fix(builder): allow mnt + user namespaces for buildah layer extraction

RestrictNamespaces=yes denied every namespace syscall, which broke
buildah's layer-extract path with "creating mount namespace before
pivot: operation not permitted" on COPY steps.

Narrow the restriction to allow mnt + user (the two buildah actually
creates during `bud`) while still denying cgroup, net, uts, pid, ipc
— none of which a static build needs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: andrasbacsai

coold/src/builder/mod.rs

@@ -242,8 +242,11 @@ impl BuilderCtx {
             .arg("LockPersonality=yes")
             .arg("-p")
             .arg("RestrictRealtime=yes")
+            // buildah creates mount + user namespaces to extract image layers
+            // ("creating mount namespace before pivot"). Allow those two but
+            // continue denying cgroup/net/uts/pid/ipc that builds never need.
             .arg("-p")
-            .arg("RestrictNamespaces=yes")
+            .arg("RestrictNamespaces=mnt user")
             .arg("-p")
             .arg("SystemCallArchitectures=native")
             .arg("--")