Merge the two patches and prevent symlinking `/usr` subdirs and binding `/run/current-system` paths. The `wrapGAppsHook` already sets the `GDK_PIXBUF_MODULE_FILE` environment variable pointing to a hermetic store path.
When we re-exec the wrapped program (obtained from `/proc/self/exe`) in a sandbox, we need to pass the environment variable through.
Also introduce a test for the icon validator to prevent future breakage.
Expose the patch in passthru so that we can re-use it in xdg-desktop-portal.
