Support mounting the host filesystem read-only in the sandbox

It would be interesting to support bind-mounting the host filesystem read-only. This way, instead of necessarily having to pull a root filesystem tarball (or an OSTree sysroot), it would be possible to reuse the development tools from the host. This is interesting in cases where one would want to build software to run on the host which gets built and installed by BuildStream in a prefix.

For example, for WebKitGTK+ development we currently use a custom jhbuild module set to ensure all developers use the same dependencies for testing, and we do want the build artifacts to be built with the host compiler and installed into a directory, because the rest of the WebKitGTK+ build system and the test runner expect to use host tools as well.