crosvm: 104.0 -> 107.1

crosvm now includes a Cargo.lock again, so we don't need to vendor it
into Nixpkgs.

Its build system now compiles the seccomp policies into the binary, so
we don't need to build and install those ourselves any more.

pkgs/applications/virtualization/crosvm/default-seccomp-policy-dir.diff

@@ -1,15 +0,0 @@
-diff --git i/src/crosvm.rs w/src/crosvm.rs
-index ab7c466b..636dc140 100644
---- i/src/crosvm.rs
-+++ w/src/crosvm.rs
-@@ -345,7 +345,9 @@ impl Default for JailConfig {
-     fn default() -> Self {
-         JailConfig {
-             pivot_root: PathBuf::from(option_env!("DEFAULT_PIVOT_ROOT").unwrap_or("/var/empty")),
--            seccomp_policy_dir: PathBuf::from(SECCOMP_POLICY_DIR),
-+            seccomp_policy_dir: PathBuf::from(
-+                option_env!("DEFAULT_SECCOMP_POLICY_DIR").unwrap_or(SECCOMP_POLICY_DIR),
-+            ),
-             seccomp_log_failures: false,
-         }
-     }

pkgs/applications/virtualization/crosvm/default.nix

@@ -1,60 +1,56 @@
-{ stdenv, lib, rustPlatform, fetchgit
-, minijail-tools, pkg-config, protobuf, wayland-scanner
+{ stdenv, lib, rust, rustPlatform, fetchgit, fetchpatch
+, clang, pkg-config, protobuf, python3, wayland-scanner
 , libcap, libdrm, libepoxy, minijail, virglrenderer, wayland, wayland-protocols
 }:
 
 rustPlatform.buildRustPackage rec {
   pname = "crosvm";
-  version = "104.0";
+  version = "107.1";
 
   src = fetchgit {
     url = "https://chromium.googlesource.com/chromiumos/platform/crosvm";
-    rev = "265aab613b1eb31598ea0826f04810d9f010a2c6";
-    sha256 = "OzbtPHs6BWK83RZ/6eCQHA61X6SY8FoBkaN70a37pvc=";
+    rev = "5a49a836e63aa6e9ae38b80daa09a013a57bfb7f";
+    sha256 = "F+5i3R7Tbd9xF63Olnyavzg/hD+8HId1duWm8bvAmLA=";
     fetchSubmodules = true;
   };
 
   separateDebugInfo = true;
 
   patches = [
-    ./default-seccomp-policy-dir.diff
+    # Backport seccomp sandbox update for recent Glibc.
+    # fetchpatch is not currently gerrit/gitiles-compatible, so we
+    # have to use the mirror.
+    # https://github.com/NixOS/nixpkgs/pull/133604
+    (fetchpatch {
+      url = "https://github.com/google/crosvm/commit/aae01416807e7c15270b3d44162610bcd73952ff.patch";
+      sha256 = "nQuOMOwBu8QvfwDSuTz64SQhr2dF9qXt2NarbIU55tU=";
+    })
   ];
 
-  cargoLock.lockFile = ./Cargo.lock;
+  cargoSha256 = "1jg9x5adz1lbqdwnzld4xg4igzmh90nd9xm287cgkvh5fbmsjfjv";
 
-  nativeBuildInputs = [ minijail-tools pkg-config protobuf wayland-scanner ];
+  nativeBuildInputs = [ clang pkg-config protobuf python3 wayland-scanner ];
 
   buildInputs = [
     libcap libdrm libepoxy minijail virglrenderer wayland wayland-protocols
   ];
 
-  arch = stdenv.hostPlatform.parsed.cpu.name;
-
-  postPatch = ''
-    cp ${cargoLock.lockFile} Cargo.lock
-    sed -i "s|/usr/share/policy/crosvm/|$PWD/seccomp/$arch/|g" \
-        seccomp/$arch/*.policy
+  preConfigure = ''
+    patchShebangs third_party/minijail/tools/*.py
+    substituteInPlace build.rs --replace '"clang"' '"${stdenv.cc.targetPrefix}clang"'
   '';
 
-  preBuild = ''
-    export DEFAULT_SECCOMP_POLICY_DIR=$out/share/policy
+  "CARGO_TARGET_${lib.toUpper (builtins.replaceStrings ["-"] ["_"] (rust.toRustTarget stdenv.hostPlatform))}_LINKER" =
+    "${stdenv.cc.targetPrefix}cc";
 
-    for policy in seccomp/$arch/*.policy; do
-        compile_seccomp_policy \
-            --default-action trap $policy ''${policy%.policy}.bpf
-    done
-
-    substituteInPlace seccomp/$arch/*.policy \
-      --replace "@include $(pwd)/seccomp/$arch/" "@include $out/share/policy/"
-  '';
+  # crosvm mistakenly expects the stable protocols to be in the root
+  # of the pkgdatadir path, rather than under the "stable"
+  # subdirectory.
+  PKG_CONFIG_WAYLAND_PROTOCOLS_PKGDATADIR =
+    "${wayland-protocols}/share/wayland-protocols/stable";
 
   buildFeatures = [ "default" "virgl_renderer" "virgl_renderer_next" ];
 
-  postInstall = ''
-    mkdir -p $out/share/policy/
-    cp -v seccomp/$arch/*.{policy,bpf} $out/share/policy/
-  '';
-
   passthru.updateScript = ./update.py;
 
   meta = with lib; {