From: Nikita Domnitskii
Subject: [bug#72265] [PATCH 1/1] gnu: librewolf: Add guix drivers paths to RDD whitelist
Date: Wed, 24 Jul 2024 11:44:51 +0600
Change-Id: I5aaf590b625dfbacb19b6dc54d7f83f73bea1fda
---
gnu/packages/librewolf.scm | 20 ++++---------------
...librewolf-add-paths-to-rdd-whitelist.patch | 11 ++++++++++
2 files changed, 15 insertions(+), 16 deletions(-)
create mode 100644 gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 3e46477724..b34e29d9db 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -203,7 +203,9 @@ (define librewolf-source
(invoke "make" "all")
(copy-file (string-append "librewolf-" #$version
".source.tar.gz")
- #$output))))))))
+ #$output)))))
+ (patches
+ (search-patches "librewolf-add-paths-to-rdd-whitelist.patch")))))
;; Define the versions of rust needed to build librewolf, trying to match
;; upstream. See the file taskcluster/ci/toolchain/rust.yml at
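Review bot: the new patch is wired in here through `search-patches`, but the diffstat lists only `gnu/packages/librewolf.scm` and the patch file itself, so `gnu/local.mk` is not updated; add `%D%/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch` to `dist_patch_DATA` there, otherwise the file is left out of the distribution tarball even though `search-patches` finds it from a git checkout.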
@@ -573,26 +575,12 @@ (define-public librewolf
;; For U2F and WebAuthn
"eudev")))
- ;; VA-API is run in the RDD (Remote Data
Decoder) sandbox
- ;; and must be explicitly given access to files
it needs.
- ;; Rather than adding the whole store (as Nix had
- ;; upstream do, see
- ;;
<https://github.com/NixOS/nixpkgs/pull/165964> and
- ;; linked upstream patches), we can just follow
the
- ;; runpaths of the needed libraries to add
everything to
- ;; LD_LIBRARY_PATH. These will then be
accessible in the
- ;; RDD sandbox.
- (rdd-whitelist (map (cut string-append <> "/")
- (delete-duplicates
(append-map
-
runpaths-of-input
- '("mesa"
-
"ffmpeg")))))
(gtk-share (string-append (assoc-ref inputs
"gtk+")
"/share")))
(wrap-program (car (find-files lib "^librewolf$"))
`("LD_LIBRARY_PATH" prefix
- (,@libs ,@rdd-whitelist))
+ (,@libs))
`("XDG_DATA_DIRS" prefix
(,gtk-share))
`("MOZ_LEGACY_PROFILES" =
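Review bot: the removed comment block was the only explanation of how VA-API libraries reach the RDD sandbox, and nothing replaces it; after this hunk `wrap-program` just sets `LD_LIBRARY_PATH` to `(,@libs)` with no pointer to the sandbox-policy patch that now does the job. Keep a short comment at this point, for example `;; Read access to /gnu/store inside the RDD sandbox is granted by librewolf-add-paths-to-rdd-whitelist.patch.`, and give the commit message (currently only a subject line and Change-Id) a body that says why the runpath-following approach was dropped. Also check whether `runpaths-of-input` and the `cut` import are still used elsewhere in the file, since this hunk removes their only visible callers.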
diff --git a/gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch b/gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch
new file mode 100644
index 0000000000..1bee0bddf5
--- /dev/null
+++ b/gnu/packages/patches/librewolf-add-paths-to-rdd-whitelist.patch
@@ -0,0 +1,11 @@
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -920,6 +920,8 @@
+ policy->AddDir(rdonly, "/usr/lib64");
+ policy->AddDir(rdonly, "/run/opengl-driver/lib");
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
++ policy->AddDir(rdonly, "/run/current-system/profile/lib");
+
+ // Bug 1647957: memory reporting.
+ AddMemoryReporting(policy.get(), aPid);
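Review bot: the patch file has no header before the first `--- a/...` line; Guix patches should open with a description of what the change does and whether it was sent upstream, and this one also needs to state its security trade-off. `policy->AddDir(rdonly, "/gnu/store")` lets the RDD sandbox read every item in the store, whereas the runpath-based whitelist being removed from `librewolf.scm` exposed only the directories mesa and ffmpeg actually link against, and its comment deliberately avoided the whole-store approach Nix takes with `/nix/store` on the line above. If whole-store read access is acceptable because the store is world-readable anyway, say so in the header; otherwise consider a narrower list of directories. The second added line, `/run/current-system/profile/lib`, only exists on Guix System, which is worth noting in the header since the package is also built on foreign distributions.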
--
Best Regards,
Nikita Domnitskii