units: set nodev,nosuid,noexec flags for various secondary API VFS

A couple of API VFS we mount via .mount units. Let's set the three flags
for those too, just in case.

This is just paranoia, nothing else, but shouldn't hurt.

units/dev-mqueue.mount

@@ -20,3 +20,4 @@ ConditionCapability=CAP_SYS_ADMIN
 What=mqueue
 Where=/dev/mqueue
 Type=mqueue
+Options=nosuid,nodev,noexec

units/proc-sys-fs-binfmt_misc.mount

@@ -17,3 +17,4 @@ DefaultDependencies=no
 What=binfmt_misc
 Where=/proc/sys/fs/binfmt_misc
 Type=binfmt_misc
+Options=nosuid,nodev,noexec

units/sys-fs-fuse-connections.mount

@@ -22,3 +22,4 @@ Before=sysinit.target
 What=fusectl
 Where=/sys/fs/fuse/connections
 Type=fusectl
+Options=nosuid,nodev,noexec

units/sys-kernel-config.mount

@@ -21,3 +21,4 @@ Before=sysinit.target
 What=configfs
 Where=/sys/kernel/config
 Type=configfs
+Options=nosuid,nodev,noexec

units/sys-kernel-debug.mount

@@ -20,3 +20,4 @@ Before=sysinit.target
 What=debugfs
 Where=/sys/kernel/debug
 Type=debugfs
+Options=nosuid,nodev,noexec