Move SafeExec logic to utils package

Signed-off-by: Evan Lezar <elezar@nvidia.com>

cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go

@@ -40,6 +40,7 @@ const (
 )
 
 type command struct {
+	utils.SafeExecer
 	logger logger.Interface
 }
 
@@ -53,6 +54,7 @@ type options struct {
 func NewCommand(logger logger.Interface) *cli.Command {
 	c := command{
 		logger:     logger,
+		SafeExecer: utils.NewSafeExecer(logger),
 	}
 	return c.build()
 }
@@ -142,7 +144,7 @@ func (m command) run(c *cli.Context, cfg *options) error {
 	// be configured to use a different config file by default.
 	args = append(args, "-f", "/etc/ld.so.conf")
 
-	return m.SafeExec(ldconfigPath, args, nil)
+	return m.Exec(ldconfigPath, args, nil)
 }
 
 // resolveLDConfigPath determines the LDConfig path to use for the system.

cmd/nvidia-cdi-hook/utils/safe-exec.go

@@ -0,0 +1,32 @@
+/**
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package utils
+
+import "github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
+
+// A SafeExecer is used to Exec an application from a memfd to prevent possible
+// tampering.
+type SafeExecer struct {
+	logger logger.Interface
+}
+
+// NewSafeExecer creates a SafeExecer with the specified logger.
+func NewSafeExecer(logger logger.Interface) SafeExecer {
+	return SafeExecer{
+		logger: logger,
+	}
+}

cmd/nvidia-cdi-hook/utils/safe-exec_linux.go

@@ -14,7 +14,7 @@
 # limitations under the License.
 **/
 
-package ldcache
+package utils
 
 import (
 	"fmt"
@@ -25,11 +25,11 @@ import (
 	"github.com/opencontainers/runc/libcontainer/dmz"
 )
 
-// SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
+// Exec attempts to clone the specified binary (as an memfd, for example) before executing it.
-func (m command) SafeExec(path string, args []string, envv []string) error {
+func (s SafeExecer) Exec(path string, args []string, envv []string) error {
 	safeExe, err := cloneBinary(path)
 	if err != nil {
-		m.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
+		s.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
 		//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 		return syscall.Exec(path, args, envv)
 	}

cmd/nvidia-cdi-hook/utils/safe-exec_other.go

@@ -17,13 +17,14 @@
 # limitations under the License.
 **/
 
-package ldcache
+package utils
 
 import "syscall"
 
-// SafeExec is not implemented on non-linux systems and forwards directly to the
+// Exec is not implemented on non-linux systems and forwards directly to the
 // Exec syscall.
-func (m *command) SafeExec(path string, args []string, envv []string) error {
+func (s SafeExecer) Exec(path string, args []string, envv []string) error {
+	s.logger.Warningf("Cloning binary not implemented for binary %q; falling back to Exec", path)
 	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	return syscall.Exec(path, args, envv)
 }