uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948
this can do it nicely.

Signed-off-by: Anton Arapov <anton@deadbeef.mx>

pkgs/os-specific/linux/firejail/default.nix

@@ -0,0 +1,109 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, pkg-config
+, libapparmor
+, which
+, xdg-dbus-proxy
+, nixosTests
+}:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.68";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libapparmor
+    which
+  ];
+
+  configureFlags = [
+    "--enable-apparmor"
+  ];
+
+  patches = [
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
+
+    # NixOS specific whitelist to resolve binary paths in user environment
+    # Fixes https://github.com/NixOS/nixpkgs/issues/170784
+    # Upstream fix https://github.com/netblue30/firejail/pull/5131
+    # Upstream hopefully fixed in later versions > 0.9.68
+   ./whitelist-nix-profile.patch
+
+    # Fix OpenGL support for various applications including Firefox
+    # Issue: https://github.com/NixOS/nixpkgs/issues/55191
+    # Upstream fix: https://github.com/netblue30/firejail/pull/5132
+    # Hopefully fixed upstream in version > 0.9.68
+    ./fix-opengl-support.patch
+  ];
+
+  prePatch = ''
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
+  '';
+
+  preConfigure = ''
+    sed -e 's@/bin/bash@${stdenv.shell}@g' -i $( grep -lr /bin/bash .)
+    sed -e "s@/bin/cp@$(which cp)@g" -i $( grep -lr /bin/cp .)
+  '';
+
+  preBuild = ''
+    sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
+  '';
+
+  # The profile files provided with the firejail distribution include `.local`
+  # profile files using relative paths. The way firejail works when it comes to
+  # handling includes is by looking target files up in `~/.config/firejail`
+  # first, and then trying `SYSCONFDIR`. The latter normally points to
+  # `/etc/filejail`, but in the case of nixos points to the nix store. This
+  # makes it effectively impossible to place any profile files in
+  # `/etc/firejail`.
+  #
+  # The workaround applied below is by creating a set of `.local` files which
+  # only contain respective includes to `/etc/firejail`. This way
+  # `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
+  # be searched in second order. This replicates the behaviour from
+  # non-nixos platforms.
+  #
+  # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
+  # for the profile file lookup implementation.
+  postInstall = ''
+    for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*{.inc,.profile} | awk '{print $2}' | sort | uniq)
+    do
+      echo "include /etc/firejail/$local" >$out/etc/firejail/$local
+    done
+  '';
+
+  # At high parallelism, the build sometimes fails with:
+  # bash: src/fsec-optimize/fsec-optimize: No such file or directory
+  enableParallelBuilding = false;
+
+  passthru.tests = nixosTests.firejail;
+
+  meta = {
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
+    homepage = "https://firejail.wordpress.com/";
+  };
+}

pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch

@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -48,7 +48,7 @@
+ 	// build command
+ 	char *cmd[len];
+ 	unsigned curr_len = 0;
+-	cmd[curr_len++] = BINDIR "/firejail";
++	cmd[curr_len++] = "firejail";
+ 	cmd[curr_len++] = "--quiet";
+ 	cmd[curr_len++] = "--noprofile";
+ 	cmd[curr_len++] = "--caps.drop=all";

pkgs/os-specific/linux/firejail/fix-opengl-support.patch

@@ -0,0 +1,7 @@
+--- a/etc/inc/whitelist-run-common.inc.org	2022-05-07 11:27:32.264849186 +0200
++++ b/etc/inc/whitelist-run-common.inc	2022-05-07 11:27:55.577778211 +0200
+@@ -13,3 +13,4 @@
+ whitelist /run/systemd/resolve/resolv.conf
+ whitelist /run/systemd/resolve/stub-resolv.conf
+ whitelist /run/udev/data
++whitelist /run/opengl-driver	# NixOS

pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch

@@ -0,0 +1,27 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
++	// mount-bind /nix
++	if (arg_debug)
++		printf("Mounting /nix\n");
++	char *nix;
++	if (asprintf(&nix, "%s/nix", oroot) == -1)
++		errExit("asprintf");
++	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++		errExit("mounting /nix");
++	fs_logger("whitelist /nix");
++
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -384,6 +394,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
++	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }

pkgs/os-specific/linux/firejail/whitelist-nix-profile.patch

@@ -0,0 +1,9 @@
+--- a/etc/inc/whitelist-common.inc.org	2022-05-06 13:57:17.294206339 +0200
++++ b/etc/inc/whitelist-common.inc	2022-05-06 13:58:00.108655548 +0200
+@@ -83,3 +83,6 @@
+ whitelist ${HOME}/.kde4/share/config/oxygenrc
+ whitelist ${HOME}/.kde4/share/icons
+ whitelist ${HOME}/.local/share/qt5ct
++
++# NixOS specific to resolve binary paths
++whitelist ${HOME}/.nix-profile