Sort dirs before files in resolve_overlays

Glob results within a SENSITIVE_PATHS entry could return files before
their parent directory. When that happens the file gets a null-bind
while its siblings remain visible, because the parent hasn't been added
to tmpfs_dirs yet. Sorting dirs first removes this implicit ordering
dependency.

src/blacklist.rs

@@ -19,7 +19,9 @@ pub fn resolve_overlays(ctx: &PathContext) -> Result<BlacklistOverlays, SandboxE
 
     for raw in SENSITIVE_PATHS {
         let expanded = expand_path(raw, ctx);
-        for path in expand_glob(&expanded)? {
+        let mut paths = expand_glob(&expanded)?;
+        paths.sort_by_key(|p| !p.is_dir());
+        for path in paths {
             match classify_path(&path) {
                 PathKind::Dir => tmpfs_dirs.push(path),
                 PathKind::File => {