I don't know that it's enough, unfortunately. When I wrote that code (quite angrily, as you can see from the comments), I seem to remember that it was not enough and Goupile would crash when making an SMTP call later on. Because it would finally try to resolve a real domain (the SMTP server) and load some new NSS stuff, and get killed by the kernel for violating the seccomp filters or at the very least, not find the NSS module it wanted.

I was recently able to remove all of this NSS preload workaround with the use of the c-ares DNS resolver instead. It worked well... except that for some reason, inside Landlock sometimes it would fail to resolve correctly, and I was not able to find out why. I plan to fix this and go back to c-ares eventually.

In the meantime, using localhost or a fake domain would be okay if can we prove that it does not crash later when some other NSS shared library has to be loaded.

I think e2e tests are the only way to ensure we catch anything.

I have a very basic playwright test I wrote for nixpkgs which goes through filling a single entry as a non-root user and exports it and checks the contents still match.

I am still debugging it, but will share here once I fix some issue.

That would certainly be nice to have ++ :)