fix wrong parameters passed to EnforceExecExternalProcessPolicy (#1523)
Fixes GCS panic, because OCIProcess for exec external is nil.

For exec external process we don't use OCIProcess field of
ProcessParameters, but instead use the top level CommandArgs,
Environment and WorkingDirectory.

Signed-off-by: Maksim An <maksiman@microsoft.com>

Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl committed Sep 23, 2022
1 parent b2c8eb9 commit 2b143a0
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion internal/guest/runtime/hcsv2/uvm.go
Expand Up @@ -492,7 +492,11 @@ func (h *Host) ExecProcess(ctx context.Context, containerID string, params prot.
var pid int
var c *Container
if params.IsExternal || containerID == UVMContainerID {
err = h.securityPolicyEnforcer.EnforceExecExternalProcessPolicy(params.OCIProcess.Args, params.OCIProcess.Env, params.OCIProcess.Cwd)
err = h.securityPolicyEnforcer.EnforceExecExternalProcessPolicy(
params.CommandArgs,
processParamEnvToOCIEnv(params.Environment),
params.WorkingDirectory,
)
if err != nil {
return pid, errors.Wrapf(err, "exec in container denied due to policy")
}
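Review bot: In the new EnforceExecExternalProcessPolicy call, the environment is converted inline with processParamEnvToOCIEnv(params.Environment), and nothing in this hunk ties that value to the environment the external process is later started with. Consider computing the converted env once, before the policy check, and passing the same variable to both the enforcer and the launch path, so the policy decision is always made on exactly what gets executed. The commit message says the panic came from params.OCIProcess being nil on this path, so a regression test that calls ExecProcess with IsExternal set and OCIProcess left nil would keep the dereference from coming back. Separately, the wrapped error "exec in container denied due to policy" is returned from the external-process branch, where it reads as a container exec denial; a message naming the external process would make policy denials easier to triage in logs.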