Add that /var/run or subpaths cannot be exposed when symlinked on host

Flatpak internally sets up a /var/run to /run symlink https://github.com/flatpak/flatpak/blob/fd1b7e444016d1b44bdab7cb5642b0ac83bd4b9e/common/flatpak-run.c#L2281. If it is symlinked on host too, when using
`--filesystem=var/run/subpath` bwrap gets called twice to
create the same symlink and the second one will fail.

See also containers/bubblewrap@4109d59

Author: bbhtt

docs/sandbox-permissions.rst

@@ -222,7 +222,8 @@ to them with ``--filesystem`` will have no effect::
 
 The entire ``/run`` is not allowed and all subpaths of ``/run`` except
 ``/run/flatpak, /run/host`` is allowed to be exposed via
-``--filesystem``.
+``--filesystem``. Additionally, if ``/var/run`` on host is a symlink to
+``../run``, exposing it or a subpath of it, is not allowed.
 
 Additionally the following directories from host need to be explicitly
 requested with ``--filesystem`` and are not available with