flatpak: clean up icon validation

Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path.

When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through.

Also introduce a test for the icon validator to prevent future breakage.

Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.

pkgs/development/libraries/flatpak/bubblewrap-paths.patch

@@ -1,15 +0,0 @@
-diff --git a/icon-validator/validate-icon.c b/icon-validator/validate-icon.c
-index 9e885070..d02eeb8c 100644
---- a/icon-validator/validate-icon.c
-+++ b/icon-validator/validate-icon.c
-@@ -156,8 +156,8 @@ rerun_in_sandbox (const char *arg_width,
-             "--unshare-ipc",
-             "--unshare-net",
-             "--unshare-pid",
--            "--ro-bind", "/usr", "/usr",
--            "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
-+            "--ro-bind", "@storeDir@", "@storeDir@",
-+            "--ro-bind", "/run/current-system", "/run/current-system",
-             "--ro-bind", validate_icon, validate_icon,
-             NULL);
- 

pkgs/development/libraries/flatpak/default.nix

@@ -13,6 +13,7 @@
 , xmlto
 , appstream-glib
 , substituteAll
+, runCommand
 , bison
 , xdg-dbus-proxy
 , p11-kit
@@ -51,7 +52,7 @@
 , makeWrapper
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "flatpak";
   version = "1.12.7";
 
@@ -59,7 +60,7 @@ stdenv.mkDerivation rec {
   outputs = [ "out" "dev" "man" "doc" "devdoc" "installedTests" ];
 
   src = fetchurl {
-    url = "https://github.com/flatpak/flatpak/releases/download/${version}/${pname}-${version}.tar.xz";
+    url = "https://github.com/flatpak/flatpak/releases/download/${finalAttrs.version}/flatpak-${finalAttrs.version}.tar.xz";
     sha256 = "sha256-bbUqUxzieCgqx+v7mfZqC7PsyvROhkhEwslcHuW6kxY="; # Taken from https://github.com/flatpak/flatpak/releases/
   };
 
@@ -80,12 +81,6 @@ stdenv.mkDerivation rec {
       p11kit = "${p11-kit.bin}/bin/p11-kit";
     })
 
-    # Adapt paths exposed to sandbox for NixOS.
-    (substituteAll {
-      src = ./bubblewrap-paths.patch;
-      inherit (builtins) storeDir;
-    })
-
     # Allow gtk-doc to find schemas using XML_CATALOG_FILES environment variable.
     # Patch taken from gtk-doc expression.
     ./respect-xml-catalog-files-var.patch
@@ -94,8 +89,9 @@ stdenv.mkDerivation rec {
     # https://github.com/NixOS/nixpkgs/issues/53441
     ./unset-env-vars.patch
 
-    # But we want the GDK_PIXBUF_MODULE_FILE from the wrapper affect the icon validator.
-    ./validate-icon-pixbuf.patch
+    # The icon validator needs to access the gdk-pixbuf loaders in the Nix store
+    # and cannot bind FHS paths since those are not available on NixOS.
+    finalAttrs.passthru.icon-validator-patch
   ];
 
   nativeBuildInputs = [
@@ -187,8 +183,18 @@ stdenv.mkDerivation rec {
   '';
 
   passthru = {
+    icon-validator-patch = substituteAll {
+      src = ./fix-icon-validation.patch;
+      inherit (builtins) storeDir;
+    };
+
     tests = {
       installedTests = nixosTests.installed-tests.flatpak;
+
+      validate-icon = runCommand "test-icon-validation" { } ''
+        ${finalAttrs.finalPackage}/libexec/flatpak-validate-icon --sandbox 512 512 ${../../../applications/audio/zynaddsubfx/ZynLogo.svg} > "$out"
+        grep format=svg "$out"
+      '';
     };
   };
 
@@ -199,4 +205,4 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ jtojnar ];
     platforms = platforms.linux;
   };
-}
+})

pkgs/development/libraries/flatpak/fix-icon-validation.patch

@@ -0,0 +1,31 @@
+--- a/icon-validator/validate-icon.c
++++ b/icon-validator/validate-icon.c
+@@ -163,7 +163,7 @@ rerun_in_sandbox (const char *arg_width,
+                   const char *arg_height,
+                   const char *filename)
+ {
+-  const char * const usrmerged_dirs[] = { "bin", "lib32", "lib64", "lib", "sbin" };
++  const char * const usrmerged_dirs[] = { };
+   int i;
+   g_autoptr(GPtrArray) args = g_ptr_array_new_with_free_func (g_free);
+   char validate_icon[PATH_MAX + 1];
+@@ -183,8 +183,7 @@ rerun_in_sandbox (const char *arg_width,
+             "--unshare-ipc",
+             "--unshare-net",
+             "--unshare-pid",
+-            "--ro-bind", "/usr", "/usr",
+-            "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
++            "--ro-bind", "@storeDir@", "@storeDir@",
+             "--ro-bind", validate_icon, validate_icon,
+             NULL);
+ 
+@@ -227,6 +226,9 @@ rerun_in_sandbox (const char *arg_width,
+     add_args (args, "--setenv", "G_MESSAGES_DEBUG", g_getenv ("G_MESSAGES_DEBUG"), NULL);
+   if (g_getenv ("G_MESSAGES_PREFIXED"))
+     add_args (args, "--setenv", "G_MESSAGES_PREFIXED", g_getenv ("G_MESSAGES_PREFIXED"), NULL);
++  if (g_getenv ("GDK_PIXBUF_MODULE_FILE"))
++    add_args (args, "--setenv", "GDK_PIXBUF_MODULE_FILE", g_getenv ("GDK_PIXBUF_MODULE_FILE"), NULL);
++
+ 
+   add_args (args, validate_icon, arg_width, arg_height, filename, NULL);
+   g_ptr_array_add (args, NULL);

pkgs/development/libraries/flatpak/validate-icon-pixbuf.patch

@@ -1,13 +0,0 @@
-diff --git a/icon-validator/validate-icon.c b/icon-validator/validate-icon.c
-index 9e885070..44fea035 100644
---- a/icon-validator/validate-icon.c
-+++ b/icon-validator/validate-icon.c
-@@ -200,6 +200,8 @@ rerun_in_sandbox (const char *arg_width,
-     add_args (args, "--setenv", "G_MESSAGES_DEBUG", g_getenv ("G_MESSAGES_DEBUG"), NULL);
-   if (g_getenv ("G_MESSAGES_PREFIXED"))
-     add_args (args, "--setenv", "G_MESSAGES_PREFIXED", g_getenv ("G_MESSAGES_PREFIXED"), NULL);
-+  if (g_getenv ("GDK_PIXBUF_MODULE_FILE"))
-+    add_args (args, "--setenv", "GDK_PIXBUF_MODULE_FILE", g_getenv ("GDK_PIXBUF_MODULE_FILE"), NULL);
- 
-   add_args (args, validate_icon, arg_width, arg_height, filename, NULL);
-   g_ptr_array_add (args, NULL);