From c42e0ac27fdae77a492439543b594d752ab8fbb8 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Fri, 28 Feb 2025 14:38:02 +0200
Subject: [PATCH] Move SafeExec logic to utils package
Signed-off-by: Evan Lezar
---
 .../update-ldcache/update-ldcache.go | 6 ++--
 cmd/nvidia-cdi-hook/utils/safe-exec.go | 32 +++++++++++++++++++
 .../safe-exec_linux.go | 8 ++---
 .../safe-exec_other.go | 7 ++--
 4 files changed, 44 insertions(+), 9 deletions(-)
 create mode 100644 cmd/nvidia-cdi-hook/utils/safe-exec.go
 rename cmd/nvidia-cdi-hook/{update-ldcache => utils}/safe-exec_linux.go (85%)
 rename cmd/nvidia-cdi-hook/{update-ldcache => utils}/safe-exec_other.go (75%)
diff --git a/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go b/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go
index 2d238b82..c19bc539 100644
--- a/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go
+++ b/cmd/nvidia-cdi-hook/update-ldcache/update-ldcache.go
@@ -40,6 +40,7 @@ const (
 )
 type command struct {
+ utils.SafeExecer
 logger logger.Interface
 }
@@ -52,7 +53,8 @@ type options struct {
 // NewCommand constructs an update-ldcache command with the specified logger
 func NewCommand(logger logger.Interface) *cli.Command {
 c := command{
- logger: logger,
+ logger: logger,
+ SafeExecer: utils.NewSafeExecer(logger),
 }
 return c.build()
 }
@@ -142,7 +144,7 @@ func (m command) run(c *cli.Context, cfg *options) error {
 // be configured to use a different config file by default.
 args = append(args, "-f", "/etc/ld.so.conf")
- return m.SafeExec(ldconfigPath, args, nil)
+ return m.Exec(ldconfigPath, args, nil)
 }
 // resolveLDConfigPath determines the LDConfig path to use for the system.
diff --git a/cmd/nvidia-cdi-hook/utils/safe-exec.go b/cmd/nvidia-cdi-hook/utils/safe-exec.go
new file mode 100644
index 00000000..b15440de
--- /dev/null
+++ b/cmd/nvidia-cdi-hook/utils/safe-exec.go
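Review bot: Embedding `utils.SafeExecer` in `command` (first hunk of update-ldcache.go) promotes `Exec` onto the command itself, so the call in the third hunk reads `m.Exec(ldconfigPath, args, nil)` and no longer shows at the call site that the clone-before-exec path is intended. A named field keeps that visible: `execer utils.SafeExecer` in the struct, `execer: utils.NewSafeExecer(logger)` in `NewCommand`, and `return m.execer.Exec(ldconfigPath, args, nil)` in `run`. This is a style point only; behaviour is the same either way. The body of `run` starts outside the third hunk.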
@@ -0,0 +1,32 @@
+/**
+# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package utils
+
+import "github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
+
+// A SafeExecer is used to Exec an application from a memfd to prevent possible
+// tampering.
+type SafeExecer struct {
+ logger logger.Interface
+}
+
+// NewSafeExecer creates a SafeExecer with the specified logger.
+func NewSafeExecer(logger logger.Interface) SafeExecer {
+ return SafeExecer{
+ logger: logger,
+ }
+}
diff --git a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go b/cmd/nvidia-cdi-hook/utils/safe-exec_linux.go
similarity index 85%
rename from cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go
rename to cmd/nvidia-cdi-hook/utils/safe-exec_linux.go
index c1c655b4..30556c5b 100644
--- a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_linux.go
+++ b/cmd/nvidia-cdi-hook/utils/safe-exec_linux.go
@@ -14,7 +14,7 @@
 # limitations under the License.
 **/
-package ldcache
+package utils
 import (
 "fmt"
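Review bot: The doc comment on `SafeExecer` in the new safe-exec.go promises execution from a memfd, but both `Exec` implementations in this patch can run the on-disk path directly: safe-exec_linux.go falls back to `syscall.Exec` when `cloneBinary` fails, and safe-exec_other.go never clones at all. Now that the type is exported from a shared package, the comment should say the protection is best-effort, for example `// A SafeExecer execs a binary from a cloned copy (for example a memfd) where possible, to limit tampering with the on-disk file.` followed by `// If cloning fails, or on non-Linux builds, it logs a warning and execs the original path directly.` A caller that needs the clone to be mandatory cannot tell from the current comment that it is not.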
@@ -25,11 +25,11 @@ import (
 "github.com/opencontainers/runc/libcontainer/dmz"
 )
-// SafeExec attempts to clone the specified binary (as an memfd, for example) before executing it.
-func (m command) SafeExec(path string, args []string, envv []string) error {
+// Exec attempts to clone the specified binary (as an memfd, for example) before executing it.
+func (s SafeExecer) Exec(path string, args []string, envv []string) error {
 safeExe, err := cloneBinary(path)
 if err != nil {
- m.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
+ s.logger.Warningf("Failed to clone binary %q: %v; falling back to Exec", path, err)
 //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 return syscall.Exec(path, args, envv)
 }
diff --git a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go b/cmd/nvidia-cdi-hook/utils/safe-exec_other.go
similarity index 75%
rename from cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go
rename to cmd/nvidia-cdi-hook/utils/safe-exec_other.go
index dff11dd3..9534dcfd 100644
--- a/cmd/nvidia-cdi-hook/update-ldcache/safe-exec_other.go
+++ b/cmd/nvidia-cdi-hook/utils/safe-exec_other.go
@@ -17,13 +17,14 @@
 # limitations under the License.
 **/
-package ldcache
+package utils
 import "syscall"
-// SafeExec is not implemented on non-linux systems and forwards directly to the
+// Exec is not implemented on non-linux systems and forwards directly to the
 // Exec syscall.
-func (m *command) SafeExec(path string, args []string, envv []string) error {
+func (s SafeExecer) Exec(path string, args []string, envv []string) error {
+ s.logger.Warningf("Cloning binary not implemented for binary %q; falling back to Exec", path)
 //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
 return syscall.Exec(path, args, envv)
 }
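Review bot: The warning text `falling back to Exec` in the clone-failure branch of safe-exec_linux.go is ambiguous after the rename, because the enclosing method is itself now called `Exec`; someone reading the log cannot tell that the unprotected system call was used. Naming the call makes a skipped hardening step easy to search for: `s.logger.Warningf("Failed to clone binary %q: %v; falling back to syscall.Exec of the original path", path, err)`. The warning added in safe-exec_other.go uses the same wording and would benefit from the same change. The rest of `Exec` after the fallback branch is outside this hunk.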
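Review bot: The added `s.logger.Warningf(...)` call in safe-exec_other.go runs on every `Exec` on non-Linux builds and dereferences `s.logger` without a check, so a zero-value `SafeExecer` would panic before reaching `syscall.Exec`, assuming `logger.Interface` is an interface type as its name suggests. The type is exported and is embedded by value, so a literal such as `command{logger: logger}` still compiles without setting it. Either guard the call, `if s.logger != nil { s.logger.Warningf(...) }`, or document on the type that the zero value is not usable and `NewSafeExecer` must be called. The same dereference sits on the fallback branch of the Linux `Exec`.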