diff --git a/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go b/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go index df0bd6c6..5d152c1a 100644 --- a/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go +++ b/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go @@ -27,6 +27,7 @@ import ( "github.com/NVIDIA/nvidia-container-toolkit/internal/config" "github.com/NVIDIA/nvidia-container-toolkit/internal/logger" "github.com/NVIDIA/nvidia-container-toolkit/internal/oci" + safeexec "github.com/NVIDIA/nvidia-container-toolkit/internal/safe-exec" ) const ( @@ -39,6 +40,7 @@ const ( ) type command struct { + safeexec.Execer logger logger.Interface } @@ -52,6 +54,7 @@ type options struct { func NewCommand(logger logger.Interface) *cli.Command { c := command{ logger: logger, + Execer: safeexec.New(logger), } return c.build() } @@ -141,7 +144,7 @@ func (m command) run(c *cli.Context, cfg *options) error { args = append(args, folders...) } - return m.SafeExec(ldconfigPath, args, nil) + return m.Exec(ldconfigPath, args, nil) } // resolveLDConfigPath determines the LDConfig path to use for the system. diff --git a/internal/safe-exec/safe-exec.go b/internal/safe-exec/safe-exec.go new file mode 100644 index 00000000..8c2f68cf --- /dev/null +++ b/internal/safe-exec/safe-exec.go @@ -0,0 +1,37 @@ +/** +# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +**/ + +package safeexec + +import "github.com/NVIDIA/nvidia-container-toolkit/internal/logger" + +// An Execer implements an Exec function. +type Execer interface { + Exec(string, []string, []string) error +} + +// A safeExecer is used to Exec an application from a memfd to prevent possible +// tampering. +type safeExecer struct { + logger logger.Interface +} + +// New creates a safe Execer with the specified logger. +func New(logger logger.Interface) Execer { + return &safeExecer{ + logger: logger, + } +} diff --git a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go b/internal/safe-exec/safe-exec_linux.go similarity index 86% rename from cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go rename to internal/safe-exec/safe-exec_linux.go index c1c655b4..9f56216e 100644 --- a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go +++ b/internal/safe-exec/safe-exec_linux.go @@ -14,7 +14,7 @@ # limitations under the License. **/ -package ldcache +package safeexec import ( "fmt" @@ -25,11 +25,11 @@ import ( "github.com/opencontainers/runc/libcontainer/dmz" ) -// SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it. -func (m command) SafeExec(path string, args []string, envv []string) error { +// Exec attempts to clone the specified binary (as an memfd, for example) before executing it. +func (s *safeExecer) Exec(path string, args []string, envv []string) error { safeExe, err := cloneBinary(path) if err != nil { - m.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err) + s.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err) //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection return syscall.Exec(path, args, envv) } diff --git a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go b/internal/safe-exec/safe-exec_other.go similarity index 75% rename from cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go rename to internal/safe-exec/safe-exec_other.go index dff11dd3..82e1f741 100644 --- a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go +++ b/internal/safe-exec/safe-exec_other.go @@ -17,13 +17,14 @@ # limitations under the License. **/ -package ldcache +package safeexec import "syscall" -// SafeExec is not implemented on non-linux systems and forwards directly to the +// Exec is not implemented on non-linux systems and forwards directly to the // Exec syscall. -func (m *command) SafeExec(path string, args []string, envv []string) error { +func (s *safeExecer) Exec(path string, args []string, envv []string) error { + s.logger.Warningf("Cloning binary not implemented for binary %q; falling back to Exec", path) //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection return syscall.Exec(path, args, envv) }