From d1da45855c0f7d71bb13928f8028937d3fa062d9 Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Wed, 13 Oct 2021 17:10:35 +0000 Subject: [PATCH 1/5] preloadNSS: Drop the dns query workaround We can actually just load nss ourselves and call in nss to configure it and we don't need to run a dummy query entirely to have nss load nss_dns as a side-effect. Signed-off-by: Arthur Gautier --- src/libmain/shared.cc | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index 85f9f0d58..93775bed1 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -15,9 +15,9 @@ #include #include #include -#include -#include -#include +#include +#include +#include #include @@ -121,21 +121,8 @@ static void preloadNSS() { been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to load its lookup libraries in the parent before any child gets a chance to. */ std::call_once(dns_resolve_flag, []() { - struct addrinfo *res = NULL; - - /* nss will only force the "local" (not through nscd) dns resolution if its on the LOCALDOMAIN. - We need the resolution to be done locally, as nscd socket will not be accessible in the - sandbox. */ - char * previous_env = getenv("LOCALDOMAIN"); - setenv("LOCALDOMAIN", "invalid", 1); - if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) == 0) { - if (res) freeaddrinfo(res); - } - if (previous_env) { - setenv("LOCALDOMAIN", previous_env, 1); - } else { - unsetenv("LOCALDOMAIN"); - } + dlopen (LIBNSS_DNS_SO, RTLD_NOW); + __nss_configure_lookup ("hosts", "dns"); }); } From 85717eff15fadd625014ed57de80f59304fa67db Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Thu, 14 Oct 2021 21:43:07 +0000 Subject: [PATCH 2/5] preloadNSS: detect glibc Signed-off-by: Arthur Gautier --- src/libmain/shared.cc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index 93775bed1..1fb2d62d3 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -15,9 +15,12 @@ #include #include #include +#include +#ifdef __GLIBC__ #include #include #include +#endif #include @@ -121,8 +124,10 @@ static void preloadNSS() { been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to load its lookup libraries in the parent before any child gets a chance to. */ std::call_once(dns_resolve_flag, []() { +#ifdef __GLIBC__ dlopen (LIBNSS_DNS_SO, RTLD_NOW); __nss_configure_lookup ("hosts", "dns"); +#endif }); } From ca8989daf36629ce47cf35d6e56f92d01f3172ec Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Thu, 14 Oct 2021 21:54:29 +0000 Subject: [PATCH 3/5] preloadNSS: warn if unable to open nss backend Signed-off-by: Arthur Gautier --- src/libmain/shared.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index 1fb2d62d3..da3bc3bb5 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -125,7 +125,9 @@ static void preloadNSS() { load its lookup libraries in the parent before any child gets a chance to. */ std::call_once(dns_resolve_flag, []() { #ifdef __GLIBC__ - dlopen (LIBNSS_DNS_SO, RTLD_NOW); + if (dlopen (LIBNSS_DNS_SO, RTLD_NOW) == NULL) { + printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend")); + } __nss_configure_lookup ("hosts", "dns"); #endif }); From c345a4a1e8ad2c5274b06a72337b91a6d11c7f8a Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Fri, 15 Oct 2021 07:33:49 +0000 Subject: [PATCH 4/5] fixup macos build Signed-off-by: Arthur Gautier --- src/libmain/shared.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index da3bc3bb5..5eb7871f3 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -15,7 +15,9 @@ #include #include #include +#ifdef __linux__ #include +#endif #ifdef __GLIBC__ #include #include From fa4abe46e2cedfacc90c82177671a3000b229f28 Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Sat, 16 Oct 2021 01:39:14 +0000 Subject: [PATCH 5/5] preloadNSS: document the preload mechanism Signed-off-by: Arthur Gautier --- src/libmain/shared.cc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc index 5eb7871f3..b6bfea8cb 100644 --- a/src/libmain/shared.cc +++ b/src/libmain/shared.cc @@ -127,6 +127,24 @@ static void preloadNSS() { load its lookup libraries in the parent before any child gets a chance to. */ std::call_once(dns_resolve_flag, []() { #ifdef __GLIBC__ + /* On linux, glibc will run every lookup through the nss layer. + * That means every lookup goes, by default, through nscd, which acts as a local + * cache. + * Because we run builds in a sandbox, we also remove access to nscd otherwise + * lookups would leak into the sandbox. + * + * But now we have a new problem, we need to make sure the nss_dns backend that + * does the dns lookups when nscd is not available is loaded or available. + * + * We can't make it available without leaking nix's environment, so instead we'll + * load the backend, and configure nss so it does not try to run dns lookups + * through nscd. + * + * This is technically only used for builtins:fetch* functions so we only care + * about dns. + * + * All other platforms are unaffected. + */ if (dlopen (LIBNSS_DNS_SO, RTLD_NOW) == NULL) { printMsg(Verbosity::lvlWarn, fmt("Unable to load nss_dns backend")); }