From 2eff39803957010879d806dbb9b56876dadaa76f Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Sat, 4 Jan 2025 00:22:55 +0100
Subject: [PATCH] Beef up DNS resolution a little
Let's write a basic nsswitch.conf that makes use of libnss-resolve and bind mount the systemd-resolved socket into the sandbox if available.
---
mkosi/__init__.py | 23 +++++++++++++++++++
.../10-debian-kali-ubuntu/mkosi.conf | 2 ++
mkosi/run.py | 12 ++++++----
3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 2feaa3900..57eab634d 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1077,6 +1077,29 @@ def install_sandbox_trees(config: Config, dst: Path) -> None:
 Path(dst / "etc/resolv.conf").unlink(missing_ok=True)
 Path(dst / "etc/resolv.conf").touch()
+ if not (dst / "etc/nsswitch.conf").exists():
+ (dst / "etc/nsswitch.conf").write_text(
+ textwrap.dedent(
+ """\
+ passwd: files
+ shadow: files
+ group: files
+ hosts: files myhostname resolve [!UNAVAIL=return] dns
+ services: files
+ netgroup: files
+ automount: files
+
+ aliases: files
+ ethers: files
+ gshadow: files
+ networks: files dns
+ protocols: files
+ publickey: files
+ rpc: files
+ """
+ )
+ )
+ Path(dst / "etc/static").unlink(missing_ok=True)
 if (config.tools() / "etc/static").is_symlink():
 (dst / "etc/static").symlink_to((config.tools() / "etc/static").readlink())
diff --git a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf
index d9acff430..20428588e 100644
--- a/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf
+++ b/mkosi/resources/mkosi-tools/mkosi.conf.d/10-debian-kali-ubuntu/mkosi.conf
@@ -27,6 +27,8 @@ Packages=
 libcryptsetup12
 libseccomp2
 libtss2-dev
+ libnss-resolve
+ libnss-myhostname
 makepkg
 openssh-client
 ovmf
diff --git a/mkosi/run.py b/mkosi/run.py
index afa21f35b..f43d7f586 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
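Review bot: The `hosts:` entry's `[!UNAVAIL=return]` action is the one non-obvious line in the generated nsswitch.conf and deserves a comment above the `write_text(` call, e.g. `# Stop at libnss-resolve's answer, found or not; fall through to plain dns (the bind-mounted host resolv.conf) only when resolved is not reachable.` The `if not ...exists()` guard means a tools or sandbox tree that already ships an nsswitch.conf keeps it, so whether the bind-mounted /run/systemd/resolve is ever consulted then depends on that file's own `hosts:` line; if that is deliberate, a one-line comment saying so saves the next reader a trip through the git log. `write_text()` without `encoding=` falls back to the host locale's encoding, harmless for this ASCII content but worth `encoding="utf-8"` for consistency. The rest of install_sandbox_trees lies outside the hunk.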
@@ -609,8 +609,10 @@ def sandbox_cmd(
 else:
 cmdline += ["--dev", "/dev"]
- if network and Path("/etc/resolv.conf").exists():
- cmdline += ["--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]
+ if network:
+ for p in (Path("/etc/resolv.conf"), Path("/run/systemd/resolve")):
+ if p.exists():
+ cmdline += ["--ro-bind", p, p]
 home = None
@@ -734,8 +736,10 @@ def chroot_cmd(
 *chroot_options(),
 ] # fmt: skip
- if network and Path("/etc/resolv.conf").exists():
- cmdline += ["--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]
+ if network:
+ for p in (Path("/etc/resolv.conf"), Path("/run/systemd/resolve")):
+ if p.exists():
+ cmdline += ["--ro-bind", p, p]
 with vartmpdir() as dir:
 yield [*cmdline, "--bind", dir, "/var/tmp", *options]
--
2.47.2
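Review bot: The new bind loop is duplicated verbatim in sandbox_cmd and in the chroot_cmd hunk below; a small helper shared by both keeps the list of host name-resolution paths in one place and is also where the rationale belongs. That rationale is worth recording: as far as I can tell a read-only bind of /run/systemd/resolve still lets processes in the sandbox connect to the varlink socket inside it, which is exactly what libnss-resolve needs, so `--ro-bind` does not reduce this to a pure file-read exposure and a reader should not assume it does. `Path.exists()` follows symlinks, so a host /etc/resolv.conf that is a dangling link is skipped and the sandbox keeps its empty resolv.conf, matching the previous behavior. Both sandbox_cmd and chroot_cmd continue outside their hunks.
```python
def resolve_bind_options() -> list[PathString]:
    """Return the --ro-bind options that expose the host's name resolution to a sandbox.

    /etc/resolv.conf and the systemd-resolved runtime directory (stub resolv.conf
    plus the varlink socket libnss-resolve talks to) are bound when present on the
    host; a read-only bind still allows connecting to that socket. Path.exists()
    follows symlinks, so a dangling /etc/resolv.conf is skipped.
    """
    options: list[PathString] = []
    for p in (Path("/etc/resolv.conf"), Path("/run/systemd/resolve")):
        if p.exists():
            options += ["--ro-bind", p, p]
    return options


# … unchanged: sandbox_cmd body up to the --dev handling …
    if network:
        cmdline += resolve_bind_options()
# … same two-line replacement in chroot_cmd …
```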