diff --git a/cmd/nvidia-container-runtime-hook/main.go b/cmd/nvidia-container-runtime-hook/main.go
index 30aad846..0c61e558 100644
--- a/cmd/nvidia-container-runtime-hook/main.go
+++ b/cmd/nvidia-container-runtime-hook/main.go
@@ -142,6 +142,7 @@ func doPrestart() {
 args = append(args, rootfs)
 env := append(os.Environ(), cli.Environment...)
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection?
 err = syscall.Exec(args[0], args, env)
 log.Panicln("exec failed:", err)
 }
diff --git a/cmd/nvidia-container-runtime/main_test.go b/cmd/nvidia-container-runtime/main_test.go
index dad9ac79..185c3378 100644
--- a/cmd/nvidia-container-runtime/main_test.go
+++ b/cmd/nvidia-container-runtime/main_test.go
@@ -86,6 +86,7 @@ func TestBadInput(t *testing.T) {
 t.Fatal(err)
 }
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmdCreate := exec.Command(nvidiaRuntime, "create", "--bundle")
 t.Logf("executing: %s\n", strings.Join(cmdCreate.Args, " "))
 err = cmdCreate.Run()
@@ -103,6 +104,7 @@ func TestGoodInput(t *testing.T) {
 t.Fatalf("error generating runtime spec: %v", err)
 }
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmdRun := exec.Command(nvidiaRuntime, "run", "--bundle", cfg.bundlePath(), "testcontainer")
 t.Logf("executing: %s\n", strings.Join(cmdRun.Args, " "))
 output, err := cmdRun.CombinedOutput()
@@ -113,6 +115,7 @@ func TestGoodInput(t *testing.T) {
 require.NoError(t, err, "should be no errors when reading and parsing spec from config.json")
 require.Empty(t, spec.Hooks, "there should be no hooks in config.json")
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmdCreate := exec.Command(nvidiaRuntime, "create", "--bundle", cfg.bundlePath(), "testcontainer")
 t.Logf("executing: %s\n", strings.Join(cmdCreate.Args, " "))
 err = cmdCreate.Run()
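Review bot: The `//nolint:gosec` added before `syscall.Exec` in doPrestart silences every gosec rule on that line, not just the subprocess check (presumably G204) it is meant to cover, and the same blanket form is used on all twelve lines this commit touches across main.go, main_test.go, chmod.go, update-ldcache.go, runtime_syscall_exec.go, container.go and run.go. Narrowing the suppression to the rule, either with gosec's own `// #nosec G204` or by naming G204 in the trailing explanation, keeps any other gosec finding on those lines visible. The trailing text also reads better as the reason the call is accepted than as an open question, e.g. `//nolint:gosec // G204: argv is assembled by this hook from its own configuration, not from container input` — that is what `args` appears to hold here, but doPrestart's body starts outside the hunk, so confirm the source of `args[0]` before wording it that way. Only this first instance ends the TODO with `?`; the other eleven do not, which is worth making consistent.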
@@ -158,6 +161,7 @@ func TestDuplicateHook(t *testing.T) {
 }
 // Test how runtime handles already existing prestart hook in config.json
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmdCreate := exec.Command(nvidiaRuntime, "create", "--bundle", cfg.bundlePath(), "testcontainer")
 t.Logf("executing: %s\n", strings.Join(cmdCreate.Args, " "))
 output, err := cmdCreate.CombinedOutput()
@@ -226,6 +230,7 @@ func (c testConfig) generateNewRuntimeSpec() error {
 return err
 }
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmd := exec.Command("cp", c.unmodifiedSpecFile(), c.specFilePath())
 err = cmd.Run()
 if err != nil {
diff --git a/cmd/nvidia-ctk/hook/chmod/chmod.go b/cmd/nvidia-ctk/hook/chmod/chmod.go
index 1276f7fa..90ea8107 100644
--- a/cmd/nvidia-ctk/hook/chmod/chmod.go
+++ b/cmd/nvidia-ctk/hook/chmod/chmod.go
@@ -127,6 +127,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 args := append([]string{filepath.Base(chmodPath), cfg.mode}, paths...)
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 return syscall.Exec(chmodPath, args, nil)
 }
diff --git a/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go b/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
index f9719e64..db5ae266 100644
--- a/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
+++ b/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
@@ -100,6 +100,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 args = append(args, "-r", containerRoot)
 }
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 return syscall.Exec(args[0], args, nil)
 }
diff --git a/internal/oci/runtime_syscall_exec.go b/internal/oci/runtime_syscall_exec.go
index d752776a..6820e3a1 100644
--- a/internal/oci/runtime_syscall_exec.go
+++ b/internal/oci/runtime_syscall_exec.go
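Review bot: The `cp` subprocess in generateNewRuntimeSpec is the one exec in this commit that does not need a process at all, so the suppression can be dropped instead of annotated: copying the spec with `os.ReadFile` and `os.WriteFile` keeps the test independent of a `cp` binary on PATH and gives gosec nothing to flag. The file mode the later steps of the test need is not visible in the hunk, so the 0o644 below is a placeholder to confirm, and `os` must be imported in main_test.go if it is not already. The function continues past the hunk; the `if err != nil {` that follows `cmd.Run()` is kept in place.
```go
	// … unchanged: spec generation above …
	data, err := os.ReadFile(c.unmodifiedSpecFile())
	if err != nil {
		return err
	}
	err = os.WriteFile(c.specFilePath(), data, 0o644) // mode: confirm what the test expects
	if err != nil {
```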
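Review bot: In chmod's run the argv handed to `syscall.Exec` is `chmod <mode> <paths...>` with nothing separating options from operands, so a path that happens to begin with `-` would be parsed by chmod as an option rather than as a file name. Inserting an end-of-options marker before the paths is the concrete hardening the TODO asks about and is a one-line change: `args := append([]string{filepath.Base(chmodPath), cfg.mode, "--"}, paths...)`. Whether `paths` can ever carry such a value depends on how the hook's arguments are produced, which is outside the hunk; the guard is cheap either way.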
@@ -27,6 +27,7 @@ type syscallExec struct{}
 var _ Runtime = (*syscallExec)(nil)
 func (r syscallExec) Exec(args []string) error {
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 err := syscall.Exec(args[0], args, os.Environ())
 if err != nil {
 return fmt.Errorf("could not exec '%v': %v", args[0], err)
diff --git a/tools/container/container.go b/tools/container/container.go
index 85547019..4cba08f0 100644
--- a/tools/container/container.go
+++ b/tools/container/container.go
@@ -157,6 +157,7 @@ func (o Options) SystemdRestart(service string) error {
 logrus.Infof("Restarting %v%v using systemd: %v", service, msg, args)
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmd := exec.Command(args[0], args[1:]...)
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
diff --git a/tools/container/nvidia-toolkit/run.go b/tools/container/nvidia-toolkit/run.go
index 740835b3..87d5b111 100644
--- a/tools/container/nvidia-toolkit/run.go
+++ b/tools/container/nvidia-toolkit/run.go
@@ -229,6 +229,7 @@ func installToolkit(o *options) error {
 filepath.Join(o.root, toolkitSubDir),
 }
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmd := exec.Command("sh", "-c", strings.Join(cmdline, " "))
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
@@ -247,6 +248,7 @@ func setupRuntime(o *options) error {
 cmdline := fmt.Sprintf("%v setup %v %v\n", o.runtime, o.runtimeArgs, toolkitDir)
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmd := exec.Command("sh", "-c", cmdline)
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
@@ -272,6 +274,7 @@ func cleanupRuntime(o *options) error {
 cmdline := fmt.Sprintf("%v cleanup %v %v\n", o.runtime, o.runtimeArgs, toolkitDir)
+ //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 cmd := exec.Command("sh", "-c", cmdline)
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr
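Review bot: `Exec` in runtime_syscall_exec.go indexes `args[0]` without checking that `args` is non-empty, so a caller passing an empty slice gets an index-out-of-range panic instead of the error the signature promises; a guard at the top of the method, `if len(args) == 0 { return fmt.Errorf("no command specified") }`, closes that. While the error path is being touched, wrapping with `%w` rather than `%v` (`return fmt.Errorf("could not exec '%v': %w", args[0], err)`) lets callers inspect the underlying errno with errors.Is/As, which the current `%v` formatting discards. The method's body continues past the hunk.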
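Review bot: installToolkit, setupRuntime and cleanupRuntime in run.go are the only call sites in this commit where the TODO names a real risk: they pass a string assembled from `o.runtime` and `o.runtimeArgs` (and, in installToolkit, from the joined `cmdline` slice) to `sh -c`, so a shell re-parses those values, whereas every other hunk hands argv to exec or syscall directly and no shell is involved. Invoking the runtime binary with an argv slice, along the lines of `exec.Command(o.runtime, append(runtimeArgs, "setup", toolkitDir)...)`, removes the shell parsing and with it the reason for the suppression, and makes the trailing `\n` in both Sprintf formats unnecessary. `o.runtimeArgs` is formatted with `%v` and so is presumably a single string; it would need to become a `[]string` flag or be split with `strings.Fields`, which changes behaviour for callers that rely on shell quoting, so confirm how it is populated before switching. The same applies to cleanupRuntime and, with `cmdline` kept as a slice, to installToolkit.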