From a316b10dab79d9298b02c7930958ed52e0ccf4e4 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Thu, 25 Jul 2019 15:24:39 +0100
Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.

See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

Signed-off-by: Justin Cormack
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass
---
 pkg/chrootarchive/archive.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/chrootarchive/archive.go b/pkg/chrootarchive/archive.go
index 6ff61e6a76..83ed0c6b2f 100644
--- a/pkg/chrootarchive/archive.go
+++ b/pkg/chrootarchive/archive.go
@@ -4,13 +4,22 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"net"
 	"os"
+	"os/user"
 	"path/filepath"
 
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/idtools"
 )
 
+func init() {
+	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
+	// environment not in the chroot from untrusted files.
+	_, _ = user.Lookup("docker")
+	_, _ = net.LookupHost("localhost")
+}
+
 // NewArchiver returns a new Archiver which uses chrootarchive.Untar
 func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
 	if idMapping == nil {
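Review bot: The new init() only achieves its stated goal when the binary is built with cgo — under CGO_ENABLED=0 or the netgo/osusergo build tags, user.Lookup and net.LookupHost take the pure-Go paths and no glibc NSS module is dlopen'd, so the hardening silently becomes a no-op; the comment should record that assumption, e.g. `// Effective only in cgo builds: pure-Go os/user and net resolution never loads libnss_*.so.` Glibc also loads NSS modules lazily per database, so these two calls warm only the modules nsswitch.conf lists for passwd and hosts (and for hosts presumably only up to the service that answers "localhost"), which means a lookup of another kind performed after the chroot — a group lookup, say — could still load a module from the chroot if such a call path exists; that limit is worth a sentence in the comment. Since this init runs in every binary that imports pkg/chrootarchive, noting that the startup-time lookups are deliberate and their errors intentionally ignored would also help the next reader.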