From 3d75d87bd3affc59e5d725f218b7cd4b3b38180b Mon Sep 17 00:00:00 2001
From: Arthur Gautier
Date: Tue, 7 Sep 2021 01:49:37 +0000
Subject: [PATCH] preloadNSS: fixup nss_dns load

Before this commit, the dns lookup in preloadNSS would still go through nscd. This did not have the effect of loading the nss_dns.so as expected (nss_dns.so being out of reach from within the sandbox). Should LOCALDOMAIN environment variable be defined, nss will completely avoid nscd and will do its dns resolution on its own. By temporarly setting LOCALDOMAIN variable before calling in NSS, we can force NSS to load the shared libraries as expected.

Signed-off-by: Arthur Gautier
---
 src/libstore/build.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index bf8914cc0..8e40d51a3 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1896,9 +1896,19 @@ static void preloadNSS() {
 std::call_once(dns_resolve_flag, []() {
 struct addrinfo *res = NULL;
- if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) != 0) {
+ /* nss will only force the "local" (not through nscd) dns resolution if its on the LOCALDOMAIN.
+ We need the resolution to be done locally, as nscd socket will not be accessible in the
+ sandbox. */
+ char * previous_env = getenv("LOCALDOMAIN");
+ setenv("LOCALDOMAIN", "invalid", 1);
+ if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) == 0) {
 if (res) freeaddrinfo(res);
 }
+ if (previous_env) {
+ setenv("LOCALDOMAIN", previous_env, 1);
+ } else {
+ unsetenv("LOCALDOMAIN");
+ }
 });
 }
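Review bot: `previous_env` returned by `getenv("LOCALDOMAIN")` points into the process environment, and POSIX allows the very next call, `setenv("LOCALDOMAIN", "invalid", 1)`, to invalidate or overwrite that string, so the restore in the new `if (previous_env)` branch may read stale or freed memory whenever the variable was already set. Copy the value before overriding it, e.g. `std::optional<std::string> previous_env; if (const char * p = getenv("LOCALDOMAIN")) previous_env = p;` and restore with `setenv("LOCALDOMAIN", previous_env->c_str(), 1);` (keeping the `unsetenv` branch for the unset case so an empty value is not confused with an absent one). The override is also process-wide and `getenv`/`setenv` are not thread-safe, so any other thread resolving names while this lambda runs could see `LOCALDOMAIN=invalid` or race on the environment; if `preloadNSS` is meant to run before any threads exist, a comment saying so on the call_once would make that precondition visible. The `preloadNSS` signature and the comment above `std::call_once` are outside the hunk.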