only unshare: Teach it not to unshare some bits

e.g.

	slapns -U/tmp:/run

will not unshare /tmp and /run from its parent namespace.

slapns.py

@@ -139,8 +139,11 @@ def idmap_trysetup_viashadow(kind, pid):
 def main():
     slappart = sys.argv[1]
 
-    unshareonly = (slappart == "-U")
+    unshareonly = slappart.startswith("-U")
+    share = set([])  # of path that not to unshare
     if unshareonly:
+        _ = slappart[2:]    # -U/tmp:/run -> /tmp:/run
+        share = set(_.split(":"))
         slappart = ""
     if not unshareonly:
         # create directories inside container
@@ -152,6 +155,12 @@ def main():
         for _ in dirv:
             mkdir_p(slappart + _)
 
+    # xmount mounts source to slappart/target
+    def xmount(source, target, fs):
+        if target in share:
+            return  # user asked us not to unshare this
+        mount(source, slappart + target, fs)
+
     # find out my uid/gid
     uid = os.getuid()
     gid = os.getgid()
@@ -209,11 +218,11 @@ def main():
 
 
     # mount new tmpfs'es
-    mount("none", slappart + "/tmp", "tmpfs")
-    mount("none", slappart + "/run", "tmpfs")
+    xmount("none", "/tmp", "tmpfs")
+    xmount("none", "/run", "tmpfs")
 
     # separate instance for pseudo terminals
-    mount("none", slappart + "/dev/pts", "devpts")
+    xmount("none", "/dev/pts", "devpts")
 
     if not unshareonly:
         # read-only bind mount bin, lib, ... from SR
@@ -236,8 +245,8 @@ def main():
         sys.exit(st >> 8)   # st = (exit << 8) | signal
 
     # child
-    mount("none", slappart + "/proc", "proc")
-    mount("none", slappart + "/sys", "sysfs")
+    xmount("none", "/proc", "proc")
+    xmount("none", "/sys", "sysfs")
 
     # TODO setup networking
     os.system("/sbin/ifconfig lo 127.0.0.1")    # XXX at least loopback works