bunpen: dont make /tmp a new tmpfs in the sandboxed environment

this makes fs use more visible, e.g. Signal is storing 60+MB in /tmp

hosts/common/programs/signal-desktop.nix

@@ -3,6 +3,8 @@
 # - it may hang on exit (?), characterized by these log messages:
 #     Dec 03 13:46:23 moby signal-desktop[4097]: [4097:1203/134623.906367:ERROR:ozone_platform_x11.cc(240)] Missing X server or $DISPLAY
 #     Dec 03 13:46:23 moby signal-desktop[4097]: [4097:1203/134623.909667:ERROR:env.cc(255)] The platform failed to initialize.  Exiting.
+#
+# TODO(2024-12-16): electron writes 60+MB to /tmp (`.org.chromium.Chromium.*`): consider persisting Signal's tmpdir to ephemeral storage
 { config, lib, pkgs, ... }:
 let
   cfg = config.sane.programs.signal-desktop;

pkgs/by-name/bunpen/restrict/ns/mount_ns.ha

@@ -30,6 +30,7 @@ fn isolate_paths(what: *restrict::resources) void = {
   // 2. create a new rootfs at `new` and bind stuff into it.
   // 3. then pivot a 2nd time, into `new` (and drop `old` altogether)
 
+  // errors::ext::check("[namespace] mount /tmp /tmp", rt::ext::mount("/tmp", "/tmp", "", rt::ext::mount_flag::BIND));
   errors::ext::check("[namespace] mount -t tmpfs tmpfs /tmp", rt::ext::mount("tmpfs", "/tmp", "tmpfs", rt::ext::mount_flag::NODEV | rt::ext::mount_flag::NOSUID, null));
 
   pivot_into("/tmp", "old");
@@ -77,7 +78,9 @@ fn isolate_paths(what: *restrict::resources) void = {
 
   // provide a new `/tmp` too.
   errors::ext::swallow("[namespace] mkdir new/tmp", rt::mkdir("new/tmp", 0o777));
-  errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
+  // it doesn't actually *need* to be its own fs, since `/` is already a tmpfs.
+  // actually, keeping /tmp on the rootfs makes ram-usage debugging easier.
+  // errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
 
   // some apps (e.g. signal-desktop) require /dev/shm.
   // /dev/shm is an ordinary tmpfs.