webkitgtk: Bind NixOS directories to sandbox last

Since WebKit/WebKit@31ac354,
bubblewrap gets called the following way on NixOS system,
when it has `share/fonts` in `environment.pathsToLink`:

    $ bwrap --ro-bind /nix/store /nix/store --ro-bind /run/current-system /run/current-system --ro-bind-try /run/current-system/sw/share/fonts /run/current-system/sw/share/fonts -- $(realpath $(which true))
    bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory

It fails because `/run/current-system/sw` is a symlink
so bubblewrap is not be able to add another mountpoint inside.

Ideally, we would remove the `/run/current-system/sw` bind mount
and mount only specific subdirectories we need, like the fonts.
Unfortunately, it is not clear what else is needed. For example,
in the past, Pipewire’s Jack module was loaded from `/run/current-system/sw/lib`
756e603

So, for now, let’s keep the and mount and move the binding of NixOS directories
to the end. Adding bindings starting at leaves and moving to root should be fine.

While at it, let’s also make the binding of `/run/current-system` conditional
since it will not be available outside of NixOS.

Fixes: #197085

pkgs/development/libraries/webkitgtk/fix-bubblewrap-paths.patch

@@ -1,16 +1,17 @@
-diff -ru old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
---- old/webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-09 04:47:07.000000000 -0400
-+++ webkitgtk-2.26.0/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2019-09-20 21:14:10.537921173 -0400
-@@ -724,6 +724,12 @@
-         "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index 0a201fe176..fa3690c12a 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -819,6 +819,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+         sandboxArgs.append("--unshare-ipc");
+     }
 
-         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
++    // Nix Directories
++    sandboxArgs.appendVector(Vector<CString>({ "--ro-bind", "@storeDir@", "@storeDir@" }));
++    sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "/run/current-system", "/run/current-system" }));
++    sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "@driverLink@/lib", "@driverLink@/lib" }));
++    sandboxArgs.appendVector(Vector<CString>({ "--ro-bind-try", "@driverLink@/share", "@driverLink@/share" }));
 +
-+        // Nix Directories
-+        "--ro-bind", "@storeDir@", "@storeDir@",
-+        "--ro-bind", "/run/current-system", "/run/current-system",
-+        "--ro-bind-try", "@driverLink@/lib", "@driverLink@/lib",
-+        "--ro-bind-try", "@driverLink@/share", "@driverLink@/share",
-     };
-     // We would have to parse ld config files for more info.
-     bindPathVar(sandboxArgs, "LD_LIBRARY_PATH");
+ #if ENABLE(DEVELOPER_MODE)
+     const char* execDirectory = g_getenv("WEBKIT_EXEC_PATH");
+     if (execDirectory) {