Use securejoin
Signed-off-by: Evan Phoenix <evan@phx.io>
evanphx committed Oct 3, 2022
1 parent 4932cf4 commit a3e87da
Showing 1 changed file with 13 additions and 5 deletions.
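--- a/libcontainer/cgroups/systemd/common.go
+++ b/libcontainer/cgroups/systemd/common.go
@@ -14,6 +14,7 @@ import (
 "time"
 
 systemdDbus "github.com/coreos/go-systemd/v22/dbus"
+securejoin "github.com/cyphar/filepath-securejoin"
 dbus "github.com/godbus/dbus/v5"
 "github.com/sirupsen/logrus"
 
@@ -293,11 +294,18 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
 // rules separately to systemd) we can safely skip entries that don't
 // have a corresponding path.
 if _, err := os.Stat(entry.Path); err != nil {
-// Also check /sys/dev so that we don't depend on /dev/{block,char} being populated.
-// (/dev/{block,char} is populated by udev, which isn't strictly required for systemd).
-// Ironically, this happens most easily when starting containerd within a runc created
-// container itself.
-if _, err := os.Stat("/sys" + entry.Path); err != nil {
+// Also check /sys/dev so that we don't depend on /dev/{block,char}
+// being populated. (/dev/{block,char} is populated by udev, which
+// isn't strictly required for systemd). Ironically, this happens most
+// easily when starting containerd within a runc created container
+// itself.
+testPath, err := securejoin.SecureJoin("/sys", entry.Path)
+if err != nil {
+logrus.Errorf("error joining entry path: %s", err)
+continue
+}
+
+if _, err := os.Stat(testPath); err != nil {
 logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err)
 continue
 }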
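Review bot: The error branch after `securejoin.SecureJoin("/sys", entry.Path)` logs the failure without naming the device entry that was dropped, so `error joining entry path: …` does not tell an operator which rule never reached systemd; `logrus.Errorf("error joining entry path %q: %s", entry.Path, err)` would carry the same detail the `skipping device` warning just below already gives. SecureJoin also confines the path rather than validating it: a `..` component in entry.Path is clamped to `/sys` instead of being rejected, and the later `os.Stat(testPath)` resolves symlinks again on its own, so the containment holds only as of the join. If entry.Path is expected to always have the `/dev/{block,char}/…` form, a short comment above the join saying so would make clear that the join is defence in depth and not the input check. generateDeviceProperties begins and ends outside this hunk, so how entry.Path is built is not visible here.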
