today some init scripts want access to DNS/resolver and timezone settings. that means people need to know that in CrOS:
- /etc/localtime is a symlink to /var/lib/timezone/ path
- have to set up /var mount base path for writing
- bind mount /var/lib/timezone
- do *not* bind mount /etc/localtime
and for resolver:
- /etc/resolv.conf is a symlink to /run/shill/ path
- have to set up /run mount base path for writing
- bind mount /run/shill
- do *not* bind mount /etc/resolv.conf
it'd be better if minijail had an option to hide these knobs so init scripts can just say "enable timezone support" and "enable resolver". we don't want to hardcode these details in minijail though, so might need to leverage config files or build-time settings to manage it.
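The mount setup listed above, written out as an added sketch (not minijail code and not taken from any CrOS init script): the hypothetical helper `jail_feature_args` expands the two feature names into the `minijail0` mount arguments an init script has to spell out today. The tmpfs options are constructed values, and `--profile=minimalistic-mountns` is assumed as the base profile.

```shell
#!/bin/sh
# Added illustration: turn "timezone" / "resolver" into minijail0 mount args.
# jail_feature_args is a hypothetical name; TMPFS_OPTS is a constructed value.

TMPFS_OPTS='MS_NODEV|MS_NOEXEC|MS_NOSUID,mode=755,size=10M'

jail_feature_args() {
  want_tz=0
  want_dns=0
  for feature in "$@"; do
    case "${feature}" in
      timezone) want_tz=1 ;;
      resolver) want_dns=1 ;;
      *) echo "unknown feature: ${feature}" >&2; return 1 ;;
    esac
  done

  # Assumed base: a pivot_root'ed mount namespace where / is visible
  # read-only but /var and /run are not mounted.
  args="--profile=minimalistic-mountns"

  # Mounts are applied in the order given, so the writable base path (-k)
  # has to come before the bind mount (-b) that lands inside it.
  if [ "${want_tz}" -eq 1 ]; then
    # /etc/localtime is a symlink into /var/lib/timezone: bind the
    # directory it points into, not the symlink itself.
    args="${args} -k tmpfs,/var,tmpfs,${TMPFS_OPTS} -b /var/lib/timezone"
  fi
  if [ "${want_dns}" -eq 1 ]; then
    # /etc/resolv.conf is a symlink into /run/shill: same rule.
    args="${args} -k tmpfs,/run,tmpfs,${TMPFS_OPTS} -b /run/shill"
  fi
  printf '%s\n' "${args}"
}

# Print the arguments a script wanting both features would pass.
jail_feature_args timezone resolver
```

Because only the symlink targets are bind mounted, a later change to which file under /var/lib/timezone or /run/shill the /etc symlink points at does not require touching the jail arguments.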