C-WCOW: Differentiate container cmdline

MahatiC · MahatiC · commit 0e7cadb0648f · 2025-09-25T13:27:42.000+01:00
Signed-off-by: Mahati Chamarthy &lt;mahati.chamarthy@gmail.com&gt;
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
@@ -91,11 +91,15 @@ func (b *Bridge) createContainer(req *request) (err error) {
 		if err := b.hostState.SetupSecurityContextDir(ctx, &spec); err != nil {
 			return err
 		}
+		commandLine := len(spec.Process.Args) > 0
 		c := &Container{
-			id:        containerID,
-			spec:      spec,
-			processes: make(map[uint32]*containerProcess),
+			id:              containerID,
+			spec:            spec,
+			processes:       make(map[uint32]*containerProcess),
+			commandLine:     commandLine,
+			commandLineExec: false,
 		}
+
 		log.G(ctx).Tracef("Adding ContainerID: %v", containerID)
 		if err := b.hostState.AddContainer(req.ctx, containerID, c); err != nil {
 			log.G(ctx).Tracef("Container exists in the map.")
@@ -272,15 +276,19 @@ func (b *Bridge) executeProcess(req *request) (err error) {
 			return fmt.Errorf("failed to get created container: %w", err)
 		}
 
-		// if this is an exec of Container command line, then it's already enforced
-		// during container creation, hence skip it here
-		containerCommandLine := escapeArgs(c.spec.Process.Args)
-		if processParams.CommandLine != containerCommandLine {
+		c.processesMutex.Lock()
+		isInitExec := c.commandLine && !c.commandLineExec
+		if isInitExec {
+			// if this is an exec of Container command line, then it's already enforced
+			// during container creation, hence skip it here
+			c.commandLineExec = true
 
+		}
+		c.processesMutex.Unlock()
+		if !isInitExec {
 			user := securitypolicy.IDName{
 				Name: processParams.User,
 			}
-
 			log.G(req.ctx).Tracef("Enforcing policy on exec in container")
 			_, _, _, err = b.hostState.securityPolicyEnforcer.
 				EnforceExecInContainerPolicyV2(
@@ -298,7 +306,7 @@ func (b *Bridge) executeProcess(req *request) (err error) {
 		}
 		headerID := req.header.ID
 
-		// initiate process ID
+		// initiate exec process response channel
 		procRespCh := make(chan *prot.ContainerExecuteProcessResponse, 1)
 		b.pendingMu.Lock()
 		b.pending[headerID] = procRespCh
diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go
@@ -42,10 +42,12 @@ type Host struct {
 }
 
 type Container struct {
-	id             string
-	spec           specs.Spec
-	processesMutex sync.Mutex
-	processes      map[uint32]*containerProcess
+	id              string
+	spec            specs.Spec
+	processesMutex  sync.Mutex
+	processes       map[uint32]*containerProcess
+	commandLine     bool
+	commandLineExec bool
 }
 
 // Process is a struct that defines the lifetime and operations associated with
