of sysfs, focusing on the
  device descriptions needed for e.g. mesa
* Bind mounts are allowed in a non-root user-namespace, whereas
  the sysfs mount is not, taking us one step closer to that.

xdg-app-helper.c

@@ -423,7 +423,16 @@ static const create_table_t create[] = {
   { FILE_TYPE_BIND_RO, "proc/irq", 0755, "proc/irq"},
   { FILE_TYPE_BIND_RO, "proc/bus", 0755, "proc/bus"},
   { FILE_TYPE_DIR, "sys", 0755},
-  { FILE_TYPE_MOUNT, "sys"},
+  { FILE_TYPE_DIR, "sys/block", 0755},
+  { FILE_TYPE_BIND_RO, "sys/block", 0755, "/sys/block"},
+  { FILE_TYPE_DIR, "sys/bus", 0755},
+  { FILE_TYPE_BIND_RO, "sys/bus", 0755, "/sys/bus"},
+  { FILE_TYPE_DIR, "sys/class", 0755},
+  { FILE_TYPE_BIND_RO, "sys/class", 0755, "/sys/class"},
+  { FILE_TYPE_DIR, "sys/dev", 0755},
+  { FILE_TYPE_BIND_RO, "sys/dev", 0755, "/sys/dev"},
+  { FILE_TYPE_DIR, "sys/devices", 0755},
+  { FILE_TYPE_BIND_RO, "sys/devices", 0755, "/sys/devices"},
   { FILE_TYPE_DIR, "dev", 0755},
   { FILE_TYPE_MOUNT, "dev"},
   { FILE_TYPE_DIR, "dev/pts", 0755},
@@ -453,7 +462,6 @@ static const create_table_t create_post[] = {
 
 static const mount_table_t mount_table[] = {
   { "proc",      "proc",     "proc",  NULL,        MS_NOSUID|MS_NOEXEC|MS_NODEV           },
-  { "sysfs",     "sys",      "sysfs", NULL,        MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV },
   { "tmpfs",     "dev",      "tmpfs", "mode=755",  MS_NOSUID|MS_STRICTATIME               },
   { "devpts",    "dev/pts",  "devpts","newinstance,ptmxmode=0666,mode=620,gid=5", MS_NOSUID|MS_NOEXEC },
   { "tmpfs",     "dev/shm",  "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME      },