From 5e3c2636db5ee7c59582bcd1d04c9dc506e122a2 Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 2 Feb 2024 22:38:36 +0000
Subject: [PATCH] programs: make-sandboxed: handle packages which use relative links in bin (like spotify)
---
modules/programs/make-sandboxed.nix | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index e7392ab2..99ea8fca 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -95,7 +95,14 @@ let
 # they work as expected without any special hacks.
 # if desired, makeWrapper-style naming could be achieved by leveraging `exec -a `.
 mkdir -p "$out/bin/.sandboxed"
- mv "$out/bin/$_name" "$out/bin/.sandboxed/"
+ if [[ "$(readlink $out/bin/$_name)" =~ ^\.\./ ]]; then
+ # relative links which ascend a directory (into a non-bin/ directory)
+ # won't point to the right place if we naively move them
+ ln -s "../$(readlink $out/bin/$_name)" "$out/bin/.sandboxed/$_name"
+ rm "$out/bin/$_name"
+ else
+ mv "$out/bin/$_name" "$out/bin/.sandboxed/"
+ fi
 cat <> "$out/bin/$_name"
 #!${runtimeShell}
 exec ${sane-sandboxed'} \
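Review bot: The two `readlink $out/bin/$_name` calls in the new `if` branch are unquoted inside the command substitution and read the link twice; capture it once with `_target="$(readlink "$out/bin/$_name")"` and reuse it in the `=~` test and in `ln -s "../$_target" "$out/bin/.sandboxed/$_name"`. The `^\.\./` test also leaves every other relative target (a sibling name in `bin/`, or a `./../…` spelling) on the plain `mv` path, where it resolves relative to `bin/.sandboxed/` after the move; that may be intended for siblings, but the comment does not say so. Since this wrapper is what places the program behind the sandbox, a build-time check after the `fi` such as `[[ -e "$out/bin/.sandboxed/$_name" ]] || exit 1` would turn a dangling link into a build failure rather than a launcher that breaks at run time. The enclosing shell snippet starts and ends outside the hunk.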