test: Add a test for mountpoint policy violations

Users cannot create a mountpoint on /ostree, make sure that an error is
returned when this happens.

test/test_manifest.py

@@ -1,4 +1,5 @@
 import json
+import pathlib
 import subprocess
 
 import pytest
@@ -22,3 +23,45 @@ def test_manifest_smoke(build_container):
     # just some basic validation
     assert manifest["version"] == "2"
     assert manifest["pipelines"][0]["name"] == "build"
+
+
+def test_mount_ostree_error(tmpdir_factory, build_container):
+    CFG = {
+        "blueprint": {
+            "customizations": {
+                "filesystem": [
+                    {
+                        "mountpoint": "/",
+                        "minsize": "12GiB"
+                    },
+                    {
+                        "mountpoint": "/var/log",
+                        "minsize": "1GiB"
+                    },
+                    {
+                        "mountpoint": "/ostree",
+                        "minsize": "10GiB"
+                    }
+                ]
+            },
+        },
+    }
+
+    output_path = pathlib.Path(tmpdir_factory.mktemp("data")) / "output"
+    output_path.mkdir(exist_ok=True)
+    config_json_path = output_path / "config.json"
+    config_json_path.write_text(json.dumps(CFG), encoding="utf-8")
+
+    try:
+        subprocess.check_output([
+            "podman", "run", "--rm",
+            "--privileged",
+            "--security-opt", "label=type:unconfined_t",
+            "-v", f"{output_path}:/output",
+            f'--entrypoint=["/usr/bin/bootc-image-builder", "manifest", "{container_to_build_ref()}"]',
+            build_container,
+            "--config", "/output/config.json",
+        ], stderr=subprocess.PIPE)
+        assert False, "Did not raise a CalledProcessError when mounting /ostree"
+    except subprocess.CalledProcessError as err:
+        assert 'The following custom mountpoints are not supported ["/ostree"]' in err.stderr.decode("utf-8")