/dev/shm not available in sandbox (bwrap)

Summary

The build sandbox does not contain /dev/shm, which is expected by some build tools (looking at you, bazel), and is also expected for POSIX compliance. Of course, a plugin can add this into the sandbox using Sandbox.mark_directory(), but this passes the device through using --dev-bind, which means it uses the host.

Steps to reproduce

Try and access /dev/shm inside the build sandbox; it will not exist. Adding it using the available APIs will share the host one.

What is the current bug behavior?

Things fail when they try and access /dev/shm, or the host has access to the build through this.

What is the expected correct behavior?

A nice fresh tmpfs in place of /dev/shm.

Possible fixes

We can create a tmpfs in the correct location using the --tmpfs option to bwrap.

I'm unsure if this is a problem in other sandboxing backends.

Other relevant information

  • BuildStream version affected: bst 1.91.2
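
A sketch of the proposed fix, as an added example that is not BuildStream's own code: it rewrites a list of bwrap mount options so that /dev/shm is always a fresh tmpfs and never a bind of the host's. The tuple representation of the mount options and the names `private_dev_shm` and `to_argv` are assumptions made for illustration; the sample options are constructed.

```python
import posixpath

SHM = "/dev/shm"


def private_dev_shm(mount_ops):
    """Return mount ops in which /dev/shm is a fresh tmpfs, never a host bind.

    mount_ops is a list of tuples such as ("--dev-bind", "/dev/null", "/dev/null").
    This representation is hypothetical, not BuildStream's internal one.
    """
    hardened = []
    for op in mount_ops:
        # For bind-style options the destination is the last element.
        dest = posixpath.normpath(op[-1])
        # Drop anything mounted on or below /dev/shm (for example a
        # --dev-bind of the host's /dev/shm): the tmpfs added below
        # would hide it anyway, and it must not reach the sandbox.
        if dest == SHM or dest.startswith(SHM + "/"):
            continue
        hardened.append(tuple(op))
    # bwrap applies mount options in command-line order, so a tmpfs placed
    # last also covers the host /dev/shm exposed by a bind of all of /dev.
    hardened.append(("--tmpfs", SHM))
    return hardened


def to_argv(mount_ops, command):
    """Flatten mount ops and the sandboxed command into a bwrap argv."""
    argv = ["bwrap"]
    for op in mount_ops:
        argv.extend(op)
    return argv + list(command)


if __name__ == "__main__":
    # Constructed sample: what a plugin marking /dev/shm would produce today.
    ops = [
        ("--ro-bind", "/", "/"),
        ("--dev-bind", "/dev/null", "/dev/null"),
        ("--dev-bind", "/dev/shm", "/dev/shm"),
    ]
    print(" ".join(to_argv(private_dev_shm(ops), ["sh", "-c", "ls -la /dev/shm"])))
```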