Support read-only root

BuildStream with the Bubblewrap backend currently keeps the sandbox root read-only and allows write access only to the build and install directories for build commands (everything is writable for integration commands). To match the current behavior with a BuildBox backend for BuildStream, BuildBox needs to support restricting write access to a list of directories specified as CLI options.