stdenv/patchelf hook: filter any RPATHs outside $NIX_STORE #247478

Draft
vcunat wants to merge 1 commit into NixOS:staging from vcunat:p/patchelf-filter-rpaths


@vcunat vcunat commented Aug 6, 2023

I can't imagine any use case for keeping such RPATHs by default, and at least our sandboxed builds on Linux would complain:
RPATH of binary /nix/store/FOO contains a forbidden reference to /build/

It's not rare that individual nix expressions had to work around such unwanted references to build dirs, e.g. see commit 3af97fc or lots of "-DCMAKE_SKIP_BUILD_RPATH=ON" (and probably more I've missed)

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

I can't imagine any use case for keeping such RPATHs by default,
and at least our sandboxed builds on Linux would complain:
 RPATH of binary /nix/store/FOO contains a forbidden reference to /build/

It's not rare that individual nix expressions had to work around such
unwanted references to build dirs, e.g. see commit 3af97fc or
lots of "-DCMAKE_SKIP_BUILD_RPATH=ON" (and probably more I've missed)
@vcunat vcunat added the 6.topic: stdenv Standard environment label Aug 6, 2023
@github-actions github-actions bot removed the 6.topic: stdenv Standard environment label Aug 6, 2023

vcunat commented Aug 6, 2023

So far I'm opening just to get initial feedback. I haven't done any testing yet, etc.

I can imagine conditioning this like "${IN_NIX_SHELL:-}" != "impure", for example.

@vcunat vcunat added the 6.topic: stdenv Standard environment label Aug 11, 2023
@Artturin Artturin self-requested a review August 28, 2023 16:05
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 19, 2024
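
The filtering idea discussed in this PR, as an added example that is not the PR's code or the nixpkgs hook: a hypothetical `filter_rpath` helper (its name, arguments and the sample paths are assumptions) drops every colon-separated RPATH entry that does not lie inside the store directory, and leaves the RPATH alone when IN_NIX_SHELL is "impure", the condition floated in the thread. It goes slightly beyond a plain prefix test by rejecting look-alike prefixes and entries that leave the store through "..".

```sh
# Added example: pure string filter, does not call patchelf or touch any binary.
# Usage: filter_rpath <colon-separated RPATH> [store dir]
# Prints the RPATH with every entry outside the store directory removed.
filter_rpath() {
    local rest store kept entry
    rest=$1
    store=${2:-${NIX_STORE:-/nix/store}}
    store=${store%/}        # normalise: no trailing slash
    kept=

    # Condition floated in the thread: do not filter in an impure nix-shell.
    if [ "${IN_NIX_SHELL:-}" = "impure" ]; then
        printf '%s\n' "$1"
        return 0
    fi

    while [ -n "$rest" ]; do
        entry=${rest%%:*}               # text up to the first colon
        case $rest in
            *:*) rest=${rest#*:} ;;     # drop that entry and its colon
            *)   rest= ;;               # last entry consumed
        esac
        case $entry/ in
            # Would resolve outside the store even though the prefix matches.
            */../*) continue ;;
            # Match "$store/" plus at least one character, so /nix/store-evil/...
            # does not pass as a store path.
            "$store"/?*) kept=${kept:+$kept:}$entry ;;
            # Everything else (/build/..., /tmp/..., $ORIGIN, relative or
            # empty entries) is dropped.
        esac
    done
    printf '%s\n' "$kept"
}

# Constructed sample RPATH; the store paths are placeholders, not real hashes.
sample='/build/src/lib:/nix/store/aaa-glibc/lib:/nix/store-evil/lib'
filter_rpath "$sample" /nix/store
```

The result is the string a hook would hand back to its RPATH-setting step; an empty result means no entry was inside the store.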