gnome3.gnome_desktop: fix sandboxing

pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch

@@ -0,0 +1,19 @@
+--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
++++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
+@@ -504,14 +504,10 @@
+   g_return_val_if_fail (script->s_infile != NULL, FALSE);
+ 
+   add_args (array,
+-	    "bwrap",
+-	    "--ro-bind", "/usr", "/usr",
+-	    "--ro-bind", "/lib", "/lib",
+-	    "--ro-bind", "/lib64", "/lib64",
++	    "@BUBBLEWRAP_BIN@",
++      "--ro-bind", "/nix/store", "/nix/store",
+ 	    "--proc", "/proc",
+ 	    "--dev", "/dev",
+-	    "--symlink", "usr/bin", "/bin",
+-	    "--symlink", "usr/sbin", "/sbin",
+ 	    "--chdir", "/",
+ 	    "--setenv", "GIO_USE_VFS", "local",
+ 	    "--unshare-all",

pkgs/desktops/gnome-3/core/gnome-desktop/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pkgconfig, python, libxml2Python, libxslt, which, libX11, gnome3, gtk3, glib
 , intltool, gnome_doc_utils, libxkbfile, xkeyboard_config, isocodes, itstool, wayland
-, libseccomp, gobjectIntrospection }:
+, libseccomp, bubblewrap, gobjectIntrospection }:
 
 stdenv.mkDerivation rec {
   inherit (import ./src.nix fetchurl) name src;
@@ -13,12 +13,21 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [
     pkgconfig which itstool intltool libxslt gnome_doc_utils gobjectIntrospection
   ];
-  buildInputs = [ python libxml2Python libX11
+  buildInputs = [ python libxml2Python libX11 bubblewrap
                   xkeyboard_config isocodes wayland
                   gtk3 glib libxkbfile libseccomp ];
 
   propagatedBuildInputs = [ gnome3.gsettings_desktop_schemas ];
 
+  patches = [
+    ./bubblewrap-paths.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace libgnome-desktop/gnome-desktop-thumbnail-script.c --subst-var-by \
+      BUBBLEWRAP_BIN "${bubblewrap}/bin/bwrap"
+  '';
+
   meta = with stdenv.lib; {
     platforms = platforms.linux;
     maintainers = gnome3.maintainers;