Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch17
-rw-r--r--gnu/packages/tor-browsers.scm28
2 files changed, 17 insertions, 28 deletions
diff --git a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
index 2e0e5009f40..ad648cbac4a 100644
--- a/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
+++ b/gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch
@@ -1,3 +1,20 @@
+By default Firefox sandbox security model allows browser components to
+access files under '/usr', '/etc' and user home directories. However,
+similar to Nix, on Guix some of those file hierarchies are actually
+symlinks to '/gnu/store' paths, which then get denied, breaking some
+expected functionality on the browser. Moreover, their final store
+paths are not available on the build environment and also expected to
+change.
+
+Guix users that are willing to further restrict browsers' access to their
+file systems and do not mind losing some funcionality are advised to use
+Guix Containers.
+
+See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
+<https://codeberg.org/guix/guix/issues/661>,
+<https://issues.guix.gnu.org/38045> and
+<https://issues.guix.gnu.org/77559>
+
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -452,6 +452,7 @@
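Review bot: The new header comment explains why the allowlist entry is needed but never says what it grants; the one line this patch adds to SandboxBrokerPolicyFactory.cpp (hunk at line 452) is outside this view, so the comment should state it explicitly — presumably read access to all of /gnu/store for the RDD process, as the file name suggests, but confirm against the patch body. That is a broader surface than the build-time whitelist this same commit deletes from tor-browsers.scm (shared-mime-info plus the mesa/ffmpeg runpaths previously written into security.sandbox.content.read_path_whitelist), so a sentence such as `This grants the sandboxed process read access to every store item, not just the ffmpeg/mesa paths previously whitelisted; nothing secret should ever live in /gnu/store.` belongs in the header so the trade-off is auditable. The "Guix Containers" advice should name the concrete mechanism or document section it refers to so a user can act on it. Typo in the second paragraph: `funcionality` → `functionality`.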
diff --git a/gnu/packages/tor-browsers.scm b/gnu/packages/tor-browsers.scm
index fbcd9f933a7..116d25875ab 100644
--- a/gnu/packages/tor-browsers.scm
+++ b/gnu/packages/tor-browsers.scm
@@ -424,30 +424,6 @@ Browser.")
(substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
(("libavcodec\\.so")
(search-input-file inputs "lib/libavcodec.so")))))
- (add-after 'fix-ffmpeg-runtime-linker 'build-sandbox-whitelist
- (lambda* (#:key inputs #:allow-other-keys)
- (define (runpath-of lib)
- (call-with-input-file lib
- (compose elf-dynamic-info-runpath
- elf-dynamic-info
- parse-elf
- get-bytevector-all)))
- (define (runpaths-of-input label)
- (let* ((dir (string-append (assoc-ref inputs label) "/lib"))
- (libs (find-files dir "\\.so$")))
- (append-map runpath-of libs)))
- ;; Populate the sandbox read-path whitelist as needed by ffmpeg.
- (let* ((whitelist
- (map (cut string-append <> "/")
- (delete-duplicates
- `(,(string-append (assoc-ref inputs "shared-mime-info")
- "/share/mime")
- ,@(append-map runpaths-of-input
- '("mesa" "ffmpeg"))))))
- (whitelist-string (string-join whitelist ",")))
- (with-output-to-file "whitelist.txt"
- (lambda ()
- (display whitelist-string))))))
(add-after 'patch-source-shebangs 'patch-cargo-checksums
(lambda _
(use-modules (guix build cargo-utils))
@@ -754,10 +730,6 @@ Browser.")
;; Default is 5.
(format #t "pref(~s, ~a);~%"
"extensions.enabledScopes" "13")
- (format #t "pref(~s, ~s);~%"
- "security.sandbox.content.read_path_whitelist"
- (call-with-input-file "whitelist.txt"
- get-string-all))
;; Add-ons pannel (see settings.js in Icecat source).
(format #t "pref(~s, ~s);~%"
"extensions.getAddons.search.browseURL"