nongnu: firefox: Fix GPU decoding.

* nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch: New
file.
* nongnu/packages/mozilla.scm (firefox-esr)[source]<patches>: Add it.
[#:phases]<wrap-glxtest>: New phase ported from Guix's librewolf package.
<wrap-program>: Remove whitelist manipulation.
[inputs]: Add pciutils.
* nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch: New file.
* nongnu/packages/mozilla.scm (firefox)[source]<patches>: Add it.

Fixes: https://gitlab.com/nonguix/nonguix/-/issues/389
Signed-off-by: Hilton Chain <hako@ultrarare.space>
Modified-by: Hilton Chain <hako@ultrarare.space>

nongnu/packages/mozilla.scm

@@ -17,7 +17,7 @@
 ;;; Copyright © 2020-2025 Jonathan Brielmaier <jonathan.brielmaier@web.de>
 ;;; Copyright © 2020 Zhu Zihao <all_but_last@163.com>
 ;;; Copyright © 2021 pineapples <guixuser6392@protonmail.com>
-;;; Copyright © 2021, 2024 Brice Waegeneire <brice@waegenei.re>
+;;; Copyright © 2021, 2024, 2025 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2021, 2022, 2023 John Kehayias <john.kehayias@protonmail.com>
 ;;; Copyright © 2022 Pierre Langlois <pierre.langlois@gmx.com>
 ;;; Copyright © 2023-2025 Tomas Volf <wolf@wolfsden.cz>
@@ -63,6 +63,7 @@
   #:use-module (gnu packages node)
   #:use-module (gnu packages nss)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages pciutils)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages pulseaudio)
   #:use-module (gnu packages python)
@@ -106,7 +107,8 @@
                      %load-path)
                 patch))
              '("firefox-esr-compare-paths.patch"
-               "firefox-esr-use-system-wide-dir.patch")))
+               "firefox-esr-use-system-wide-dir.patch"
+               "firefox-esr-add-store-to-rdd-allowlist.patch")))
        ;; XXX: 75 Mo (800+ Mo uncompressed) of unused tests.
        ;; Removing it makes it possible to compile on some systems.
        (modules '((guix build utils)))
@@ -351,6 +353,20 @@
                                   (string-drop hash 8)))))))
           (replace 'install
             (lambda _ (invoke "./mach" "install")))
+          (add-after 'install 'wrap-glxtest
+            ;; glxtest uses dlopen() to load mesa and pci
+            ;; libs, wrap it to set LD_LIBRARY_PATH.
+            (lambda* (#:key inputs outputs #:allow-other-keys)
+              (let* ((out (assoc-ref outputs "out"))
+                     (lib (string-append out "/lib"))
+                     (libs (map
+                            (lambda (lib-name)
+                              (string-append (assoc-ref inputs
+                                                        lib-name)
+                                             "/lib"))
+                            '("mesa" "pciutils"))))
+                (wrap-program (car (find-files lib "^glxtest$"))
+                  `("LD_LIBRARY_PATH" prefix ,libs)))))
           (add-after 'install 'wrap-program
             (lambda* (#:key inputs outputs #:allow-other-keys)
               ;; The following two functions are from Guix's icecat package in
@@ -380,23 +396,6 @@
                      ;; and libva depend on).
                      (pciaccess-lib (string-append (assoc-ref inputs "libpciaccess")
                                                    "/lib"))
-                     ;; VA-API is run in the RDD (Remote Data Decoder) sandbox
-                     ;; and must be explicitly given access to files it needs.
-                     ;; Rather than adding the whole store (as Nix had
-                     ;; upstream do, see
-                     ;; <https://github.com/NixOS/nixpkgs/pull/165964> and
-                     ;; linked upstream patches), we can just follow the
-                     ;; runpaths of the needed libraries to add everything to
-                     ;; LD_LIBRARY_PATH.  These will then be accessible in the
-                     ;; RDD sandbox.
-                     ;; TODO: Properly handle the runpath of libraries needed
-                     ;; (for RDD) recursively, so the explicit libpciaccess
-                     ;; can be removed.
-                     (rdd-whitelist
-                      (map (cut string-append <> "/")
-                           (delete-duplicates
-                            (append-map runpaths-of-input
-                                        '("mesa" "ffmpeg")))))
                      (pulseaudio-lib (string-append (assoc-ref inputs "pulseaudio")
                                                     "/lib"))
                      ;; For sharing on Wayland
@@ -409,7 +408,7 @@
                 (wrap-program (car (find-files lib "^firefox$"))
                   `("LD_LIBRARY_PATH" prefix (,mesa-lib ,libnotify-lib ,libva-lib
                                               ,pciaccess-lib ,pulseaudio-lib ,eudev-lib
-                                              ,@rdd-whitelist ,pipewire-lib))
+                                              ,pipewire-lib))
                   `("XDG_DATA_DIRS" prefix (,gtk-share))
                   `("MOZ_LEGACY_PROFILES" = ("1"))
                   `("MOZ_ALLOW_DOWNGRADE" = ("1"))))))
@@ -485,6 +484,7 @@
         nspr-4.32
         ;; nss
         pango
+        pciutils
         pipewire
         pixman
         pulseaudio
@@ -550,7 +550,8 @@ Release (ESR) version.")
                 patch))
              '("firefox-restore-desktop-files.patch"
                "firefox-ge-138-compare-paths.patch"
-               "firefox-use-system-wide-dir.patch")))
+               "firefox-use-system-wide-dir.patch"
+               "firefox-add-store-to-rdd-allowlist.patch")))
        ;; XXX: 75 Mo (800+ Mo uncompressed) of unused tests.
        ;; Removing it makes it possible to compile on some systems.
        (modules '((guix build utils)))

