libcontainer/configs/config: Clear hook environ variables on empty Env
The runtime spec has [1]:

  * env (array of strings, OPTIONAL) with the same semantics as IEEE
    Std 1003.1-2008's environ.

And running execle or similar with NULL env results in an empty
environment:

  $ cat test.c
  #include <unistd.h>

  int main()
  {
    return execle("/usr/bin/env", "env", NULL, NULL);
  }
  $ cc -o test test.c
  $ ./test
  ...no output...

Go's Cmd.Env, on the other hand, has [2]:

  If Env is nil, the new process uses the current process's
  environment.

This commit works around that by setting Env to an empty slice in
those cases to avoid leaking the runtime environment into the hooks.

[1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
[2]: https://golang.org/pkg/os/exec/#Cmd

Signed-off-by: W. Trevor King <wking@tremily.us>
(cherry picked from commit c11bd33)
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
wking authored and lifubang committed Dec 11, 2024
1 parent 4cb480d commit 8fff44d
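
The difference the commit message describes, as an added example (not code from runc or from this commit): it asks os/exec what environment a hook would receive with a nil Env, with the nil-to-empty-slice step applied, and with an explicit Env. The names effectiveEnv, leaks, RUNTIME_SECRET and HOOK_MODE are hypothetical, and Cmd.Environ needs Go 1.19 or later.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// effectiveEnv reports the environment os/exec would give a hook whose
// configured env is specEnv. With normalize set, it applies the same
// nil-to-empty-slice step as the commit before asking os/exec.
func effectiveEnv(specEnv []string, normalize bool) []string {
	// Path is never executed; Environ only computes the environment.
	cmd := exec.Cmd{Path: "/bin/true", Args: []string{"true"}, Env: specEnv}
	if normalize && cmd.Env == nil {
		cmd.Env = []string{}
	}
	return cmd.Environ()
}

// leaks reports whether env carries a variable called name.
func leaks(env []string, name string) bool {
	for _, kv := range env {
		if strings.HasPrefix(kv, name+"=") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed stand-in for a credential held by the runtime process.
	os.Setenv("RUNTIME_SECRET", "constructed-sample-value")

	cases := []struct {
		label string
		env   []string
		fix   bool
	}{
		{"nil Env, no fix", nil, false},
		{"nil Env, with fix", nil, true},
		{"explicit Env, with fix", []string{"HOOK_MODE=prestart"}, true},
	}
	for _, c := range cases {
		env := effectiveEnv(c.env, c.fix)
		fmt.Printf("%-24s vars=%d secret visible=%v\n",
			c.label, len(env), leaks(env, "RUNTIME_SECRET"))
	}
}
```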
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions libcontainer/configs/config.go
Expand Up @@ -480,6 +480,9 @@ func (c Command) Run(s *specs.State) error {
Stdout: &stdout,
Stderr: &stderr,
}
if cmd.Env == nil {
cmd.Env = []string{}
}
if err := cmd.Start(); err != nil {
return err
}
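
Review bot: the added check on cmd.Env == nil carries no comment, and because nil and empty slices are usually interchangeable in Go it reads like dead code that a later cleanup could drop. Add a short comment above it stating that os/exec inherits the current process's environment when Env is nil, so the empty slice is what keeps the runtime's environment out of the hook. The commit also changes only config.go; a regression test that runs a hook with no env and asserts the hook sees an empty environment would keep the behaviour from regressing.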