From 7a83354cbd3787970d90603720876eb87b48f435 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sun, 5 Oct 2025 20:34:17 +0900
Subject: [PATCH] internal/app: check nscd socket for path hiding

This can seriously break things, and exposes extra host attack surface, so include it here.

Signed-off-by: Ophestra
---
 internal/app/app_test.go | 4 ++++
 internal/app/spcontainer.go | 12 ++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/internal/app/app_test.go b/internal/app/app_test.go
index 57d81ef..0c54502 100644
--- a/internal/app/app_test.go
+++ b/internal/app/app_test.go
@@ -73,6 +73,7 @@ func TestApp(t *testing.T) {
 Readonly(m("/var/run/nscd"), 0755).
 Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
 Tmpfs(m("/run/user/1971"), 8192, 0755).
+ Tmpfs(m("/run/nscd"), 8192, 0755).
 Tmpfs(m("/run/dbus"), 8192, 0755).
 Remount(m("/dev/"), syscall.MS_RDONLY).
 Tmpfs(m("/run/user/"), 4096, 0755).
@@ -209,6 +210,7 @@ func TestApp(t *testing.T) {
 Readonly(m("/var/run/nscd"), 0755).
 Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
 Tmpfs(m("/run/user/1971"), 8192, 0755).
+ Tmpfs(m("/run/nscd"), 8192, 0755).
 Tmpfs(m("/run/dbus"), 8192, 0755).
 Remount(m("/dev/"), syscall.MS_RDONLY).
 Tmpfs(m("/run/user/"), 4096, 0755).
@@ -552,6 +554,8 @@ func (k *stubNixOS) tempdir() string { return "/tmp/" }
 func (k *stubNixOS) evalSymlinks(path string) (string, error) {
 switch path {
+ case "/var/run/nscd":
+ return "/run/nscd", nil
 case "/run/user/1971":
 return "/run/user/1971", nil
 case "/tmp/hakurei.0":
diff --git a/internal/app/spcontainer.go b/internal/app/spcontainer.go
index ee18cec..cb5d938 100644
--- a/internal/app/spcontainer.go
+++ b/internal/app/spcontainer.go
@@ -13,6 +13,8 @@ import (
 "hakurei.app/system/dbus"
 )
+const varRunNscd = container.FHSVar + "run/nscd"
+
 // spParamsOp initialises unordered fields of [container.Params] and the optional root filesystem.
 // This outcomeOp is hardcoded to always run first.
 type spParamsOp struct {
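Review bot: varRunNscd is added in the spcontainer.go import hunk without a doc comment, so a reader has to find the hidePaths entry to learn why the nscd directory (not the socket file) is listed; suggest `// varRunNscd is the nscd socket directory; it is added to the hidden paths so name-service lookups inside the container do not reach the host nscd.` The value also presumably relies on container.FHSVar ending in a slash, which is not visible here, and the constant is the place to say so. The app_test.go hunks only exercise the case where the stub resolves /var/run/nscd to /run/nscd; whether an absent or unresolvable path is tolerated is decided by code outside these hunks and has no test case in this commit.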
@@ -121,8 +123,14 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys, _ *hst.Config) error {
 this feature tries to improve user experience of permissive defaults, and to warn about issues in custom configuration; it is NOT a security feature and should not be treated as such, ALWAYS be careful with what you bind */
- var hidePaths []string
- hidePaths = append(hidePaths, state.sc.RuntimePath.String(), state.sc.SharePath.String())
+ hidePaths := []string{
+ state.sc.RuntimePath.String(),
+ state.sc.SharePath.String(),
+
+ // this causes emulated passwd database to be bypassed on some /etc/ setups
+ varRunNscd,
+ }
+
 _, systemBusAddr := dbus.Address()
 if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
 return &hst.AppError{Step: "parse dbus address", Err: err}
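Review bot: The comment above the varRunNscd entry reads as though hiding the path is what bypasses the passwd database, whereas (going by the commit message) it is the host nscd socket being reachable that lets lookups skip the emulated /etc/ database; suggest `// host nscd socket directory: when reachable it makes name-service lookups bypass the emulated passwd database on some /etc/ setups`. Since the preceding comment states that path hiding is not a security feature, the entry is also worth one sentence on what is expected when the path is absent or fails to resolve on the host, as that handling lives outside this hunk. toSystem continues outside the hunk.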