Fix the access of symlinks to host files in the sandbox

https://github.com/NixOS/nix/pull/10456 fixed the addition of symlink
store paths to the sandbox, but also made it so that the hardcoded
sandbox paths (like `/etc/hosts`) were now bind-mounted without
following the possible symlinks. This made these files unreadable if
there were symlinks (because the sandbox would now contain a symlink to
an unreachable file rather than the underlying file).
In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a
symlink there.

Fix that by canonicalizing all these hardcoded sandbox paths before
adding them to the sandbox.

(cherry picked from commit acbb1523c1)

tests/functional/linux-sandbox.sh

@@ -60,7 +60,11 @@ testCert () {
 
 nocert=$TEST_ROOT/no-cert-file.pem
 cert=$TEST_ROOT/some-cert-file.pem
+symlinkcert=$TEST_ROOT/symlink-cert-file.pem
+symlinkDir=$TEST_ROOT/symlink-dir
 echo -n "CERT_CONTENT" > $cert
+ln -s $cert $symlinkcert
+ln -s $TEST_ROOT $symlinkDir
 
 # No cert in sandbox when not a fixed-output derivation
 testCert missing normal       "$cert"
@@ -74,5 +78,13 @@ testCert missing fixed-output "$nocert"
 # Cert in sandbox when ssl-cert-file is set to an existing file
 testCert present fixed-output "$cert"
 
+# Cert in sandbox when ssl-cert-file is set to a symlink to an existing file
+testCert present fixed-output "$symlinkcert"
+
 # Symlinks should be added in the sandbox directly and not followed
-nix-sandbox-build symlink-derivation.nix
+nix-sandbox-build symlink-derivation.nix -A depends_on_symlink
+nix-sandbox-build symlink-derivation.nix -A test_sandbox_paths \
+    --option extra-sandbox-paths "/file=$cert" \
+    --option extra-sandbox-paths "/dir=$TEST_ROOT" \
+    --option extra-sandbox-paths "/symlinkDir=$symlinkDir" \
+    --option extra-sandbox-paths "/symlink=$symlinkcert"