Disable private mounts in chroot'ed operation in the unshare plugin

mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) inside a chroot
fails with EINVAL. Apparently this is because "/" inside the chroot
is not (necessarily) an actual mount point and ... then it starts
getting more complicated. It should be possible to handle but
not something we want to attempt just before a release candidate.

Related: rpm-software-management#3187

docs/man/rpm-plugin-unshare.8.md

@@ -28,6 +28,8 @@ This plugin implements the following configurables:
     insecure temporary file usage inside scriptlets, and `/home` to
     prevent scriptlets from accessing user home directories.
 
+    Private mounts in chroot-operations is unimplemented.
+
 `%__transaction_unshare_nonet`
 
 :   Non-zero value disables network access during scriptlet execution.

plugins/unshare.c

@@ -19,8 +19,14 @@ static rpmRC unshare_init(rpmPlugin plugin, rpmts ts)
 {
     char *paths = rpmExpand("%{?__transaction_unshare_paths}", NULL);
     private_mounts = argvSplitString(paths, ":", ARGV_SKIPEMPTY);
-    if (private_mounts)
-	unshare_flags |= CLONE_NEWNS;
+    if (private_mounts) {
+	/* Remounting "/" inside chroot fails with EINVAL */
+	if (strcmp(rpmtsRootDir(ts), "/")) {
+	    rpmlog(RPMLOG_WARNING, "private mounts in chroot not implemented");
+	} else {
+	    unshare_flags |= CLONE_NEWNS;
+	}
+    }
     free(paths);
 
     if (rpmExpandNumeric("%{?__transaction_unshare_nonet}"))
@@ -47,7 +53,7 @@ static rpmRC unshare_scriptlet_fork_post(rpmPlugin plugin,
 	goto exit;
     }
 
-    if (private_mounts) {
+    if (unshare_flags & CLONE_NEWNS) {
 	if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
 	    rpmlog(RPMLOG_ERR, _("failed to mount private %s: %s\n"),
 		    "/", strerror(errno));