gnu: make-torbrowser: Remove redundant phase.

Follow up to commit 6ee9cd170b which added
torbrowsers-add-store-to-rdd-allowlist.patch and implicitly made
'build-sandbox-whitelist phase unnecessary.

Users are encouraged to use Guix Containers if they want to restrict
browsers' access to their file systems.

* gnu/packages/tor-browsers.scm (make-torbrowser) [arguments] <#:phases>
'build-sandbox-whitelist: Remove it;
'autoconfig: Remove step that adds the forementioned list to browser
default preferences.
* gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch: Add
explanatory comment and refer to issues this patch addresses.

Change-Id: Icc0ea4c2470e8bc82e3a2bf57966b46fd47a7cf8
Signed-off-by: Hilton Chain <hako@ultrarare.space>

gnu/packages/patches/torbrowsers-add-store-to-rdd-allowlist.patch

@@ -1,3 +1,20 @@
+By default Firefox sandbox security model allows browser components to
+access files under '/usr', '/etc' and user home directories.  However,
+similar to Nix, on Guix some of those file hierarchies are actually
+symlinks to '/gnu/store' paths, which then get denied, breaking some
+expected functionality on the browser.  Moreover, their final store
+paths are not available on the build environment and also expected to
+change.
+
+Guix users that are willing to further restrict browsers' access to their
+file systems and do not mind losing some funcionality are advised to use
+Guix Containers.
+
+See: <https://bugzilla.mozilla.org/show_bug.cgi?id=1848615#c8>,
+<https://codeberg.org/guix/guix/issues/661>,
+<https://issues.guix.gnu.org/38045> and
+<https://issues.guix.gnu.org/77559>
+
 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
 +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
 @@ -452,6 +452,7 @@

gnu/packages/tor-browsers.scm

@@ -424,30 +424,6 @@ Browser.")
               (substitute* "dom/media/platforms/ffmpeg/FFmpegRuntimeLinker.cpp"
                 (("libavcodec\\.so")
                  (search-input-file inputs "lib/libavcodec.so")))))
-          (add-after 'fix-ffmpeg-runtime-linker 'build-sandbox-whitelist
-            (lambda* (#:key inputs #:allow-other-keys)
-              (define (runpath-of lib)
-                (call-with-input-file lib
-                  (compose elf-dynamic-info-runpath
-                           elf-dynamic-info
-                           parse-elf
-                           get-bytevector-all)))
-              (define (runpaths-of-input label)
-                (let* ((dir (string-append (assoc-ref inputs label) "/lib"))
-                       (libs (find-files dir "\\.so$")))
-                  (append-map runpath-of libs)))
-              ;; Populate the sandbox read-path whitelist as needed by ffmpeg.
-              (let* ((whitelist
-                      (map (cut string-append <> "/")
-                           (delete-duplicates
-                            `(,(string-append (assoc-ref inputs "shared-mime-info")
-                                              "/share/mime")
-                              ,@(append-map runpaths-of-input
-                                            '("mesa" "ffmpeg"))))))
-                     (whitelist-string (string-join whitelist ",")))
-                (with-output-to-file "whitelist.txt"
-                  (lambda ()
-                    (display whitelist-string))))))
           (add-after 'patch-source-shebangs 'patch-cargo-checksums
             (lambda _
               (use-modules (guix build cargo-utils))
@@ -754,10 +730,6 @@ Browser.")
                     ;; Default is 5.
                     (format #t "pref(~s, ~a);~%"
                             "extensions.enabledScopes" "13")
-                    (format #t "pref(~s, ~s);~%"
-                            "security.sandbox.content.read_path_whitelist"
-                            (call-with-input-file "whitelist.txt"
-                              get-string-all))
                     ;; Add-ons pannel (see settings.js in Icecat source).
                     (format #t "pref(~s, ~s);~%"
                             "extensions.getAddons.search.browseURL"