kola: Force exclusive: false tests to use ProtectSystem=strict

Part of my war against duplicative comments in our kola tests.
We have a few tests that write a comment like this:

```
 # - exclusive: false
 #   - This test doesn't make meaningful changes to the system and
 #     should be able to be combined with other tests.
```
Of course, this comment is already redundant because the
meaning of the `exclusive` tag is defined canonically in coreos-assembler
(here) and copy-pasting that into every test that uses it would
be pointlessly verbose.

But - we can do one better.  Instead of having this flag be an
"I promise not to mutate the system" field, we can *enforce* it.
Then it doesn't need to be commented - if someone later tries
to change an `exclusive: false` test to mutate things, the test
will *fail*.  The behavior is hence more self-documenting and
enforcing.

Some tests need adjustment for this.

Author: cgwalters

mantle/kola/harness.go

@@ -980,6 +980,12 @@ Environment=KOLA_TEST_EXE=%s
 Environment=%s=%s
 ExecStart=%s
 `, unitName, testname, base, kolaExtBinDataEnv, destDataDir, remotepath)
+	// Force exclusive tests to not affect the system
+	if !targetMeta.Exclusive {
+		unit += (`ProtectSystem=strict
+PrivateTmp=yes
+`)
+	}
 	if targetMeta.InjectContainer {
 		if CosaBuild == nil {
 			return fmt.Errorf("test %v uses injectContainer, but no cosa build found", testname)