firefox: allow RDD sandbox access to gpu drivers

Firefox uses a sandboxing model that only allows access to paths that
were previously explicitly granted. We can only add granular permissions
to a specific sandbox by patching, because setting LD_LIBRARY_PATH would
affect all of them.

To use hardware decoding via VA-API with Firefox 98.0.2 one needs to
head to `about:config` and enable `media.ffmpeg.vaapi.enabled`.

Closes: #157061

1 files changed, 8 insertions, 0 deletions

diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
index 64cba1b52a60e..d4bdaaf7f1dc4 100644
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -165,6 +165,14 @@ buildStdenv.mkDerivation ({
   inherit src unpackPhase meta;
 
   patches = [
+    (fetchpatch {
+      # RDD Sandbox paths for NixOS, remove with Firefox>=100
+      # https://hg.mozilla.org/integration/autoland/rev/5ac6a69a01f47ca050d90704a9791b8224d30f14
+      # https://bugzilla.mozilla.org/show_bug.cgi?id=1761692
+      name = "mozbz-1761692-rdd-sandbox-paths.patch";
+      url = "https://hg.mozilla.org/integration/autoland/raw-rev/5ac6a69a01f47ca050d90704a9791b8224d30f14";
+      hash = "sha256-+NGRUxXA7HGvPaAwvDveqRsdXof5nBIc+l4hdf7cC/Y=";
+    })
   ]
   ++ lib.optional (lib.versionAtLeast version "86") ./env_var_for_system_dir-ff86.patch
   ++ lib.optional (lib.versionAtLeast version "90" && lib.versionOlder version "95") ./no-buildconfig-ffx90.patch