hst: optionally cover /run/ early

This works around awkward root permissions.

Signed-off-by: Ophestra <cat@gensokyo.uk>

hst/container.go

@@ -69,6 +69,8 @@ const (
 	// FDevice mount /dev/ from the init mount namespace as is in the container
 	// mount namespace.
 	FDevice
+	// FCoverRun covers /run/ in the container mount namespace early.
+	FCoverRun
 
 	// FShareRuntime shares XDG_RUNTIME_DIR between containers under the same identity.
 	FShareRuntime
@@ -101,6 +103,8 @@ func (flags Flags) String() string {
 		return "mapuid"
 	case FDevice:
 		return "device"
+	case FCoverRun:
+		return "cover_run"
 	case FShareRuntime:
 		return "runtime"
 	case FShareTmpdir:
@@ -196,6 +200,8 @@ type containerConfigJSON = struct {
 
 	// Corresponds to [FDevice].
 	Device bool `json:"device,omitempty"`
+	// Corresponds to [FCoverRun].
+	CoverRun bool `json:"cover_run,omitempty"`
 
 	// Corresponds to [FShareRuntime].
 	ShareRuntime bool `json:"share_runtime,omitempty"`
@@ -219,6 +225,7 @@ func (c *ContainerConfig) MarshalJSON() ([]byte, error) {
 		Multiarch:     c.Flags&FMultiarch != 0,
 		MapRealUID:    c.Flags&FMapRealUID != 0,
 		Device:        c.Flags&FDevice != 0,
+		CoverRun:      c.Flags&FCoverRun != 0,
 		ShareRuntime:  c.Flags&FShareRuntime != 0,
 		ShareTmpdir:   c.Flags&FShareTmpdir != 0,
 	})
@@ -262,6 +269,9 @@ func (c *ContainerConfig) UnmarshalJSON(data []byte) error {
 	if v.Device {
 		c.Flags |= FDevice
 	}
+	if v.CoverRun {
+		c.Flags |= FCoverRun
+	}
 	if v.ShareRuntime {
 		c.Flags |= FShareRuntime
 	}