authorIan Eure <ian@retrospec.tv>2025-04-19 17:03:39 -0700
committerIan Eure <ian@retrospec.tv>2025-04-20 19:52:55 -0700
commitab24e2ebe51720f332215b110c1bb151718d16bd (patch)
treeaf1bb0f2bc70eed49f83a0d23fcd60a4e95ddf0f
parent674880d12220fa47ed9676ff219fc4a7d8f78321 (diff)
gnu: librewolf: Add the store to the RDD allowlist.
* gnu/packages/librewolf.scm (librewolf): [patches]: Add librewolf-add-store-to-rdd-allowlist.patch. [phase 'wrap-program]: Remove rdd allowlist manipulation. * gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch: Add.
-rw-r--r--gnu/packages/librewolf.scm22
-rw-r--r--gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch36
2 files changed, 39 insertions, 19 deletions
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index cfa315071c..7cb47ba0ad 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -192,7 +192,8 @@
(patches
(search-patches
"torbrowser-compare-paths.patch"
- "librewolf-use-system-wide-dir.patch")))))
+ "librewolf-use-system-wide-dir.patch"
+ "librewolf-add-store-to-rdd-allowlist.patch")))))
;;; Define the versions of rust needed to build firefox, trying to match
;;; upstream. See table at [0], `Uses' column for the specific version.
@@ -541,28 +542,11 @@
"pulseaudio"
"libpciaccess")))
- ;; VA-API is run in the RDD (Remote Data Decoder) sandbox
- ;; and must be explicitly given access to files it needs.
- ;; Rather than adding the whole store (as Nix had
- ;; upstream do, see
- ;; <https://github.com/NixOS/nixpkgs/pull/165964> and
- ;; linked upstream patches), we can just follow the
- ;; runpaths of the needed libraries to add everything to
- ;; LD_LIBRARY_PATH. These will then be accessible in the
- ;; RDD sandbox.
- (rdd-whitelist
- (map (cut string-append <> "/")
- (delete-duplicates
- (append-map runpaths-of-input
- '("mesa"
- "ffmpeg"
- "libpciaccess")))))
(gtk-share (string-append (assoc-ref inputs
"gtk+")
"/share")))
(wrap-program (car (find-files lib "^librewolf$"))
- `("LD_LIBRARY_PATH" prefix
- (,@libs ,@rdd-whitelist))
+ `("LD_LIBRARY_PATH" prefix ,libs)
`("XDG_DATA_DIRS" prefix
(,gtk-share))
`("MOZ_LEGACY_PROFILES" =
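Review bot: The removed comment above `rdd-whitelist` recorded why the package deliberately avoided allowlisting the whole store, and nothing in the new code or the commit message records why the runpath-based allowlist was dropped in favour of the patch; a short comment next to the new `"librewolf-add-store-to-rdd-allowlist.patch"` entry such as `;; Grants the sandboxed processes read-only access to all of /gnu/store instead of the runpaths of selected inputs; see the patch header for the rationale.` would preserve that decision for the next maintainer. With `rdd-whitelist` gone, `runpaths-of-input` — presumably a helper defined earlier in this phase — and the `cut`/`delete-duplicates`/`append-map` calls that fed it may now be unused; if the helper existed only for this purpose it is dead code worth removing in the same commit. The `wrap-program` form and the enclosing phase start and end outside the hunk.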
diff --git a/gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch b/gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch
new file mode 100644
index 0000000000..4bdaa7ddee
--- /dev/null
+++ b/gnu/packages/patches/librewolf-add-store-to-rdd-allowlist.patch
@@ -0,0 +1,36 @@
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+index 4eff5e6..42171eb 100644
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ // Various places where fonts reside
+ policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
+ policy->AddTree(rdonly, "/nix/store");
++ policy->AddTree(rdonly, "/gnu/store");
+ // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
+ policy->AddTree(rdonly, "/run/host/fonts");
+ policy->AddTree(rdonly, "/run/host/user-fonts");
+@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+ // Bug 1848615
+ policy->AddPath(rdonly, "/usr");
+ policy->AddPath(rdonly, "/nix");
++ policy->AddPath(rdonly, "/gnu");
+
+ AddLdconfigPaths(policy);
+ AddLdLibraryEnvPaths(policy);
+@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
+ policy->AddTree(rdonly, "/usr/lib64");
+ policy->AddTree(rdonly, "/run/opengl-driver/lib");
+ policy->AddTree(rdonly, "/nix/store");
++ policy->AddTree(rdonly, "/gnu/store");
+
+ // Bug 1647957: memory reporting.
+ AddMemoryReporting(policy.get(), aPid);
+@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
+ // Required to make sure ffmpeg loads properly, this is already existing on
+ // Content and RDD
+ policy->AddTree(rdonly, "/nix/store");
++ policy->AddTree(rdonly, "/gnu/store");
+
+ // glibc will try to stat64("/") while populating nsswitch database
+ // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396
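Review bot: The patch widens more than the RDD policy: the first two hunks add `/gnu/store` and `/gnu` to `InitContentPolicy`, so content processes also gain read-only access to the whole store, and the last hunk does the same in `GetUtilityProcessPolicy`, while the commit title, the commit description and the patch file name mention only the RDD allowlist. Guix patches conventionally open with a few lines stating what they change and why; I'd prepend a header along the lines of `Grant the content, RDD and utility process sandboxes read-only access to /gnu/store (and /gnu in the content policy), mirroring the existing /nix/store entries, so libraries installed in the store can be loaded inside the sandbox.` That header is also the place to record why store-wide read access was accepted over the narrower runpath allowlist the package used previously, since it trades some sandbox isolation for simplicity. Each patched function starts and ends outside its hunk, so I cannot tell whether other `/nix` entries in the file were left without a `/gnu` counterpart.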