guix/gnu/packages/patches/glycin-sandbox-Adapt-bwrap-invocation.patch

From 628066901e473c185da6f0aaf26ee826d2b4bd31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9=20Lopez?= <noelopez@free.fr>
Date: Tue, 14 Oct 2025 22:20:42 +0200
Subject: [PATCH] glycin/sandbox: Adapt bwrap invocation to Guix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Firstly, we use @bwrap@ so that we can substitute it with an absolute
path to the bwrap binary.

Next, we change the /usr bind to be optional since there can be no
/usr in a Guix system (especially in the build daemon).

Lastly, we add /gnu/store. I don’t think this is needed, but it is the
upstream author’s wish with adding /nix/store. See also
<https://gitlab.gnome.org/GNOME/glycin/-/issues/224>.

Upstream-status: Not applicable.
---
 glycin/src/sandbox.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/glycin/src/sandbox.rs b/glycin/src/sandbox.rs
index 916a8f0..350ece3 100644
--- a/glycin/src/sandbox.rs
+++ b/glycin/src/sandbox.rs
@@ -271,7 +271,7 @@ impl Sandbox {
     }
 
     async fn bwrap_command(&self, seccomp_memfd: &Memfd) -> Result<Command, Error> {
-        let mut command = Command::new("bwrap");
+        let mut command = Command::new("@bwrap@");
 
         command.args([
             "--unshare-all",
@@ -280,7 +280,7 @@ impl Sandbox {
             "--chdir",
             "/",
             // Make /usr available as read only
-            "--ro-bind",
+            "--ro-bind-try",
             "/usr",
             "/usr",
             // Make tmpfs dev available
@@ -294,6 +294,10 @@ impl Sandbox {
             "--ro-bind-try",
             "/nix/store",
             "/nix/store",
+            // Add /gnu/store on systems with Guix
+            "--ro-bind-try",
+            "@storedir@",
+            "@storedir@",
             // Create a fake HOME for glib to not throw warnings
             "--tmpfs",
             "/tmp-home",
-- 
2.51.0