checkSandboxed: fix so that cross-built scripts can be checked again

How did this work before? Does lappy have binfmt enabled?
This commit is contained in:
Colin 2024-06-01 13:24:41 +00:00
parent d8d11de9bc
commit 36f4fa3018


@ -1,5 +1,8 @@
{ lib
, stdenv
, buildPackages
, file
, gnugrep
, runCommandLocal
, runtimeShell
, sanebox
@ -230,7 +233,7 @@ let
};
passthru = (prevAttrs.passthru or {}) // extraPassthru // {
checkSandboxed = runCommandLocal "${pkgName}-check-sandboxed" {
nativeBuildInputs = [ sanebox ];
nativeBuildInputs = [ file gnugrep sanebox ];
buildInputs = builtins.map (out: finalAttrs.finalPackage."${out}") (finalAttrs.outputs or [ "out" ]);
} ''
set -e
@ -243,7 +246,12 @@ let
echo "checking if $dir/$binname is sandboxed"
# XXX: call by full path because some binaries (e.g. util-linux) would otherwise
# be shadowed by things the nix builder implicitly puts on PATH.
"$dir/$binname" --sanebox-replace-cli echo "printing for test" \
# additionally, call via qemu and manually specify the interpreter *if the file has one*.
# if the file doesn't have an interpreter, assume it's directly invokable by qemu (hence, the intentional lack of quotes around `interpreter`)
set -x
local realbin="$(realpath $dir/$binname)"
local interpreter=$(file "$realbin" | grep --only-matching "a /nix/.* script" | cut -d" " -f2 || echo "")
${stdenv.hostPlatform.emulator buildPackages} $interpreter "$dir/$binname" --sanebox-replace-cli echo "printing for test" \
| grep "printing for test"
_numExec=$(( $_numExec + 1 ))
}
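Review bot: The new `local realbin="$(realpath $dir/$binname)"` line defeats the `set -e` at the top of the script, because `local` reports its own (successful) status rather than the command substitution's, so a dangling symlink silently leaves `$realbin` empty, `file ""` yields no match, and the check only fails later at the emulator call with a misleading error; the same applies to the `local interpreter=...` line, where the trailing `|| echo ""` is also dead since the pipeline's status is that of `cut`, which succeeds on empty input. Declare and assign separately, and quote the path so names with spaces survive: `local realbin; realbin="$(realpath "$dir/$binname")"` and `local interpreter; interpreter="$(file "$realbin" | grep --only-matching "a /nix/.* script" | cut -d" " -f2)"`. Note that `cut -d" " -f2` keeps only the first word of the shebang, so a script whose interpreter line carries arguments (e.g. `env -S ...`) would presumably be run without them — worth a comment or a check if such wrappers exist in this tree. The `set -x` looks like leftover debugging; if it is meant to stay, a one-line comment saying the trace is intentional for build-log diagnostics would help. The enclosing shell function starts before this hunk and the Nix string it lives in continues past it.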