[no-relnote] Replace deprecated runc utils.WithProcfd with local helper function

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

Author: ArangoGutierrez

cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go

@@ -25,8 +25,9 @@ import (
 	"path/filepath"
 
 	"github.com/google/uuid"
-	"github.com/opencontainers/runc/libcontainer/utils"
 	"golang.org/x/sys/unix"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/system"
 )
 
 func createParamsFileInContainer(containerRoot *os.Root, contents []byte) error {
@@ -37,7 +38,7 @@ func createParamsFileInContainer(containerRoot *os.Root, contents []byte) error
 		return fmt.Errorf("error creating hook scratch folder: %w", err)
 	}
 
-	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {
+	err := system.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {
 		return createTmpFs(hookScratchDirFdPath, len(contents))
 	})
 	if err != nil {
@@ -49,7 +50,7 @@ func createParamsFileInContainer(containerRoot *os.Root, contents []byte) error
 		return fmt.Errorf("error creating modified params file: %w", err)
 	}
 
-	err = utils.WithProcfd(containerRootDirPath, modifiedParamsFilePath, func(modifiedParamsFileFdPath string) error {
+	err = system.WithProcfd(containerRootDirPath, modifiedParamsFilePath, func(modifiedParamsFileFdPath string) error {
 		modifiedParamsFile, err := os.OpenFile(modifiedParamsFileFdPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0444)
 		if err != nil {
 			return fmt.Errorf("failed to open modified params file: %w", err)
@@ -60,7 +61,7 @@ func createParamsFileInContainer(containerRoot *os.Root, contents []byte) error
 			return fmt.Errorf("failed to write temporary params file: %w", err)
 		}
 
-		err = utils.WithProcfd(containerRootDirPath, nvidiaDriverParamsPath, func(nvidiaDriverParamsFdPath string) error {
+		err = system.WithProcfd(containerRootDirPath, nvidiaDriverParamsPath, func(nvidiaDriverParamsFdPath string) error {
 			return unix.Mount(modifiedParamsFileFdPath, nvidiaDriverParamsFdPath, "", unix.MS_BIND|unix.MS_RDONLY|unix.MS_NODEV|unix.MS_PRIVATE|unix.MS_NOSYMFOLLOW, "")
 		})
 		if err != nil {

go.mod

@@ -5,6 +5,7 @@ go 1.25.0
 require (
 	github.com/NVIDIA/go-nvlib v0.8.1
 	github.com/NVIDIA/go-nvml v0.13.0-1
+	github.com/cyphar/filepath-securejoin v0.6.1
 	github.com/google/uuid v1.6.0
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/reexec v0.1.0
@@ -25,7 +26,6 @@ require (
 
 require (
 	cyphar.com/go-pathrs v0.2.1 // indirect
-	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect

internal/ldconfig/ldconfig_linux.go

@@ -32,9 +32,9 @@ import (
 	"github.com/google/uuid"
 	"github.com/moby/sys/mountinfo"
 	"github.com/moby/sys/reexec"
-
-	"github.com/opencontainers/runc/libcontainer/utils"
 	"golang.org/x/sys/unix"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/system"
 )
 
 // pivotRoot will call pivot_root such that rootfs becomes the new root
@@ -198,7 +198,7 @@ func mountLdConfig(hostLdconfigPath string, containerRoot *os.Root) (string, err
 		return "", fmt.Errorf("error creating hook scratch folder: %w", err)
 	}
 
-	err = utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {
+	err = system.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {
 		return createTmpFs(hookScratchDirFdPath, int(hostLdconfigInfo.Size()))
 	})
 	if err != nil {
@@ -209,7 +209,7 @@ func mountLdConfig(hostLdconfigPath string, containerRoot *os.Root) (string, err
 		return "", fmt.Errorf("error creating ldconfig: %w", err)
 	}
 
-	err = utils.WithProcfd(containerRootDirPath, ldconfigPath, func(ldconfigFdPath string) error {
+	err = system.WithProcfd(containerRootDirPath, ldconfigPath, func(ldconfigFdPath string) error {
 		return unix.Mount(hostLdconfigPath, ldconfigFdPath, "", unix.MS_BIND|unix.MS_RDONLY|unix.MS_NODEV|unix.MS_PRIVATE|unix.MS_NOSYMFOLLOW, "")
 	})
 	if err != nil {

internal/system/procfd_linux.go

@@ -0,0 +1,59 @@
+//go:build linux
+
+/**
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package system
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+	"golang.org/x/sys/unix"
+)
+
+// WithProcfd opens a file descriptor to the specified path and invokes the
+// provided function with a /proc/self/fd path.
+func WithProcfd(root, unsafePath string, fn func(fdPath string) error) error {
+	// Securely join paths to prevent directory traversal attacks
+	fullPath, err := securejoin.SecureJoin(root, unsafePath)
+	if err != nil {
+		return fmt.Errorf("resolving path inside rootfs failed: %w", err)
+	}
+
+	// Open the target path with O_PATH to get a file descriptor without
+	// actually opening the file for reading or writing
+	fd, err := unix.Open(fullPath, unix.O_PATH|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return fmt.Errorf("failed to open path %q: %w", fullPath, err)
+	}
+	defer unix.Close(fd)
+
+	// Construct the /proc/self/fd path
+	procFdPath := "/proc/self/fd/" + strconv.Itoa(fd)
+
+	// Double-check the path is the one we expected to prevent TOCTOU attacks
+	if realpath, err := os.Readlink(procFdPath); err != nil {
+		return fmt.Errorf("procfd verification failed: %w", err)
+	} else if realpath != fullPath {
+		return fmt.Errorf("possibly malicious path detected -- refusing to operate on %s", realpath)
+	}
+
+	return fn(procFdPath)
+}