nongnu/packages/patches/firefox-add-store-to-rdd-allowlist.patch

@@ -0,0 +1,36 @@
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+index 4eff5e6..42171eb 100644
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -476,6 +476,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+   // Various places where fonts reside
+   policy->AddTree(rdonly, "/usr/X11R6/lib/X11/fonts");
+   policy->AddTree(rdonly, "/nix/store");
++  policy->AddTree(rdonly, "/gnu/store");
+   // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
+   policy->AddTree(rdonly, "/run/host/fonts");
+   policy->AddTree(rdonly, "/run/host/user-fonts");
+@@ -485,6 +486,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+   // Bug 1848615
+   policy->AddPath(rdonly, "/usr");
+   policy->AddPath(rdonly, "/nix");
++  policy->AddPath(rdonly, "/gnu");
+ 
+   AddLdconfigPaths(policy);
+   AddLdLibraryEnvPaths(policy);
+@@ -934,6 +936,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
+   policy->AddTree(rdonly, "/usr/lib64");
+   policy->AddTree(rdonly, "/run/opengl-driver/lib");
+   policy->AddTree(rdonly, "/nix/store");
++  policy->AddTree(rdonly, "/gnu/store");
+ 
+   // Bug 1647957: memory reporting.
+   AddMemoryReporting(policy.get(), aPid);
+@@ -1079,6 +1082,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
+   // Required to make sure ffmpeg loads properly, this is already existing on
+   // Content and RDD
+   policy->AddTree(rdonly, "/nix/store");
++  policy->AddTree(rdonly, "/gnu/store");
+ 
+   // glibc will try to stat64("/") while populating nsswitch database
+   // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396

nongnu/packages/patches/firefox-esr-add-store-to-rdd-allowlist.patch

@@ -0,0 +1,36 @@
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+index 0e5358e68e..efbde9616e 100644
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -452,6 +452,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+   // Various places where fonts reside
+   policy->AddDir(rdonly, "/usr/X11R6/lib/X11/fonts");
+   policy->AddDir(rdonly, "/nix/store");
++  policy->AddDir(rdonly, "/gnu/store");
+   // https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/blob/e434e680d22260f277f4a30ec4660ed32b591d16/files/fontconfig-flatpak.conf
+   policy->AddDir(rdonly, "/run/host/fonts");
+   policy->AddDir(rdonly, "/run/host/user-fonts");
+@@ -461,6 +462,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
+   // Bug 1848615
+   policy->AddPath(rdonly, "/usr");
+   policy->AddPath(rdonly, "/nix");
++  policy->AddPath(rdonly, "/gnu");
+ 
+   AddLdconfigPaths(policy);
+   AddLdLibraryEnvPaths(policy);
+@@ -920,6 +922,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
+   policy->AddDir(rdonly, "/usr/lib64");
+   policy->AddDir(rdonly, "/run/opengl-driver/lib");
+   policy->AddDir(rdonly, "/nix/store");
++  policy->AddDir(rdonly, "/gnu/store");
+ 
+   // Bug 1647957: memory reporting.
+   AddMemoryReporting(policy.get(), aPid);
+@@ -1043,6 +1046,7 @@ SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
+   // Required to make sure ffmpeg loads properly, this is already existing on
+   // Content and RDD
+   policy->AddDir(rdonly, "/nix/store");
++  policy->AddDir(rdonly, "/gnu/store");
+ 
+   // glibc will try to stat64("/") while populating nsswitch database
+   // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396