| author | André Batista <nandre@riseup.net> | 2025-08-01 14:22:37 -0300 |
|---|---|---|
| committer | Hilton Chain <hako@ultrarare.space> | 2025-08-12 22:07:04 +0800 |
| commit | 17cdf44ba16ae75c5428091b204b08bfa57ccab5 (patch) | |
| tree | a520bdfa7835c9bb069fe6ed120e50379015e122 /gnu | |
| parent | aad498d9272887738fffe4bfd8e67c57658122bb (diff) | |
gnu: make-torbrowser: Remove redundant phase.
Follow up to commit 6ee9cd170b10a52162e43abcdb1f7148da5d7f45 which added
torbrowsers-add-store-to-rdd-allowlist.patch and implicitly made
'build-sandbox-whitelist phase unnecessary.
Users are encouraged to use Guix Containers if they want to restrict
browsers' access to their file systems.
* gnu/packages/tor-browsers.scm (make-torbrowser) [arguments] <#:phases>
'build-sandbox-whitelist: Remove it;
'autoconfig: Remove step that adds the aforementioned list to browser
default preferences.
* gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch: Add
explanatory comment and refer to issues this patch addresses.
Change-Id: Icc0ea4c2470e8bc82e3a2bf57966b46fd47a7cf8
Signed-off-by: Hilton Chain <hako@ultrarare.space>
Diffstat (limited to 'gnu')
| -rw-r--r-- | gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch | 17 | ||||
| -rw-r--r-- | gnu/packages/tor-browsers.scm | 28 |
2 files changed, 17 insertions, 28 deletions
diff --git a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
index 2e0e5009f40..ad648cbac4a 100644
--- a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
+++ b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
@@ -1,3 +1,20 @@
+By default Firefox sandbox security model allows browser components to
+access files under '/usr', '/etc' and user home directories. However,
+similar to Nix, on Guix some of those file hierarchies are actually
+symlinks to '/gnu/store' paths, which then get denied, breaking some
+expected functionality on the browser. Moreover, their final store
+paths are not available on the build environment and also expected to
+change.
+
+Guix users that are willing to further restrict browsers' access to their
+file systems and do not mind losing some funcionality are advised to use
+Guix Containers.
+
+See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
+<https://codeberg.org/guix/guix/issues/661>,
+<https://issues.guix.gnu.org/38045> and
+<https://issues.guix.gnu.org/77559>
+
 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
 +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
 @@ -452,6 +452,7 @@
diff --git a/gnu/packages/tor-browsers.scm b/gnu/packages/tor-browsers.scm
index fbcd9f933a7..116d25875ab 100644
--- a/gnu/packages/tor-browsers.scm
+++ b/gnu/packages/tor-browsers.scm
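Review bot: `funcionality` in the added header comment (the line starting `file systems and do not mind losing some`) should read `functionality`. The opening sentence also reads more cleanly as `By default, Firefox's sandbox security model allows browser components to`, since this header is what future maintainers will read before touching the policy change below it.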
@@ -424,30 +424,6 @@ Browser.") (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp" (("libavcodec\\.so") (search-input-file inputs "lib/libavcodec.so"))))) - (add-after 'fix-ffmpeg-runtime-linker 'build-sandbox-whitelist - (lambda* (#:key inputs #:allow-other-keys) - (define (runpath-of lib) - (call-with-input-file lib - (compose elf-dynamic-info-runpath - elf-dynamic-info - parse-elf - get-bytevector-all))) - (define (runpaths-of-input label) - (let* ((dir (string-append (assoc-ref inputs label) "/lib")) - (libs (find-files dir "\\.so$"))) - (append-map runpath-of libs))) - ;; Populate the sandbox read-path whitelist as needed by ffmpeg. - (let* ((whitelist - (map (cut string-append <> "/") - (delete-duplicates - `(,(string-append (assoc-ref inputs "shared-mime-info") - "/share/mime") - ,@(append-map runpaths-of-input - '("mesa" "ffmpeg")))))) - (whitelist-string (string-join whitelist ","))) - (with-output-to-file "whitelist.txt" - (lambda () - (display whitelist-string)))))) (add-after 'patch-source-shebangs 'patch-cargo-checksums (lambda _ (use-modules (guix build cargo-utils)) @@ -754,10 +730,6 @@ Browser.") ;; Default is 5. (format #t "pref(~s, ~a);~%" "extensions.enabledScopes" "13") - (format #t "pref(~s, ~s);~%" - "security.sandbox.content.read_path_whitelist" - (call-with-input-file "whitelist.txt" - get-string-all)) ;; Add-ons pannel (see settings.js in Icecat source). (format #t "pref(~s, ~s);~%" "extensions.getAddons.search.browseURL" |
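Review bot: Nothing in tor-browsers.scm now records where sandboxed browser processes get their /gnu/store read access once the `security.sandbox.content.read_path_whitelist` pref is dropped in the `@@ -754` hunk and its producer phase 'build-sandbox-whitelist in the `@@ -424` hunk; the removed code was a curated, per-build allowlist (shared-mime-info plus the ELF runpaths of mesa and ffmpeg), so a reader of the 'autoconfig phase can no longer tell why no read-path pref is emitted. The removed pref is scoped to the content process, while the replacement patch is named for the RDD allowlist and its body (`@@ -452,6 +452,7 @@` in SandboxBrokerPolicyFactory.cpp) is not visible on this page, so whether the content sandbox still reaches the mesa/ffmpeg runpaths is worth confirming rather than assuming. A one-line pointer next to the surviving `extensions.enabledScopes` pref would keep the list from being re-added: `;; Store read access for sandboxed processes comes from torbrowsers-add-store-to-rdd-allowlist.patch; no read_path_whitelist pref is needed.` Both the phase list at `@@ -424` and the 'autoconfig lambda begin and end outside these hunks.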
