Bind mount the system Flatpak directory at runtime

For what it's worth, this does alter the mount propagation flags by
adding 'slave'.

Earlier with 'podman create --volume ...' it was:
$ findmnt -o OPTIONS,PROPAGATION /var/lib/flatpak
OPTIONS              PROPAGATION
ro,relatime,seclabel private

Now with 'mount --bind -o ro ...' it is:
$ findmnt -o OPTIONS,PROPAGATION /var/lib/flatpak
OPTIONS              PROPAGATION
ro,relatime,seclabel private,slave

This difference was ignored because it doesn't appear to cause any
real problem.

https://github.com/containers/toolbox/pull/327
This commit is contained in:
Debarshi Ray 2019-11-07 14:02:59 +01:00
parent 819bb46aaa
commit 9436bbece0

10
toolbox

@ -896,7 +896,6 @@ create()
dbus_system_bus_address="unix:path=/var/run/dbus/system_bus_socket"
home_link=""
flatpak_system_directory_bind=""
kcm_socket=""
kcm_socket_bind=""
libvirt_system_directory_bind=""
@ -912,10 +911,6 @@ create()
dbus_system_bus_path=$(echo "$dbus_system_bus_address" | cut --delimiter = --fields 2 2>&3)
dbus_system_bus_path=$(readlink --canonicalize "$dbus_system_bus_path" 2>&3)
if [ -d /var/lib/flatpak ] 2>&3; then
flatpak_system_directory_bind="--volume /var/lib/flatpak:/var/lib/flatpak:ro"
fi
# Note that 'systemctl show ...' doesn't terminate with a non-zero exit
# code when used with an unknown unit. eg.:
# $ systemctl show --value --property Listen foo
@ -1073,7 +1068,6 @@ create()
$ulimit_host \
--userns=keep-id \
--user root:root \
$flatpak_system_directory_bind \
$kcm_socket_bind \
$libvirt_system_directory_bind \
$run_media_path_bind \
@ -1198,6 +1192,10 @@ init_container()
return 1
fi
fi
if ! mount_bind /run/host/var/lib/flatpak /var/lib/flatpak ro; then
return 1
fi
fi
if [ -d /run/host/monitor ] 2>&3; then
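Review bot: The new `if ! mount_bind /run/host/var/lib/flatpak /var/lib/flatpak ro; then` in init_container has no visible check that the host directory exists, whereas the create() code it replaces only added the volume after `if [ -d /var/lib/flatpak ] 2>&3; then`. The `if` that encloses the added lines opens before the hunk, so if it does not test the path, a host without Flatpak will make init_container return 1 instead of silently skipping the mount as before; a guard of the form `if [ -d /run/host/var/lib/flatpak ] 2>&3; then` around the new block would keep the old behaviour. The commit message records that the bind mount ends up `ro` with `private,slave` propagation; since the read-only flag is the property that keeps the container from writing into the host's Flatpak installation, a short comment on the new lines stating that intent, e.g. `# Expose the host's Flatpak installation read-only, matching the old --volume ...:ro`, would help a later reader. init_container starts and ends outside this hunk, and mount_bind is defined elsewhere, so whether it verifies that the mount really ended up read-only cannot be judged from here.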