Add limited capability for use of loop devices in non-root
containers via a loopfs psuedo fs. When mounted this filesystem
will contain only a loop-control device node. This can be used
to request free loop devices which will be "owned" by that mount.
Device nodes appear automatically for these devices, and the same
device will not be given to another loopfs mount. Privileged loop
ioctls (for encrypted loop) will be allowed within the namespace
which mounted the loopfs.

Privileged block ioctls are not permitted, so features such as
partitions are not supported for unprivileged users.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>