Restrict read access on the file system.

This should wait to go in until we are also testing the JS evaluator: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikiLambda/+/948669

Also, I'm not sure if this is even worth doing. Access to the SSL cert and /proc is needed to run the image, but those are the things we want to hide from users in the first place ...