gnu: webkitgtk: Adjust BubbleWrap wrapper.

This revisits <https://issues.guix.gnu.org/40837> with a fix that doesn't
require to have PULSE_CLIENTCONFIG point to an absolute store location, which
will allow us to revert to have PULSE_CLIENTCONFIG point to a fixed location
under /etc.  This would alleviate the need to reboot to have changes to the
PulseAudio configuration effected.

* gnu/packages/patches/webkitgtk-share-store.patch: Delete file.
* gnu/packages/patches/webkitgtk-bubblewrap-paths.patch: Add file.
* gnu/packages/patches/webkitgtk-canonicalize-paths.patch: Likewise.
* gnu/local.mk (dist_patch_DATA): Update patches list.
* gnu/packages/webkit.scm (webkitgtk)[patches]: Adjust accordingly.

gnu/local.mk

@@ -1925,8 +1925,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/vte-CVE-2012-2738-pt2.patch			\
   %D%/packages/patches/vtk-fix-freetypetools-build-failure.patch	\
   %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch	\
-  %D%/packages/patches/webkitgtk-share-store.patch		\
   %D%/packages/patches/webkitgtk-bind-all-fonts.patch		\
+  %D%/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch	\
+  %D%/packages/patches/webkitgtk-canonicalize-paths.patch	\
   %D%/packages/patches/webrtc-audio-processing-big-endian.patch	\
   %D%/packages/patches/websocketpp-fix-for-cmake-3.15.patch	\
   %D%/packages/patches/wicd-bitrate-none-fix.patch		\

gnu/packages/patches/webkitgtk-adjust-bubblewrap-paths.patch

@@ -0,0 +1,38 @@
+Share /gnu/store in the BubbleWrap container and remove FHS mounts.
+
+This is a Guix-specific patch not meant to be upstreamed.
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index f0a5e4b05dff..88b11f806968 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -854,27 +854,12 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
+         "--ro-bind", "/sys/dev", "/sys/dev",
+         "--ro-bind", "/sys/devices", "/sys/devices",
+ 
+-        "--ro-bind-try", "/usr/share", "/usr/share",
+-        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+         "--ro-bind-try", DATADIR, DATADIR,
+-
+-        // We only grant access to the libdirs webkit is built with and
+-        // guess system libdirs. This will always have some edge cases.
+-        "--ro-bind-try", "/lib", "/lib",
+-        "--ro-bind-try", "/usr/lib", "/usr/lib",
+-        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+         "--ro-bind-try", LIBDIR, LIBDIR,
+-#if CPU(ADDRESS64)
+-        "--ro-bind-try", "/lib64", "/lib64",
+-        "--ro-bind-try", "/usr/lib64", "/usr/lib64",
+-        "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
+-#else
+-        "--ro-bind-try", "/lib32", "/lib32",
+-        "--ro-bind-try", "/usr/lib32", "/usr/lib32",
+-        "--ro-bind-try", "/usr/local/lib32", "/usr/local/lib32",
+-#endif
+-
+         "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
++
++        // Bind mount the store inside the WebKitGTK sandbox.
++        "--ro-bind", "@storedir@", "@storedir@",
+     };
+ 
+     if (launchOptions.processType == ProcessLauncher::ProcessType::DBusProxy) {

gnu/packages/patches/webkitgtk-bind-all-fonts.patch

@@ -1,12 +1,10 @@
-Add fonts from all XDG_DATA_DIRS, not just XDG_DATA_HOME.
+Upstream commit: https://github.com/WebKit/WebKit/commit/31ac354cbeecf866f9a38f7b2f8f59f7975d3f6a
 
-See <http://bugs.gnu.org/41174>.
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-Author: Liliana Marie Prikler <liliana.prikler@gmail.com>
+index ecc804663784..8de174be3c0e 100644
-Index: webkitgtk-2.28.2/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-===================================================================
 --- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
 +++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -387,6 +387,7 @@ static void bindFonts(Vector<CString>& args)
+@@ -288,6 +288,7 @@ static void bindFonts(Vector<CString>& args)
      const char* homeDir = g_get_home_dir();
      const char* dataDir = g_get_user_data_dir();
      const char* cacheDir = g_get_user_cache_dir();
@@ -14,13 +12,14 @@ Index: webkitgtk-2.28.2/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher
  
