Share /gnu/store in the BubbleWrap container and remove FHS mounts. Also share user profile directory. This is a Guix-specific patch not meant to be upstreamed.
diff --git a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
index 99395d6..3604730 100644
--- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
@@ -765,1 +765,1 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
 return adoptGRef(g_subprocess_launcher_spawnv(launcher, argv, error));
 const char* runDir = g_get_user_runtime_dir();
+ const char* homeDir = g_get_home_dir();
+ char* profileDir = g_strconcat(homeDir, "/.guix-profile", NULL);
 Vector sandboxArgs = {
 "--die-with-parent",
 "--unshare-uts",
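Review bot: `profileDir` is allocated by `g_strconcat()`, so it has to be released with `g_free()`, not the plain `free()` that the second hunk adds after the initializer; the two only coincide while GLib happens to use the system allocator. The WebKit idiom here is an owning smart pointer so the release happens on every exit path without a manual call: `GUniquePtr<char> profileDir(g_strconcat(homeDir, "/.guix-profile", NULL));` with `profileDir.get()` at the bind site, which also removes the `free(profileDir)` line from the second hunk. As I recall, `g_get_home_dir()` follows the `HOME` variable of the launching environment, so the profile path bound into the sandbox is whatever that resolves to at spawn time; a short comment on the `homeDir` line saying the profile is located via the launcher's `HOME` would make that visible to the next reader. The body of bubblewrapSpawn continues outside this hunk.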
@@ -786,28 +788,24 @@ GRefPtr bubblewrapSpawn(GSubprocessLauncher* launcher, const Proces
 "--ro-bind", "/sys/dev", "/sys/dev",
 "--ro-bind", "/sys/devices", "/sys/devices",
- "--ro-bind-try", "/usr/share", "/usr/share",
- "--ro-bind-try", "/usr/local/share", "/usr/local/share",
 "--ro-bind-try", DATADIR, DATADIR,
-
- // We only grant access to the libdirs webkit is built with and
- // guess system libdirs. This will always have some edge cases.
- "--ro-bind-try", "/lib", "/lib",
- "--ro-bind-try", "/usr/lib", "/usr/lib",
- "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
 "--ro-bind-try", LIBDIR, LIBDIR,
-#if CPU(ADDRESS64)
- "--ro-bind-try", "/lib64", "/lib64",
- "--ro-bind-try", "/usr/lib64", "/usr/lib64",
- "--ro-bind-try", "/usr/local/lib64", "/usr/local/lib64",
-#else
- "--ro-bind-try", "/lib32", "/lib32",
- "--ro-bind-try", "/usr/lib32", "/usr/lib32",
- "--ro-bind-try", "/usr/local/lib32", "/usr/local/lib32",
-#endif
- "--ro-bind-try", PKGLIBEXECDIR, PKGLIBEXECDIR,
+
+ // Bind mount the store inside the WebKitGTK sandbox.
+ "--ro-bind", "@storedir@", "@storedir@",
+
+ // Bind mount the guix profile directory
+ "--ro-bind", profileDir, profileDir,
+
+ // This is needed for locales if not in profile
+ "--ro-bind-try", "@localedir@", "@localedir@",
+
+ // This is needed for video hardware acceleration (va-api)
+ // via /lib/dri if not in profile
+ "--ro-bind-try", "@dridir@", "@dridir@",
 };
+ free(profileDir);
 if (enableDebugPermissions()) {
 const char* dataDir = g_get_user_data_dir();
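Review bot: The user profile is bound with `--ro-bind` rather than `--ro-bind-try`, so when `~/.guix-profile` does not exist for the account running the browser (nothing installed into the default profile yet), bwrap reports a missing source and the web process fails to launch instead of starting without that mount. The profile is an optional convenience next to the mandatory `@storedir@` bind, so `"--ro-bind-try", profileDir, profileDir,` looks like the safer choice and matches the `@localedir@` and `@dridir@` entries just below it. Binding all of `@storedir@` is also much broader than the per-libdir mounts it replaces; the store is world-readable on the host, so this does not widen what the process can read, but it does put every installed program in reach of a compromised web process, and the comment on that line would benefit from saying so, e.g. `// Bind mount the (world-readable, read-only) store; this exposes every store item, not just WebKit's own dependencies.` The enclosing function starts and ends outside this hunk.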