oci/defaults_linux.go: mask /sys/firmware

On typical x86_64 machines, /sys/firmware can contain SMBIOS and ACPI tables.
There is no need to expose the directory to containers.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

oci/defaults_linux.go

@@ -83,6 +83,7 @@ func DefaultSpec() specs.Spec {
 			"/proc/timer_list",
 			"/proc/timer_stats",
 			"/proc/sched_debug",
+			"/sys/firmware",
 		},
 		ReadonlyPaths: []string{
 			"/proc/asound",