nvidia-ctk hook chmod: Ignore permission errors

In some cases we might get a permission error trying to chmod -
most likely this is due to something beyond our control
like whole `/dev` being mounted.
Do not fail container creation in this case.

Due to loosing control of the program after `exec()`-ing `chmod(1)` program
and therefore not being able to handle errors -
refactor to use `chmod(2)` syscall instead of `exec()` `chmod(1)` program.

Fixes: #143
Signed-off-by: Ievgen Popovych <jmennius@gmail.com>

cmd/nvidia-ctk/hook/chmod/chmod.go

@@ -17,16 +17,15 @@
 package chmod
 
 import (
+	"errors"
 	"fmt"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
-	"syscall"
 
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
-	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
 	"github.com/urfave/cli/v2"
 )
@@ -126,17 +125,16 @@ func (m command) run(c *cli.Context, cfg *config) error {
 		return nil
 	}
 
-	locator := lookup.NewExecutableLocator(m.logger, "")
+	for _, path := range paths {
-	targets, err := locator.Locate("chmod")
+		err = os.Chmod(path, desiredMode)
-	if err != nil {
+		// in some cases this is not an issue (e.g. whole /dev mounted), see #143
-		return fmt.Errorf("failed to locate chmod: %v", err)
+		if errors.Is(err, fs.ErrPermission) {
+			m.logger.Debugf("Ignoring permission error with chmod: %v", err)
+			err = nil
+		}
 	}
-	chmodPath := targets[0]
 
-	args := append([]string{filepath.Base(chmodPath), cfg.mode}, paths...)
+	return err
-
-	//nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
-	return syscall.Exec(chmodPath, args, nil)
 }
 
 // getPaths updates the specified paths relative to the root.