containers / bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects

Add --cgroup flag for mounting cgroups #645

Open georgyo-js opened 2 months ago

georgyo-js commented 2 months ago

There is already --tmpfs, --dev, --proc, and --mqueue for creating mount points for commonly namespaced mount points for sandboxing.

There is also --unshare-cgroup which creates the cgroup namespace, but there is no option to mount cgroup controller over the existing one.

This is surprising as we must either mount the system one in, including all information from the host, or not have it available in the sandbox at all. Also surprising is that the pids inside the system cgroup do not match the ones inside the pid namespace.

But we could mount the cgroup filesystem inside the sandbox which would make the view of the world consistent. I believe this is impossible with bwrap today.

rusty-snake commented 2 months ago

Can you outline the advantages and drawbacks of mounting a new hierarchy (assuming you mean mount -t cgroup2 none PATH) with a command like --unshare-cgroup --cgroup /sys/fs/cgroup compared to just bind-mounting the current subtree to the root like --unshare-cgroup --bind /sys/fs/cgroup$(cut -d: -f3 /proc/self/cgroup) /sys/fs/cgroup?
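The bind-mount variant rusty-snake suggests, written out as an added example (this is not code from the bubblewrap project or from either commenter). It reads the caller's cgroup v2 subtree from /proc/self/cgroup, which is what the inline cut -d: -f3 does, but it picks only the unified "0::" line so it also works on hybrid hosts where /proc/self/cgroup additionally lists v1 hierarchies, and it emits the bwrap option list without running bwrap. The function names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example: expose only the caller's own cgroup v2 subtree as the root of
# /sys/fs/cgroup inside a bubblewrap sandbox.  Function names are assumptions
# of this example, not bubblewrap options.

# Print the cgroup v2 path of the process described by a /proc/<pid>/cgroup
# file (default: the caller's own).  A pure-v2 host has a single line of the
# form "0::/user.slice/...".  A hybrid host also has v1 lines such as
# "3:cpu,cpuacct:/foo" with a non-zero hierarchy ID; those are skipped, which
# is why a plain `cut -d: -f3` would print several paths there.
# Returns 1 when no v2 line is present.
cgroup_v2_subtree() {
    file="${1:-/proc/self/cgroup}"
    while IFS= read -r line; do
        case "$line" in
            0::*) printf '%s\n' "${line#0::}"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Emit, one per line, the bwrap options that unshare the cgroup namespace and
# bind the caller's subtree over /sys/fs/cgroup, so the sandbox sees its own
# cgroup as the root of the hierarchy instead of the whole host tree.
# Nothing is mounted here; the caller passes the result to bwrap.
bwrap_cgroup_args() {
    subtree=$(cgroup_v2_subtree "${1:-/proc/self/cgroup}") || return 1
    printf '%s\n' --unshare-cgroup --bind "/sys/fs/cgroup${subtree}" /sys/fs/cgroup
}

# Sanity check a practitioner wants before trusting the mount: the subtree
# must exist on a cgroup v2 /sys/fs/cgroup.  Prints the host path on success.
cgroup_v2_mount_source() {
    subtree=$(cgroup_v2_subtree "${1:-/proc/self/cgroup}") || return 1
    src="/sys/fs/cgroup${subtree}"
    [ -f "$src/cgroup.procs" ] || return 1
    printf '%s\n' "$src"
}

# Usage on a real host (needs bwrap and cgroup v2; not executed in this file):
#   set -- $(bwrap_cgroup_args)
#   bwrap --ro-bind / / --dev /dev --proc /proc "$@" -- cat /sys/fs/cgroup/cgroup.procs
# With the pid namespace also unshared (--unshare-pid), the pids printed by
# cgroup.procs are the sandbox's own, as the thread's follow-up confirms.
```

The options are printed one per line rather than as a single string so that a caller using `set -- $(bwrap_cgroup_args)` gets exactly four words; systemd-style cgroup names contain no whitespace, so the word splitting is safe.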

georgyo-js commented 2 months ago

I'll admit that I am surprised that pids correctly got translated in the cgroup, so it is a viable option and solves my goals. The only value then is to just make it easier as string templating in the command arguments is not the most ergonomic.

Feel free to close this ticket if there is not a strong desire to implement this feature.