internal/outcome: attempt nscd path-hiding if present

This avoids creating the mount point on musl setups which accomplishes nothing and can run into permission problems.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/outcome/spcontainer.go

@@ -18,13 +18,12 @@ import (
 	"hakurei.app/hst"
 	"hakurei.app/internal/acl"
 	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/env"
 	"hakurei.app/internal/system"
 	"hakurei.app/internal/validate"
 	"hakurei.app/message"
 )
 
-const varRunNscd = fhs.Var + "run/nscd"
-
 func init() { gob.Register(new(spParamsOp)) }
 
 // spParamsOp initialises unordered fields of [container.Params] and the
@@ -136,17 +135,23 @@ type spFilesystemOp struct {
 }
 
 func (s *spFilesystemOp) toSystem(state *outcomeStateSys) error {
-	/* retrieve paths and hide them if they're made available in the sandbox;
-
-	this feature tries to improve user experience of permissive defaults, and
-	to warn about issues in custom configuration; it is NOT a security feature
-	and should not be treated as such, ALWAYS be careful with what you bind */
+	// retrieve paths and hide them if they're made available in the sandbox
+	//
+	// this feature tries to improve user experience of permissive defaults, and
+	// to warn about issues in custom configuration; it is NOT a security feature
+	// and should not be treated as such, ALWAYS be careful with what you bind
 	hidePaths := []string{
 		state.sc.RuntimePath.String(),
 		state.sc.SharePath.String(),
+	}
 
-		// this causes emulated passwd database to be bypassed on some /etc/ setups
-		varRunNscd,
+	if state.Paths == nil || state.HasNscd {
+		hidePaths = append(hidePaths,
+			// this causes emulated passwd database to be bypassed on some /etc/
+			// setups, made optional to avoid needlessly creating it on
+			// non-glibc systems when invoking permissive defaults
+			env.VarRunNscd,
+		)
 	}
 
 	// dbus.Address does not go through syscallDispatcher