fix(ie-sandbox): add missing landlock rules for DNS resolution #75

Add /etc/host.conf, /etc/gai.conf, /etc/ld.so.cache to landlock
whitelist for network profile. Add /usr/lib, /lib, /lib64 for read
access to glibc NSS modules (libnss_dns.so etc.) needed by
getaddrinfo().

This fixes DNS resolution in the sandboxed network child process.
External HTTPS connections still fail (tracked in #75) — use
--single-process as workaround.

Author: thomasnemer

crates/ie-sandbox/src/sandbox_linux.rs

@@ -73,11 +73,26 @@ fn apply_landlock(profile: SandboxProfile) -> Result<bool> {
                 }
             }
             // Allow read on DNS/network config files
-            for path in ["/etc/resolv.conf", "/etc/nsswitch.conf", "/etc/hosts"] {
+            for path in [
+                "/etc/resolv.conf",
+                "/etc/nsswitch.conf",
+                "/etc/hosts",
+                "/etc/gai.conf",
+                "/etc/host.conf",
+                "/etc/ld.so.cache",
+            ] {
                 if let Ok(fd) = PathFd::new(path) {
                     rs = rs.add_rule(PathBeneath::new(fd, AccessFs::from_read(abi)))?;
                 }
             }
+            // Allow read on system libraries (glibc NSS modules for DNS resolution)
+            for path in ["/usr/lib", "/lib", "/lib64"] {
+                if std::path::Path::new(path).exists()
+                    && let Ok(fd) = PathFd::new(path)
+                {
+                    rs = rs.add_rule(PathBeneath::new(fd, AccessFs::from_read(abi)))?;
+                }
+            }
             rs
         }
         SandboxProfile::Renderer => {