Add nolint for exec calls

Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-06-26 18:18:24 +00:00 · 2023-08-28 11:07:04 +02:00 · 2023-08-28 11:07:04 +02:00 · 48d68e4eff
commit 48d68e4eff
parent 709e27bf4b
7 changed files with 13 additions and 0 deletions
--- a/cmd/nvidia-container-runtime-hook/main.go
+++ b/cmd/nvidia-container-runtime-hook/main.go
@ -142,6 +142,7 @@ func doPrestart() {
 	args = append(args, rootfs)

 	env := append(os.Environ(), cli.Environment...)
+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection?
 	err = syscall.Exec(args[0], args, env)
 	log.Panicln("exec failed:", err)
 }
--- a/cmd/nvidia-container-runtime/main_test.go
+++ b/cmd/nvidia-container-runtime/main_test.go
@ -86,6 +86,7 @@ func TestBadInput(t *testing.T) {
 		t.Fatal(err)
 	}

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmdCreate := exec.Command(nvidiaRuntime, "create", "--bundle")
 	t.Logf("executing: %s\n", strings.Join(cmdCreate.Args, " "))
 	err = cmdCreate.Run()
@ -103,6 +104,7 @@ func TestGoodInput(t *testing.T) {
 		t.Fatalf("error generating runtime spec: %v", err)
 	}

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmdRun := exec.Command(nvidiaRuntime, "run", "--bundle", cfg.bundlePath(), "testcontainer")
 	t.Logf("executing: %s\n", strings.Join(cmdRun.Args, " "))
 	output, err := cmdRun.CombinedOutput()
@ -113,6 +115,7 @@ func TestGoodInput(t *testing.T) {
 	require.NoError(t, err, "should be no errors when reading and parsing spec from config.json")
 	require.Empty(t, spec.Hooks, "there should be no hooks in config.json")

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmdCreate := exec.Command(nvidiaRuntime, "create", "--bundle", cfg.bundlePath(), "testcontainer")
 	t.Logf("executing: %s\n", strings.Join(cmdCreate.Args, " "))
 	err = cmdCreate.Run()
@ -158,6 +161,7 @@ func TestDuplicateHook(t *testing.T) {
 	}

 	// Test how runtime handles already existing prestart hook in config.json
+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmdCreate := exec.Command(nvidiaRuntime, "create", "--bundle", cfg.bundlePath(), "testcontainer")
 	t.Logf("executing: %s\n", strings.Join(cmdCreate.Args, " "))
 	output, err := cmdCreate.CombinedOutput()
@ -226,6 +230,7 @@ func (c testConfig) generateNewRuntimeSpec() error {
 		return err
 	}

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmd := exec.Command("cp", c.unmodifiedSpecFile(), c.specFilePath())
 	err = cmd.Run()
 	if err != nil {
--- a/cmd/nvidia-ctk/hook/chmod/chmod.go
+++ b/cmd/nvidia-ctk/hook/chmod/chmod.go
@ -127,6 +127,7 @@ func (m command) run(c *cli.Context, cfg *config) error {

 	args := append([]string{filepath.Base(chmodPath), cfg.mode}, paths...)

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	return syscall.Exec(chmodPath, args, nil)
 }

--- a/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
+++ b/cmd/nvidia-ctk/hook/update-ldcache/update-ldcache.go
@ -100,6 +100,7 @@ func (m command) run(c *cli.Context, cfg *config) error {
 		args = append(args, "-r", containerRoot)
 	}

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	return syscall.Exec(args[0], args, nil)
 }

--- a/internal/oci/runtime_syscall_exec.go
+++ b/internal/oci/runtime_syscall_exec.go
@ -27,6 +27,7 @@ type syscallExec struct{}
 var _ Runtime = (*syscallExec)(nil)

 func (r syscallExec) Exec(args []string) error {
+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	err := syscall.Exec(args[0], args, os.Environ())
 	if err != nil {
 		return fmt.Errorf("could not exec '%v': %v", args[0], err)
--- a/tools/container/container.go
+++ b/tools/container/container.go
@ -157,6 +157,7 @@ func (o Options) SystemdRestart(service string) error {

 	logrus.Infof("Restarting %v%v using systemd: %v", service, msg, args)

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmd := exec.Command(args[0], args[1:]...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
--- a/tools/container/nvidia-toolkit/run.go
+++ b/tools/container/nvidia-toolkit/run.go
@ -229,6 +229,7 @@ func installToolkit(o *options) error {
 		filepath.Join(o.root, toolkitSubDir),
 	}

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmd := exec.Command("sh", "-c", strings.Join(cmdline, " "))
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
@ -247,6 +248,7 @@ func setupRuntime(o *options) error {

 	cmdline := fmt.Sprintf("%v setup %v %v\n", o.runtime, o.runtimeArgs, toolkitDir)

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmd := exec.Command("sh", "-c", cmdline)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
@ -272,6 +274,7 @@ func cleanupRuntime(o *options) error {

 	cmdline := fmt.Sprintf("%v cleanup %v %v\n", o.runtime, o.runtimeArgs, toolkitDir)

+	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 	cmd := exec.Command("sh", "-c", cmdline)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr