Lock down /boot and /root

This adds nodev, noexec, and nosuid to the mount options for /boot.
/root just gets nodev since it doesn't seem unreasable to run an
executable from there.

Author: fhunleth

rootfs_overlay/etc/erlinit.config

@@ -49,8 +49,8 @@
 #       the history is loaded. If this mount fails due to corruption, etc.,
 #       nerves_runtime will auto-format it. Your applications will need to handle
 #       initializing any expected files and folders.
--m /dev/mmcblk0p4:/root:ext4::
--m /dev/mmcblk0p1:/boot:vfat:ro:
+-m /dev/mmcblk0p1:/boot:vfat:ro,nodev,noexec,nosuid:
+-m /dev/mmcblk0p4:/root:ext4:nodev:
 
 # Erlang release search path
 -r /srv/erlang