ICU version 73 (bug 1824744) has [a change to call realpath][icu-2323]
rather than just readlink on `/etc/localtime`, meaning that it needs to
be able to readlink every directory involved in path resolution. In
particular, for a symlink into `/usr/share/zoneinfo`, this includes
`/usr`, which is blocked by the content sandbox policy.

Currently, the file broker requires `MAY_READ` permission to allow
readlink, so we grant that on `/usr` and `/nix` (there will be a
similar issue with symlinks to `/nix/store/...`). Note that this
applies only to those directories themselves, not files within them.

This also means that the process can open those directories for reading
(i.e., readdir), but that should be relatively low-impact compared to
the information that's already exposed.

[icu-2323]: https://github.com/unicode-org/icu/pull/2323

Differential Revision: https://phabricator.services.mozilla.com/D186584
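
The behaviour this commit message describes, as an added illustration (not code from ICU, glibc or the Firefox sandbox): a simplified realpath-style resolver that records every path it calls readlink on, which is the set of paths a broker policy has to permit for resolution to succeed. The function name `readlink_probes` and the link limit of 40 are assumptions of this sketch.

```python
import errno
import os

def readlink_probes(path, max_links=40):
    """Resolve an absolute path component by component.

    Returns (resolved, probes); probes is every path readlink() was called on.
    """
    if not os.path.isabs(path):
        raise ValueError("path must be absolute")
    resolved, probes, links = "/", [], 0
    pending = [c for c in path.split("/") if c]
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            resolved = os.path.dirname(resolved)
            continue
        candidate = os.path.join(resolved, comp)
        probes.append(candidate)
        try:
            target = os.readlink(candidate)
        except OSError as exc:
            if exc.errno != errno.EINVAL:
                # ENOENT, or EACCES from a sandbox policy: resolution fails here.
                raise
            resolved = candidate  # not a symlink, descend into it
            continue
        links += 1
        if links > max_links:
            raise OSError(errno.ELOOP, "too many symbolic links", path)
        if target.startswith("/"):
            resolved = "/"  # absolute target: restart from the root
        pending = [c for c in target.split("/") if c] + pending
    return resolved, probes

if __name__ == "__main__":
    try:
        resolved, probes = readlink_probes("/etc/localtime")
    except OSError as exc:
        print("resolution failed:", exc)
    else:
        print("resolved:", resolved)
        for p in probes:
            print("readlink:", p)
```

On a system where `/etc/localtime` points into `/usr/share/zoneinfo`, the printed probe list includes `/usr` itself, so a policy that denies readlink there makes the whole resolution fail.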