e75e549252
This change has two parts: 1. Provide our own local implementation of numeric-only getaddrinfo in auditdns.c used to audit for DNS leaks, rather than deferring to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton. To keep review and implementation simple, this is limited to AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we arrange to pass AI_NUMERICSERV in callers too. 2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo. (In principle this might also avoid other network leaks -- POSIX guarantees no name resolution service will be invoked, and gives NIS+ as an example.) One tiny semantic change to avoid tripping over the auditor: kadmin(8) now uses the string "749" rather than the string "kerberos-adm". (Currently we don't audit kadmin(8) for DNS leaks but let's avoid leaving a rake to step on.) Every other caller I found is already guaranteed to pass a numeric service rather than named service to getaddrinfo. fix https://github.com/heimdal/heimdal/issues/1212
80 KiB
80 KiB