      // Configs can include custom dirs but then we have to parse them...
      GUniquePtr<char> fontConfig(g_build_filename(configDir, "fontconfig", nullptr));
-@@ -403,6 +404,10 @@ static void bindFonts(Vector<CString>& args)
+@@ -304,6 +305,10 @@ static void bindFonts(Vector<CString>& args)
      bindIfExists(args, fontHomeConfigDir.get());
      bindIfExists(args, fontData.get());
      bindIfExists(args, fontHomeData.get());
-+    for (auto dataDir = dataDirs; dataDir != nullptr && *dataDir != nullptr; dataDir++) {
++    for (auto* dataDir = dataDirs; dataDir && *dataDir; dataDir++) {
 +        GUniquePtr<char> fontDataDir(g_build_filename(*dataDir, "fonts", nullptr));
 +        bindIfExists(args, fontDataDir.get());
 +    }
      bindIfExists(args, "/var/cache/fontconfig"); // Used by Debian.
  }
+ 

gnu/packages/patches/webkitgtk-canonicalize-paths.patch

@@ -0,0 +1,66 @@
+Upstream commit: https://github.com/WebKit/WebKit/commit/6a87eb254ef57a986a1a6ce9a3a4b66928afeb65
+
+diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+index ecc804663784..a2a1c9d7a4dd 100644
+--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
++++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+@@ -27,7 +27,6 @@
+ #include <seccomp.h>
+ #include <sys/ioctl.h>
+ #include <sys/mman.h>
+-#include <unistd.h>
+ #include <wtf/FileSystem.h>
+ #include <wtf/UniStdExtras.h>
+ #include <wtf/glib/GRefPtr.h>
+@@ -165,6 +164,15 @@ enum class BindFlags {
+     Device,
+ };
+ 
++static void bindSymlinksRealPath(Vector<CString>& args, const char* path, const char* bindOption = "--ro-bind")
++{
++    WTF::String realPath = FileSystem::realPath(path);
++    if (path != realPath) {
++        CString rpath = realPath.utf8();
++        args.appendVector(Vector<CString>({ bindOption, rpath.data(), rpath.data() }));
++    }
++}
++
+ static void bindIfExists(Vector<CString>& args, const char* path, BindFlags bindFlags = BindFlags::ReadOnly)
+ {
+     if (!path || path[0] == '\0')
+@@ -177,7 +185,16 @@ static void bindIfExists(Vector<CString>& args, const char* path, BindFlags bind
+         bindType = "--ro-bind-try";
+     else
+         bindType = "--bind-try";
+-    args.appendVector(Vector<CString>({ bindType, path, path }));
++
++    // Canonicalize the source path, otherwise a symbolic link could
++    // point to a location outside of the namespace.
++    bindSymlinksRealPath(args, path, bindType);
++
++    // As /etc is exposed wholesale, do not layer extraneous bind
++    // directives on top, which could fail in the presence of symbolic
++    // links.
++    if (!g_str_has_prefix(path, "/etc/"))
++        args.appendVector(Vector<CString>({ bindType, path, path }));
+ }
+ 
+ static void bindDBusSession(Vector<CString>& args, bool allowPortals)
+@@ -410,17 +427,6 @@ static void bindV4l(Vector<CString>& args)
+     }));
+ }
+ 
+-static void bindSymlinksRealPath(Vector<CString>& args, const char* path)
+-{
+-    char realPath[PATH_MAX];
+-
+-    if (realpath(path, realPath) && strcmp(path, realPath)) {
+-        args.appendVector(Vector<CString>({
+-            "--ro-bind", realPath, realPath,
+-        }));
+-    }
+-}
+-
+ // Translate a libseccomp error code into an error message. libseccomp
+ // mostly returns negative errno values such as -ENOMEM, but some
+ // standard errno values are used for non-standard purposes where their

gnu/packages/patches/webkitgtk-share-store.patch

@@ -1,19 +0,0 @@
-Tell bubblewrap to share the store.  Required for programs that use the
-sandboxing features such as Epiphany.
-
-See <https://bugs.gnu.org/40837>.
-Author: Jack Hill <jackhill@jackhill.us>
----
-diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
---- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-@@ -737,6 +737,9 @@ GRefPtr<GSubprocess> bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
-         "--ro-bind-try", "/usr/local/share", "/usr/local/share",
-         "--ro-bind-try", DATADIR, DATADIR,
- 
-+       // Bind mount the store inside the WebKitGTK sandbox.
-+       "--ro-bind", "@storedir@", "@storedir@",
-+
-         // We only grant access to the libdirs webkit is built with and
-         // guess system libdirs. This will always have some edge cases.
-         "--ro-bind-try", "/lib", "/lib",

gnu/packages/webkit.scm

@@ -247,8 +247,9 @@ acceleration in mind, leveraging common 3D graphics APIs for best performance.")
               (sha256
                (base32
                 "1xn1hhd0qaxmjf6vy6664i4mmmjsw9zgrr4w8ni3415d981zvj3b"))
-              (patches (search-patches "webkitgtk-share-store.patch"
+              (patches (search-patches "webkitgtk-bind-all-fonts.patch"
-                                       "webkitgtk-bind-all-fonts.patch"))))
+                                       "webkitgtk-adjust-bubblewrap-paths.patch"
+                                       "webkitgtk-canonicalize-paths.patch"))))
     (build-system cmake-build-system)
     (outputs '("out" "doc" "debug"))
     (arguments