sanebox: don't assume 'readlink' is available in the environment

pkgs/additional/sanebox/default.nix

@@ -31,6 +31,7 @@ stdenv.mkDerivation {
       --replace-fail '@iptables@' '${lib.getExe' iptables "iptables"}' \
       --replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \
       --replace-fail '@pasta@' '${lib.getExe' passt "pasta"}' \
+      --replace-fail '@readlink@' '${lib.getExe' coreutils "readlink"}' \
 
     runHook postBuild
   '';

pkgs/additional/sanebox/sanebox

@@ -9,6 +9,7 @@ IP_FALLBACK='@ip@'
 IPTABLES_FALLBACK='@iptables@'
 LANDLOCK_SANDBOXER_FALLBACK='@landlockSandboxer@'
 PASTA_FALLBACK='@pasta@'
+READLINK_FALLBACK='@readlink@'
 
 
 ## EARLY DEBUG HOOKS
@@ -316,7 +317,8 @@ readlinkOnce() {
     linkTarget=${linkCache[$path]}
   elif [ -L "$path" ]; then
     # path is a link, but not in the cache
-    linkTarget=$(readlink "$path")
+    locate _readlink "readlink" "$READLINK_FALLBACK"
+    linkTarget=$("$_readlink" "$path")
     # insert it into the cache, in case we traverse it again
     linkCache[$path]=$linkTarget
   else