Move SafeExec logic to utils package

Signed-off-by: Evan Lezar <elezar@nvidia.com>

cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go

@@ -1,57 +0,0 @@
-/**
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package ldcache
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-	"syscall"
-
-	"github.com/opencontainers/runc/libcontainer/dmz"
-)
-
-// SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
-func (m command) SafeExec(path string, args []string, envv []string) error {
-	safeExe, err := cloneBinary(path)
-	if err != nil {
-		m.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
-		//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
-		return syscall.Exec(path, args, envv)
-	}
-	defer safeExe.Close()
-
-	exePath := "/proc/self/fd/" + strconv.Itoa(int(safeExe.Fd()))
-	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
-	return syscall.Exec(exePath, args, envv)
-}
-
-func cloneBinary(path string) (*os.File, error) {
-	exe, err := os.Open(path)
-	if err != nil {
-		return nil, fmt.Errorf("opening current binary: %w", err)
-	}
-	defer exe.Close()
-
-	stat, err := exe.Stat()
-	if err != nil {
-		return nil, fmt.Errorf("checking %v size: %w", path, err)
-	}
-	size := stat.Size()
-
-	return dmz.CloneBinary(exe, size, path, os.TempDir())
-}

cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go

@@ -1,29 +0,0 @@
-//go:build !linux
-// +build !linux
-
-/**
-# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-**/
-
-package ldcache
-
-import "syscall"
-
-// SafeExec is not implemented on non-linux systems and forwards directly to the
-// Exec syscall.
-func (m *command) SafeExec(path string, args []string, envv []string) error {
-	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
-	return syscall.Exec(path, args, envv)
-}

cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go

@@ -40,6 +40,7 @@ const (
 )
 
 type command struct {
+	utils.SafeExecer
 	logger logger.Interface
 }
 
@@ -52,7 +53,8 @@ type options struct {
 // NewCommand constructs an update-ldcache command with the specified logger
 func NewCommand(logger logger.Interface) *cli.Command {
 	c := command{
-		logger: logger,
+		logger:     logger,
+		SafeExecer: utils.NewSafeExecer(logger),
 	}
 	return c.build()
 }
@@ -142,7 +144,7 @@ func (m command) run(c *cli.Context, cfg *options) error {
 	// be configured to use a different config file by default.
 	args = append(args, "-f", "/etc/ld.so.conf")
 
-	return m.SafeExec(ldconfigPath, args, nil)
+	return m.Exec(ldconfigPath, args, nil)
 }
 
 // resolveLDConfigPath determines the LDConfig path to use for the system.