Merge pull request #3403 from kolyshkin/1.1-exec-subcgroup

[1.1] runc exec --cgroup: ensure the path is a sub-cgroup path
opencontainers · Mar 8, 2022 · 51feb42 · 51feb42
2 parents b9460f2 + 35784a3
commit 51feb42
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -636,7 +636,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
 			// cgroup v1: using the same path for all controllers.
 			// cgroup v2: the only possible way.
 			for k := range proc.cgroupPaths {
-				proc.cgroupPaths[k] = path.Join(proc.cgroupPaths[k], add)
+				subPath := path.Join(proc.cgroupPaths[k], add)
+				if !strings.HasPrefix(subPath, proc.cgroupPaths[k]) {
+					return nil, fmt.Errorf("%s is not a sub cgroup path", add)
+				}
+				proc.cgroupPaths[k] = subPath
 			}
 			// cgroup v2: do not try to join init process's cgroup
 			// as a fallback (see (*setnsProcess).start).
@@ -645,7 +649,11 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, messageSockP
 			// Per-controller paths.
 			for ctrl, add := range p.SubCgroupPaths {
 				if val, ok := proc.cgroupPaths[ctrl]; ok {
-					proc.cgroupPaths[ctrl] = path.Join(val, add)
+					subPath := path.Join(val, add)
+					if !strings.HasPrefix(subPath, val) {
+						return nil, fmt.Errorf("%s is not a sub cgroup path", add)
+					}
+					proc.cgroupPaths[ctrl] = subPath
 				} else {
 					return nil, fmt.Errorf("unknown controller %s in SubCgroupPaths", ctrl)
 				}

diff --git a/tests/integration/exec.bats b/tests/integration/exec.bats
@@ -197,6 +197,11 @@ function check_exec_debug() {
 	__runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
 	testcontainer test_busybox running
 
+	# Check we can't join parent cgroup.
+	runc exec --cgroup ".." test_busybox cat /proc/self/cgroup
+	[ "$status" -ne 0 ]
+	[[ "$output" == *" .. is not a sub cgroup path"* ]]
+
 	# Check we can't join non-existing subcgroup.
 	runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
@@ -243,6 +248,11 @@ function check_exec_debug() {
 	__runc run -d --console-socket "$CONSOLE_SOCKET" test_busybox
 	testcontainer test_busybox running
 
+	# Check we can't join parent cgroup.
+	runc exec --cgroup ".." test_busybox cat /proc/self/cgroup
+	[ "$status" -ne 0 ]
+	[[ "$output" == *" .. is not a sub cgroup path"* ]]
+
 	# Check we can't join non-existing subcgroup.
 	runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]