authorAndré Batista <nandre@riseup.net>2025-06-30 14:31:43 -0300
committerIan Eure <ian@retrospec.tv>2025-07-01 17:41:55 -0700
commit6ee9cd170b10a52162e43abcdb1f7148da5d7f45 (patch)
tree3006f632bec465ec5e218ba843b14e5a0b697634
parent04393803a1c58e68994bf37d2c229adf59e3261b (diff)
gnu: make-torbrowser: Add store to rdd allowlist.
Without this patch, some extensions break when the browsers are built with system nss, and livestreams are broken on these browsers because of a default-deny sandboxing rule. See commit ab24e2ebe51720f332215b110c1bb151718d16bd and issues #546 on codeberg and #77559 on debbugs. * gnu/packages/tor-browsers.scm (make-torbrowser) [arguments] <#:phases> 'apply-guix-specific-patches: Add torbrowsers-add-store-to-rdd-allowlist.patch. * gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch: Add it. * gnu/local.mk: Register it. Change-Id: I4c9cb514131eae35db6149492e0ee1c4916bcfde
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch34
-rw-r--r--gnu/packages/tor-browsers.scm3
3 files changed, 38 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 4e448e86ea0..cd46215b32b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -2346,6 +2346,7 @@ dist_patch_DATA = \
%D%/packages/patches/tlf-support-hamlib-4.2+.patch \
%D%/packages/patches/tofi-32bit-compat.patch \
%D%/packages/patches/torbrowser-compare-paths.patch \
+ %D%/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch \
%D%/packages/patches/tpetra-remove-duplicate-using.patch \
%D%/packages/patches/transcode-ffmpeg.patch \
%D%/packages/patches/transmission-4.0.6-fix-build.patch \
diff --git a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
new file mode 100644
index 00000000000..2e0e5009f40
--- /dev/null
+++ b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
@@ -0,0 +1,34 @@
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -452,6 +452,7 @@
+ // Various places where fonts reside
+ policy->AddDir(rdonly, "/usr/X11R6/lib/X11/fonts");
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
+ // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
+ policy->AddDir(rdonly, "/run/host/fonts");
+ policy->AddDir(rdonly, "/run/host/user-fonts");
+@@ -461,6 +462,7 @@
+ // Bug 1848615
+ policy->AddPath(rdonly, "/usr");
+ policy->AddPath(rdonly, "/nix");
++ policy->AddPath(rdonly, "/gnu");
+
+ AddLdconfigPaths(policy);
+ AddLdLibraryEnvPaths(policy);
+@@ -920,6 +922,7 @@
+ policy->AddDir(rdonly, "/usr/lib64");
+ policy->AddDir(rdonly, "/run/opengl-driver/lib");
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
+
+ // Bug 1647957: memory reporting.
+ AddMemoryReporting(policy.get(), aPid);
+@@ -1043,6 +1046,7 @@
+ // Required to make sure ffmpeg loads properly, this is already existing on
+ // Content and RDD
+ policy->AddDir(rdonly, "/nix/store");
++ policy->AddDir(rdonly, "/gnu/store");
+
+ // glibc will try to stat64("/") while populating nsswitch database
+ // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396
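Review bot: The new patch file carries no header before its first `---` line explaining what it changes, why Guix needs it, or whether it is Guix-specific, which is what a later rebase against a new browser release will need. All four hunks widen a sandbox broker allowlist: each adds `/gnu/store` (and the second also `/gnu` via AddPath, matching the `/nix` entry above it) as `rdonly` entries next to the existing Nix ones, and the "already existing on Content and RDD" comment in the last hunk suggests more than the RDD policy named in the title is affected — worth stating so reviewers see the full scope of what the sandbox now exposes. A header such as `Grant sandboxed browser processes read-only access to the Guix store, mirroring the existing /nix/store entries, so system nss and ffmpeg can be loaded from store paths (see issue #546 on codeberg).` would capture the intent; the read-only nature of the grant is the point to keep explicit, since the store is the only prefix being opened up.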
diff --git a/gnu/packages/tor-browsers.scm b/gnu/packages/tor-browsers.scm
index df29a149b1a..e9bced2789e 100644
--- a/gnu/packages/tor-browsers.scm
+++ b/gnu/packages/tor-browsers.scm
@@ -385,6 +385,9 @@ Browser.")
(lambda (file) (invoke "patch" "--force" "-p1" "-i" file))
'(#$(local-file
(search-patch "torbrowser-compare-paths.patch"))
+ #$(local-file
+ (search-patch
+ "torbrowsers-add-store-to-rdd-allowlist.patch"))
#$(local-file
(search-patch "icecat-use-system-wide-dir.patch"))))))
(add-after 'apply-guix-specific-patches 'remove-bundled-libraries