
Commit fbe3eed

committed
setns init: do explicit lookup of execve argument early
(This is a partial backport of a minor change included in commit dac4171.) This mirrors the logic in standard_init_linux.go, and also ensures that we do not call exec.LookPath in the final execve step. While this is okay for regular binaries, it seems exec.LookPath calls os.Getenv which tries to emit a log entry to the test harness when running in "go test" mode. In a future patch (in order to fix CVE-2024-21626), we will close all of the file descriptors immediately before execve, which would mean the file descriptor for test harness logging would be closed at execve time. So, moving exec.LookPath earlier is necessary. Ref: dac4171 ("runc-dmz: reduce memfd binary cloning cost with small C binary") Signed-off-by: Aleksa Sarai <[email protected]>
1 parent 0994249 commit fbe3eed


1 file changed

+17
-1
lines changed


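--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "fmt"
 "os"
+"os/exec"
 "strconv"
 
 "github.com/opencontainers/selinux/go-selinux"
@@ -82,6 +83,21 @@ func (l *linuxSetnsInit) Init() error {
 if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
 return err
 }
+
+// Check for the arg before waiting to make sure it exists and it is
+// returned as a create time error.
+name, err := exec.LookPath(l.config.Args[0])
+if err != nil {
+return err
+}
+// exec.LookPath in Go < 1.20 might return no error for an executable
+// residing on a file system mounted with noexec flag, so perform this
+// extra check now while we can still return a proper error.
+// TODO: remove this once go < 1.20 is not supported.
+if err := eaccess(name); err != nil {
+return &os.PathError{Op: "eaccess", Path: name, Err: err}
+}
+
 // Set seccomp as close to execve as possible, so as few syscalls take
 // place afterward (reducing the amount of syscalls that users need to
 // enable in their seccomp profiles).
@@ -101,5 +117,5 @@ func (l *linuxSetnsInit) Init() error {
 return &os.PathError{Op: "close log pipe", Path: "fd " + strconv.Itoa(l.logFd), Err: err}
 }
 
-return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
+return system.Exec(name, l.config.Args[0:], os.Environ())
 }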
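Review bot: The comment added at new lines 87-88 is carried over from standard_init_linux.go and talks about "waiting" and a "create time error", neither of which corresponds to anything visible in this file's hunks; the property that matters here is ordering, and the comment does not state it. Per the commit message, the lookup must stay above the point where file descriptors will be closed before the final `system.Exec`, and it now also sits above the seccomp setup that follows, so the path-resolution syscalls made by `exec.LookPath` and `eaccess` presumably no longer run under the container's profile. I would reword it along the lines of `// Resolve Args[0] now: this must stay before seccomp is applied and before any fds are closed, so a missing or non-executable binary is a normal error and the final exec does no PATH lookup.` Init() begins above the second hunk, so whether a wait exists earlier in the function cannot be confirmed from here.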
