Add that /var/run or subpaths cannot be exposed when symlinked on host

bbhtt · bbhtt · commit 4233a58e16e4 · 2024-10-30T11:37:21.000+05:30
Flatpak internally sets up a /var/run to /run symlink https://github.com/flatpak/flatpak/blob/fd1b7e444016d1b44bdab7cb5642b0ac83bd4b9e/common/flatpak-run.c#L2281. If it is symlinked on host too, when using `--filesystem=var/run/subpath` bwrap gets called twice to create the same symlink and the second one will fail. See also containers/bubblewrap@4109d59
diff --git a/docs/sandbox-permissions.rst b/docs/sandbox-permissions.rst
@@ -216,7 +216,8 @@ to them with ``--filesystem`` will have no effect::
 
 The entire ``/run`` is not allowed and all subpaths of ``/run`` except
 ``/run/flatpak, /run/host`` is allowed to be exposed via
-``--filesystem``.
+``--filesystem``. Additionally, if ``/var/run`` on host is a symlink to
+``../run``, exposing it or a subpath of it, is not allowed.
 
 Additionally the following directories from host need to be explicitly
 requested with ``--filesystem`` and are not available with
