authorJan Tojnar <jtojnar@gmail.com>2022-11-14 19:45:40 +0100
committergithub-actions[bot] <github-actions[bot]@users.noreply.github.com>2022-11-30 17:11:29 +0000
commit4ac359d9242223d03b5632edd16d04cf5a21e387 (patch)
tree2168ef55811961e502b83ecbd10dabeb359ef88a
parentMerge pull request #203762 from NixOS/backport-202729-to-release-22.11 (diff)
webkitgtk: Bind NixOS directories to sandbox last
Since https://github.com/WebKit/WebKit/commit/31ac354cbeecf866f9a38f7b2f8f59f7975d3f6a, bubblewrap gets called the following way on a NixOS system, when it has `share/fonts` in `environment.pathsToLink`: $ bwrap --ro-bind /nix/store /nix/store --ro-bind /run/current-system /run/current-system --ro-bind-try /run/current-system/sw/share/fonts /run/current-system/sw/share/fonts -- $(realpath $(which true)) bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory It fails because `/run/current-system/sw` is a symlink, so bubblewrap is not able to add another mountpoint inside it. Ideally, we would remove the `/run/current-system/sw` bind mount and mount only the specific subdirectories we need, like the fonts. Unfortunately, it is not clear what else is needed. For example, in the past, Pipewire’s Jack module was loaded from `/run/current-system/sw/lib` https://github.com/NixOS/nixpkgs/commit/756e60344fd83427148d8acf416c63573404a2e9 So, for now, let’s keep the bind mount and move the binding of NixOS directories to the end. Adding bindings starting at the leaves and moving towards the root should be fine. While at it, let’s also make the binding of `/run/current-system` conditional, since it will not be available outside of NixOS. Fixes: https://github.com/NixOS/nixpkgs/issues/197085 (cherry picked from commit f930ba6aba43853d1f1733a9718585c6c80d890d)
-rw-r--r--pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch29
1 files changed, 15 insertions, 14 deletions
diff --git a/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch b/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
index d502958f4f1a..9be2d74af1bd 100644
--- a/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
+++ b/pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch
@@ -1,16 +1,17 @@
-diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
---- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-09 04:47:07.000000000 -0400
-+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp 2019-09-20 21:14:10.537921173 -0400
-@@ -724,6 +724,12 @@
- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index 0a201fe176..fa3690c12a 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -819,6 +819,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+ sandboxArgs.append("--unshare-ipc");
+ }
- "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
++ // Nix Directories
++ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind", "@storeDir@", "@storeDir@" }));
++ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "/run/current-system", "/run/current-system" }));
++ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "@driverLink@/lib", "@driverLink@/lib" }));
++ sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "@driverLink@/share", "@driverLink@/share" }));
+
-+ // Nix Directories
-+ "--ro-bind", "@storeDir@", "@storeDir@",
-+ "--ro-bind", "/run/current-system", "/run/current-system",
-+ "--ro-bind-try", "@driverLink@/lib", "@driverLink@/lib",
-+ "--ro-bind-try", "@driverLink@/share", "@driverLink@/share",
- };
- // We would have to parse ld config files for more info.
- bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
+ #if ENABLE(DEVELOPER_MODE)
+ const char* execDirectory = g_getenv("WEBKIT_EXEC_PATH");
+ if (execDirectory) {