aboutsummaryrefslogtreecommitdiff
path: root/src/libmain/shared.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/libmain/shared.cc')
-rw-r--r--src/libmain/shared.cc30
1 files changed, 30 insertions, 0 deletions
diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc
index 3a9529c4d..85f9f0d58 100644
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -15,6 +15,9 @@
#include <sys/stat.h>
#include <unistd.h>
#include <signal.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
#include <openssl/crypto.h>
@@ -110,6 +113,31 @@ static void opensslLockCallback(int mode, int type, const char * file, int line)
}
#endif
+static std::once_flag dns_resolve_flag;
+
+static void preloadNSS() {
+ /* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
+ one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
+ been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
+ load its lookup libraries in the parent before any child gets a chance to. */
+ std::call_once(dns_resolve_flag, []() {
+ struct addrinfo *res = NULL;
+
+ /* nss will only force the "local" (not through nscd) dns resolution if its on the LOCALDOMAIN.
+ We need the resolution to be done locally, as nscd socket will not be accessible in the
+ sandbox. */
+ char * previous_env = getenv("LOCALDOMAIN");
+ setenv("LOCALDOMAIN", "invalid", 1);
+ if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) == 0) {
+ if (res) freeaddrinfo(res);
+ }
+ if (previous_env) {
+ setenv("LOCALDOMAIN", previous_env, 1);
+ } else {
+ unsetenv("LOCALDOMAIN");
+ }
+ });
+}
static void sigHandler(int signo) { }
@@ -176,6 +204,8 @@ void initNix()
if (hasPrefix(getEnv("TMPDIR").value_or("/tmp"), "/var/folders/"))
unsetenv("TMPDIR");
#endif
+
+ preloadNSS();
}