manifest: Disable all filesystem access in flatpak-builder --run sandbox

Just as any other build commands, add --nofilesystem=host:reset
to remove any filesystem permissions when running commands.

Closes: #348

Author: cxrvh

src/builder-manifest.c

@@ -4434,6 +4434,7 @@ builder_manifest_run (BuilderManifest *self,
   args = g_ptr_array_new_with_free_func (g_free);
   g_ptr_array_add (args, g_strdup ("flatpak"));
   g_ptr_array_add (args, g_strdup ("build"));
+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
   g_ptr_array_add (args, g_strdup ("--with-appdir"));
 
   build_dir_path = g_file_get_path (builder_context_get_build_dir (context));