Mount a new tmpfs on /tmp and drop all capabilities

This mounts a new tmpfs on /tmp so any files residing there would be hidden
from the sandbox. Many programs store some files in there that might be useful
to an attacker.  It also drops all capabilities incase it is ever run with
extra capabilities for whatever reason.
10 jobs for master in 6 minutes and 2 seconds (queued for 2 seconds)
Status Job ID Name Coverage
  Linting
passed #110098
linting:bandit

00:00:23

passed #110099
linting:codespell

00:00:21

passed #110102
linting:mypy

00:00:23

passed #110101
linting:pyflakes

00:00:22

passed #110100
linting:pylint

00:00:32

 
  Test
passed #110103
tests:archlinux

00:01:46

passed #110104
tests:debian

00:01:28

passed #110105
tests:debian_with_bubblewrap

00:02:02

100.0%
passed #110106
tests:fedora

00:01:28

passed #110107
tests:gentoo

00:01:48