fix: add macOS DNS redirect preload for MITM

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
2026-02-18 13:22:59 -09:00
parent 7982aebcd7
commit 511c486a5e
2 changed files with 25 additions and 12 deletions
--- a/src/standalone/mod.rs
+++ b/src/standalone/mod.rs
@@ -65,12 +65,12 @@ pub fn discover_main_ls_config() -> Result<MainLSConfig, String> {
    discovery::discover_main_ls_config()
 }

-/// Build the dns_redirect.so preload library if it doesn't already exist.
+/// Build the dns_redirect preload library if it doesn't already exist.
 ///
-/// Linux only — hooks `getaddrinfo()` via LD_PRELOAD to redirect Google API
-/// domain lookups to 127.0.0.1.
+/// Linux/macOS — hooks `getaddrinfo()` via LD_PRELOAD/DYLD_INSERT_LIBRARIES
+/// to redirect Google API domain lookups to 127.0.0.1.
 ///
-/// Returns the path to the .so on success, None on failure.
+/// Returns the path to the shared library on success, None on failure.
 fn build_dns_redirect_so() -> Option<String> {
    if !platform::supports_ld_preload() {
        return None;
@@ -91,10 +91,15 @@ fn build_dns_redirect_so() -> Option<String> {
        return None;
    }

-    // Compile: gcc -shared -fPIC -o dns_redirect.so dns_redirect.c -ldl
-    let output = Command::new("gcc")
+    let output = if cfg!(target_os = "macos") {
+        Command::new("cc")
+            .args(["-dynamiclib", "-o", so_path.as_str(), &c_path])
+            .output()
+    } else {
+        Command::new("gcc")
            .args(["-shared", "-fPIC", "-o", so_path.as_str(), &c_path, "-ldl"])
-        .output();
+            .output()
+    };

    match output {
        Ok(out) if out.status.success() => {
--- a/src/standalone/spawn.rs
+++ b/src/standalone/spawn.rs
@@ -281,15 +281,23 @@ impl StandaloneLS {
                // even the CodeAssistClient which has Proxy:nil hardcoded.
                let so_path = build_dns_redirect_so();
                if let Some(ref so) = so_path {
-                    info!(path = %so, "Enabling LD_PRELOAD DNS redirect for headless MITM");
+                    info!(path = %so, "Enabling DNS redirect preload for headless MITM");
+                    #[cfg(target_os = "macos")]
+                    {
+                        env_vars.push(("DYLD_INSERT_LIBRARIES".into(), so.clone()));
+                        env_vars.push(("DYLD_FORCE_FLAT_NAMESPACE".into(), "1".into()));
+                    }
+                    #[cfg(not(target_os = "macos"))]
+                    {
                        env_vars.push(("LD_PRELOAD".into(), so.clone()));
+                    }
                    env_vars.push((
                        "DNS_REDIRECT_LOG".into(),
                        format!("{data_dir}/dns-redirect.log"),
                    ));
                    // Force Go binaries to use cgo (libc) DNS resolver instead of
-                    // the pure-Go resolver. Without this, LD_PRELOAD getaddrinfo()
-                    // hooks are bypassed because Go resolves DNS internally.
+                    // the pure-Go resolver. Without this, getaddrinfo hooks are
+                    // bypassed because Go resolves DNS internally.
                    env_vars.push(("GODEBUG".into(), "netdns=cgo".into()));
                }