viber: wrap with bubblewrap to disable $HOME access

packages/viber/default.nix

@@ -3,6 +3,9 @@
   brotli,
   cups,
   curl,
+  bubblewrap,
+  bash,
+  writeShellScriptBin,
   dbus,
   dpkg,
   expat,
@@ -112,7 +115,16 @@ stdenv.mkDerivation {
     xorg.libxkbfile
   ];
 
-  installPhase = ''
+  installPhase = let
+    viberWrap = writeShellScriptBin "viberWrap" ''
+      ${bubblewrap}/bin/bwrap --bind / / \
+      --dev /dev \
+      --tmpfs $HOME \
+      --bind  $HOME/.ViberPC/ $HOME/.ViberPC \
+      --bind  $HOME/Downloads/ $HOME/Downloads \
+      $@
+    '';
+  in ''
     dpkg-deb -x $src $out
     mkdir -p $out/bin
 
@@ -130,7 +142,10 @@ stdenv.mkDerivation {
       --set QT_XKB_CONFIG_ROOT "${xorg.xkeyboardconfig}/share/X11/xkb" \
       --set QTCOMPOSE "${xorg.libX11.out}/share/X11/locale" \
       --set QML2_IMPORT_PATH "$out/opt/viber/qml"
-    ln -s $out/opt/viber/Viber $out/bin/viber
+
+    echo "#!${bash}/bin/bash" > $out/bin/viber
+    echo "${viberWrap}/bin/viberWrap $out/opt/viber/Viber" >> $out/bin/viber
+    chmod +x $out/bin/viber
 
     mv $out/usr/share $out/share
     rm -rf $out/usr
@@ -140,7 +155,6 @@ stdenv.mkDerivation {
       --replace /opt/viber/Viber $out/opt/viber/Viber \
       --replace /usr/share/ $out/share/
   '';
-
   dontStrip = true;
   dontPatchELF = true;