guix-devel

Guix driver paths for icecat RDD sandbox


From: Jelle Licht
Subject: Guix driver paths for icecat RDD sandbox
Date: Sun, 15 Jan 2023 16:37:42 +0100

Hi guix,

I was playing around trying to get hardware enabled video decoding
working in icecat and/or firefox in guix, and found out that the fine
folks working on Nix have already gotten a patch upstreamed that allows
stuff in /nix/store to be loaded[0]. (Grep around for '/nix/store' in
our icecat sources to see what I mean).

From what I can see, the RDD whitelist reads through symlinks, so the
actual target file needs to be whitelisted before the file is loaded in
the sandbox.

Without this (or a similar fix), we'd need a custom package per possible
value of LIBVA_DRIVERS_PATH, as loadable libraries for hardware
acceleration do not seem directly configurable via
'browser/app/profile/icecat.js' at runtime. I may be wrong here, but
this seems to also imply that a recompilation of icecat would be
required as well every time one of these 'inputs' changes :/.

OTOH, it would have some drawbacks:
- It hardcodes /gnu/store, instead of $MY_MAGIC_STORE_LOCATION
- It allows loading of pretty much anything in the store by the
sandboxed process.

The second drawback seems pretty iffy, but the current suggested
workaround is to disable the sandbox entirely.

So that leaves us with 2 questions:

1. Do we want to apply a patch to whitelist '/gnu/store'?
2. If so, would we want to also send this patch upstream firefox? They
seem open to accepting it.

I've opened an upstream issue for a similar treatment of /gnu/store,
which may also simplify the 'build-sandbox-whitelist' phase of our
icecat package[1] if accepted. I'm not entirely sure if that is
ultimately a good thing yet though.

Happy to hear any thoughts on this subject.

- Jelle

[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=1761692
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1808408
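
As an added illustration of the symlink point raised in the message above (example code, not from the post, icecat or Guix): the check resolves every driver in a LIBVA_DRIVERS_PATH-style directory and tests whether its real target falls under a whitelisted store prefix, which is what a whitelist that reads through symlinks effectively enforces. The store layout, driver names and profile directory are constructed placeholders built in a temporary directory.

```python
import os
import tempfile


def is_whitelisted(path, prefixes):
    """True if the resolved path (symlinks followed) lies under a whitelisted prefix.
    This mirrors the behaviour described in the post: the sandbox whitelist is
    checked against the symlink target, so whitelisting the symlink alone is not enough."""
    real = os.path.realpath(path)
    return any(real.startswith(p) for p in prefixes)


def audit_driver_dir(driver_dir, prefixes):
    """For each shared object in a LIBVA_DRIVERS_PATH-style directory, report the
    resolved target and whether a sandbox whitelist of `prefixes` would allow it."""
    report = {}
    for name in sorted(os.listdir(driver_dir)):
        if name.endswith(".so"):
            path = os.path.join(driver_dir, name)
            report[name] = (os.path.realpath(path), is_whitelisted(path, prefixes))
    return report


def build_fixture(root):
    """Constructed layout under `root`: a fake store, a profile of symlinks into it,
    and one driver symlinked from outside the store. Names are placeholders."""
    store = os.path.join(root, "gnu", "store")
    in_store = os.path.join(store, "xxxx-fake-va-driver", "lib", "dri", "fake_drv_video.so")
    outside = os.path.join(root, "usr", "lib", "dri", "other_drv_video.so")
    profile = os.path.join(root, "profile", "lib", "dri")
    for f in (in_store, outside):
        os.makedirs(os.path.dirname(f), exist_ok=True)
        open(f, "wb").close()
    os.makedirs(profile)
    os.symlink(in_store, os.path.join(profile, "fake_drv_video.so"))
    os.symlink(outside, os.path.join(profile, "other_drv_video.so"))
    return store, profile


def demo():
    """Run the audit on the constructed fixture with only the fake store whitelisted."""
    root = os.path.realpath(tempfile.mkdtemp())  # realpath: tmp dirs may themselves be symlinks
    store, profile = build_fixture(root)
    return audit_driver_dir(profile, prefixes=(store + os.sep,))


if __name__ == "__main__":
    for name, (target, ok) in demo().items():
        print(f"{'allowed' if ok else 'BLOCKED'}  {name} -> {target}")
```

Only the driver whose real target lives inside the store passes; the symlink sitting in the profile directory is irrelevant to the decision.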