From 130fc589fcfe2f99f99b567508a1ea3c6ab2eaca Mon Sep 17 00:00:00 2001 From: "W. Trevor King" <wking@tremily.us> Date: Fri, 23 Feb 2018 16:53:26 -0800 Subject: [PATCH] libcontainer/configs/config: Clear hook environ variables on empty Env The runtime spec has [1]: * env (array of strings, OPTIONAL) with the same semantics as IEEE Std 1003.1-2008's environ. And running execle or similar with NULL env results in an empty environent: $ cat test.c #include <unistd.h> int main() { return execle("/usr/bin/env", "env", NULL, NULL); } $ cc -o test test.c $ ./test ...no output... Go's Cmd.Env, on the other hand, has [2]: If Env is nil, the new process uses the current process's environment. This commit works around that by setting Env to an empty slice in those cases to avoid leaking the runtime environment into the hooks. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks [2]: https://golang.org/pkg/os/exec/#Cmd Signed-off-by: W. Trevor King <wking@tremily.us> (cherry picked from commit c11bd33e91843e4985af77fd1c77975a3d2daa8a) Signed-off-by: lfbzhm <lifubang@acmcoder.com> --- libcontainer/configs/config.go | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 22fe0f9b4c1..f416179217e 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -480,6 +480,9 @@ func (c Command) Run(s *specs.State) error {
 Stdout: &stdout,
 Stderr: &stderr,
 }
+ if cmd.Env == nil {
+ cmd.Env = []string{}
+ }
 if err := cmd.Start(); err != nil {
 return err
 }
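Review bot: The added `if cmd.Env == nil` block before `cmd.Start()` carries no comment, and without one it reads as a no-op that a later cleanup could remove, which would bring back the leak of the runtime's environment into hooks. I would put this above it: `// os/exec inherits our environment when Env is nil; the runtime spec gives a hook with no env an empty environ, so pass a non-nil empty slice.` The diffstat shows only config.go changing, so a regression test that runs a hook with a nil Env and asserts the child sees no variables would pin the behaviour. Hooks that relied on an inherited PATH or similar will presumably need to set env explicitly after this change, which is worth a changelog line. Run's body starts and ends outside the hunk.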