Mount resolved varlink socket in sandbox if network access is allowed

If network access is allowed, then we should probably allow name
resolution too.

This should be enough to make nss-resolve work inside flatpak. However,
it cannot be tested with GNOME runtimes, because GNOME runtimes do not
contain systemd. It also cannot be tested with the Fedora 33 flatpak
runtime, because this runtime contains systemd 246, where nss-resolve
uses D-Bus rather than varlink to communicate with systemd-resolved. And
there is no rawhide runtime, and will be no Fedora 34 runtime until F34
is branched. So currently it's not possible to actually test this
without building a custom runtime, which I have not attempted to do. I
have built flatpak myself and verified the resolved socket is mounted
properly inside the sandbox, but it would be better to test if it
actually works with a runtime that contains systemd 247.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1912131

common/flatpak-run.c

@@ -602,6 +602,15 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap)
     flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL);
 }
 
+static void
+flatpak_run_add_resolved_args (FlatpakBwrap *bwrap)
+{
+  const char *resolved_socket = "/run/systemd/resolve/io.systemd.Resolve";
+
+  if (g_file_test (resolved_socket, G_FILE_TEST_EXISTS))
+    flatpak_bwrap_add_args (bwrap, "--bind", resolved_socket, resolved_socket, NULL);
+}
+
 static void
 flatpak_run_add_journal_args (FlatpakBwrap *bwrap)
 {
@@ -3886,6 +3895,9 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
                                          &exports, cancellable, error))
     return FALSE;
 
+  if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0)
+    flatpak_run_add_resolved_args (bwrap);
+
   flatpak_run_add_journal_args (bwrap);
   add_font_path_args (bwrap);
   add_icon_path_args (bwrap);