Share /gnu/store in the BubbleWrap container and remove FHS mounts.

This is a Guix-specific patch not meant to be upstreamed.
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
index f0a5e4b05dff..88b11f806968 100644
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
@@ -854,27 +854,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
         "--ro-bind", "/sys/dev", "/sys/dev",
         "--ro-bind", "/sys/devices", "/sys/devices",
 
-        "--ro-bind-try", "/usr/share", "/usr/share",
-        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
         "--ro-bind-try", DATADIR, DATADIR,
-
-        // We only grant access to the libdirs webkit is built with and
-        // guess system libdirs. This will always have some edge cases.
-        "--ro-bind-try", "/lib", "/lib",
-        "--ro-bind-try", "/usr/lib", "/usr/lib",
-        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
         "--ro-bind-try", LIBDIR, LIBDIR,
-#if CPU(ADDRESS64)
-        "--ro-bind-try", "/lib64", "/lib64",
-        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
-        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
-#else
-        "--ro-bind-try", "/lib32", "/lib32",
-        "--ro-bind-try", "/usr/lib32", "/usr/lib32",
-        "--ro-bind-try", "/usr/local/lib32", "/usr/local/lib32",
-#endif
-
         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+        // Bind mount the store inside the WebKitGTK sandbox.
+        "--ro-bind", "@storedir@", "@storedir@",
     };
 
     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {
on>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=453189e3640526dbc86a44bc4022ffbb5eb93bfb'>root</a>/<a href='/guix/log/gnu?id=453189e3640526dbc86a44bc4022ffbb5eb93bfb'>gnu</a>/<a href='/guix/log/gnu/tests?id=453189e3640526dbc86a44bc4022ffbb5eb93bfb'>tests</a>/<a href='/guix/log/gnu/tests/base.scm?id=453189e3640526dbc86a44bc4022ffbb5eb93bfb'>base.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/tests/base.scm?id=453189e3640526dbc86a44bc4022ffbb5eb93bfb&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-10-24 14:50:09 +0200'>2024-10-24</span></td><td><a href='/guix/commit/gnu/tests/base.scm?id=cc67a0b71d4a7d98a3732c3edf2eb340c2799697'>gnu: system: Privilege programs after creating accounts.</a><span class='msg-avail'>...<span class='msg-tooltip'>Ensure that users and groups are already created when the privileging script
runs. The order these scripts appear in the folded activation-service depends
on the order these services are instantiated in the operating-system.

Fixes &lt;https://issues.guix.gnu.org/73680&gt;.

* gnu/system.scm (operating-system-default-essential-services): Move
privileged-program-service above account-service.
(hurd-default-essential-services): Likewise.
* gnu/tests/base.scm (%activation-os): New variable.
(run-activation-test): New procedure.
(%test-activation): New variable.

Change-Id: I59a191c5519475f256e81bdf2dc4cb01b96c31fe
Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Dariqq</td></tr>
<tr><td><span title='2024-09-25 17:53:53 +0200'>2024-09-25</span></td><td><a href='/guix/commit/gnu/tests/base.scm?id=f92151133da4b98f98e755ce0996e8be59acac72'>services: cleanup: Reintroduce explicit ‘chmod’ calls.</a><span class='msg-avail'>...<span class='msg-tooltip'>This reverts commit e74d05db53fdf02956ccee0950896c6ca9f10573.

* gnu/services.scm (cleanup-gexp): Introduce explicit ‘chmod’ calls
after ‘mkdir’ calls.
* gnu/tests/base.scm (run-basic-test)[test]("permissions on /tmp"):
New test.

Reported-by: Hilton Chain &lt;hako@ultrarare.space&gt;
Change-Id: I1e14dbe52eac526d2ed4ec1dd9c6fd9036f96a63
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-07-18 17:31:18 +0200'>2024-07-18</span></td><td><a href='/guix/commit/gnu/tests/base.scm?id=a9d8ad6595b5501e3b257266370591759b5bd82e'>tests: base: Compare all the service provisions, not just canonical names.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/tests/base.scm (run-basic-test)["shepherd services"]: Use
‘append-map’ on live service provisions to match what
‘operating-system-shepherd-service-names’ does.

Change-Id: Ie54082eed6c7b8d37d3428711e71c11e80940235
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2024-01-22 13:24:20 -0500'>2024-01-22</span></td><td><a href='/guix/commit/gnu/tests/base.scm?id=10a193596368443f441077525ebbddf787d91e4b'>gnu: Remove linux-libre 4.14.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/linux.scm (linux-libre-4.14-version,
linux-libre-4.14-gnu-revision, deblob-scripts-4.14,
linux-libre-4.14-pristine-source, linux-libre-4.14-source,
linux-libre-headers-4.14, linux-libre-4.14, linux-libre-arm-generic-4.14,
linux-libre-arm-omap2plus-4.14): Remove variables.
* gnu/packages/aux-files/linux-libre/4.14-arm.conf,
gnu/packages/aux-files/linux-libre/4.14-i686.conf,
gnu/packages/aux-files/linux-libre/4.14-x86_64.conf: Delete files.
* Makefile.am (AUX_FILES): Remove aforementioned .conf files.
* gnu/tests/base.scm (%test-linux-libre-4.14): Remove variable.

Change-Id: I40393b5f46b989848d569c929f1d9c986736553e
</span></span></td><td>Wilko Meyer</td></tr>
<tr><td><span title='2023-04-21 16:16:38 +0200'>2023-04-21</span></td><td><a href='/guix/commit/gnu/tests/base.scm?id=fb32e226ce3d3cd9bf12989850b2dd719266d583'>tests: Use the client 'start-service' procedure.</a><span class='msg-avail'>...<span class='msg-tooltip'>The previous code worked "by chance": 'start' from (shepherd service)
happened to be in scope because the marionette REPL is created by a mere
'primitive-fork', and 'start' happened to kinda work.

* gnu/tests/base.scm (run-basic-test): Use 'start-service' from (gnu
services herd), not 'start' from (shepherd service), which is not
supposed to work.
* gnu/tests/install.scm (run-install): Likewise.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2023-03-03 17:55:35 +0100'>2023-03-03</span></td><td><a href='/guix/commit/gnu/tests/base.scm?id=2799ad44234be675f018115f99be98d2c9fd565d'>services: dbus: Deprecate 'dbus-service' procedure.</a><span class='msg-avail'>...<span class='msg-tooltip'>* doc/guix.texi (Desktop Services): Replace with 'dbus-root-service-type'.
Document dbus-configuration.
* gnu/services/dbus.scm (dbus-service): Define with 'define-deprecated'.
* gnu/services/desktop.scm (desktop-services-for-system): Replace with
dbus-root-service-type.
* gnu/system/install.scm (%installation-services): Ditto.
* gnu/tests/base.scm (%avahi-os): Ditto.
* gnu/tests/docker.scm (%docker-os): Ditto.
* gnu/tests/lightdm.scm (minimal-desktop-services): Ditto.
* gnu/tests/virtualization.scm (%libvirt-os): Ditto.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Bruno Victal</td></tr>
<tr>