# --- T2-COPYRIGHT-BEGIN ---
# t2/package/*/firefox/sandbox-x11.patch
# Copyright (C) 2025 The T2 SDE Project
# SPDX-License-Identifier: GPL-2.0 or patched project license
# --- T2-COPYRIGHT-END ---

--- firefox-134.0.2/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp.vanilla	2025-01-31 11:35:45.944913917 +0100
+++ firefox-134.0.2/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp	2025-01-31 11:42:37.705897499 +0100
@@ -454,6 +454,10 @@
   policy->AddTree(rdonly, "/usr/lib");
   policy->AddTree(rdonly, "/usr/lib32");
   policy->AddTree(rdonly, "/usr/lib64");
+  policy->AddTree(rdonly, "/usr/X11/lib");
+  policy->AddTree(rdonly, "/usr/X11/lib32");
+  policy->AddTree(rdonly, "/usr/X11/lib64");
+
   policy->AddTree(rdonly, "/etc");
   policy->AddTree(rdonly, "/usr/share");
   policy->AddTree(rdonly, "/usr/local/share");
@@ -548,7 +552,7 @@
     {
       // If $XDG_CONFIG_HOME is set, we need to account for it.
       // FIXME: Bug 1722272: Maybe this should just be handled with
-      // GetSpecialSystemDirectory(Unix_XDG_ConfigHome) ?
+      // GetSpecialSystemDirectory(UNIx_XDG_ConfigHome) ?
       nsCOMPtr<nsIFile> confDirOrXDGConfigHomeDir;
       if (!xdgConfigHome.IsEmpty()) {
         rv = NS_NewNativeLocalFile(xdgConfigHome,
@@ -907,8 +911,9 @@
   policy->AddTree(rdonly, "/usr/lib");
   policy->AddTree(rdonly, "/usr/lib32");
   policy->AddTree(rdonly, "/usr/lib64");
-  policy->AddTree(rdonly, "/run/opengl-driver/lib");
-  policy->AddTree(rdonly, "/nix/store");
+  policy->AddTree(rdonly, "/usr/X11/lib");
+  policy->AddTree(rdonly, "/usr/X11/lib32");
+  policy->AddTree(rdonly, "/usr/X11/lib64");
 
   // Bug 1647957: memory reporting.
   AddMemoryReporting(policy.get(), aPid);
@@ -986,6 +991,9 @@
   policy->AddTree(rdonly, "/usr/lib");
   policy->AddTree(rdonly, "/usr/lib32");
   policy->AddTree(rdonly, "/usr/lib64");
+  policy->AddTree(rdonly, "/usr/X11/lib");
+  policy->AddTree(rdonly, "/usr/X11/lib32");
+  policy->AddTree(rdonly, "/usr/X11/lib64");
   policy->AddTree(rdonly, "/usr/share");
   policy->AddTree(rdonly, "/usr/local/share");
   policy->AddTree(rdonly, "/etc");
@@ -1040,12 +1048,12 @@
   policy->AddTree(rdonly, "/usr/lib");
   policy->AddTree(rdonly, "/usr/lib32");
   policy->AddTree(rdonly, "/usr/lib64");
+  policy->AddTree(rdonly, "/usr/X11/lib");
+  policy->AddTree(rdonly, "/usr/X11/lib32");
+  policy->AddTree(rdonly, "/usr/X11/lib64");
   policy->AddTree(rdonly, "/usr/share");
   policy->AddTree(rdonly, "/usr/local/share");
   policy->AddTree(rdonly, "/etc");
-  // Required to make sure ffmpeg loads properly, this is already existing on
-  // Content and RDD
-  policy->AddTree(rdonly, "/nix/store");
 
   // glibc will try to stat64("/") while populating nsswitch database
   // https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396