nixos/systemd-stage-1: Use chroot-realpath

nixos/modules/system/boot/systemd/initrd.nix

@@ -482,6 +482,9 @@ in {
 
         # so NSS can look up usernames
         "${pkgs.glibc}/lib/libnss_files.so.2"
+
+        # Resolving sysroot symlinks without code exec
+        "${pkgs.chroot-realpath}/bin/chroot-realpath"
       ] ++ optionals cfg.package.withCryptsetup [
         # fido2 support
         "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
@@ -522,7 +525,7 @@ in {
 
         script = /* bash */ ''
           set -uo pipefail
-          export PATH="/bin:${cfg.package.util-linux}/bin"
+          export PATH="/bin:${cfg.package.util-linux}/bin:${pkgs.chroot-realpath}/bin"
 
           # Figure out what closure to boot
           closure=
@@ -543,7 +546,7 @@ in {
 
           # Resolve symlinks in the init parameter. We need this for some boot loaders
           # (e.g. boot.loader.generationsDir).
-          closure="$(chroot /sysroot ${pkgs.coreutils}/bin/realpath "$closure")"
+          closure="$(chroot-realpath /sysroot "$closure")"
 
           # Assume the directory containing the init script is the closure.
           closure="$(dirname "$closure")"

nixos/modules/system/etc/etc-activation.nix

@@ -139,10 +139,10 @@
 
                 closure="$(realpath /nixos-closure)"
 
-                metadata_image="$(chroot /sysroot ${lib.getExe' pkgs.coreutils "realpath"} "$closure/etc-metadata-image")"
+                metadata_image="$(${pkgs.chroot-realpath}/bin/chroot-realpath /sysroot "$closure/etc-metadata-image")"
                 ln -s "/sysroot$metadata_image" /etc-metadata-image
 
-                basedir="$(chroot /sysroot ${lib.getExe' pkgs.coreutils "realpath"} "$closure/etc-basedir")"
+                basedir="$(${pkgs.chroot-realpath}/bin/chroot-realpath /sysroot "$closure/etc-basedir")"
                 ln -s "/sysroot$basedir" /etc-basedir
               '';
             };