libcontainer/configs/config: Clear hook environ variables on empty Env

wking · lifubang · commit 6c2bcc6fa13b · 2024-12-11T23:32:32.000+08:00
The runtime spec has [1]: * env (array of strings, OPTIONAL) with the same semantics as IEEE Std 1003.1-2008's environ. And running execle or similar with NULL env results in an empty environent: $ cat test.c #include <unistd.h> int main() { return execle("/usr/bin/env", "env", NULL, NULL); } $ cc -o test test.c $ ./test ...no output... Go's Cmd.Env, on the other hand, has [2]: If Env is nil, the new process uses the current process's environment. This commit works around that by setting Env to an empty slice in those cases to avoid leaking the runtime environment into the hooks. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks [2]: https://golang.org/pkg/os/exec/#Cmd Signed-off-by: W. Trevor King <wking@tremily.us> (cherry picked from commit c11bd33) Signed-off-by: lfbzhm <lifubang@acmcoder.com>
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -480,6 +480,9 @@ func (c Command) Run(s *specs.State) error {
 		Stdout: &stdout,
 		Stderr: &stderr,
 	}
+	if cmd.Env == nil {
+		cmd.Env = []string{}
+	}
 	if err := cmd.Start(); err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -480,6 +480,9 @@ func (c Command) Run(s *specs.State) error {`
`480`	`480`	`Stdout: &stdout,`
`481`	`481`	`Stderr: &stderr,`
`482`	`482`	`}`
	`483`	`+ if cmd.Env == nil {`
	`484`	`+ cmd.Env = []string{}`
	`485`	`+ }`
`483`	`486`	`if err := cmd.Start(); err != nil {`
`484`	`487`	`return err`
`485`	`488`	`}`