init: use securejoin for /proc/self/setgroups

cyphar · cyphar · commit 435cc81be6b7 · 2025-11-01T21:24:05.000+11:00
Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -21,6 +22,7 @@ import (
 
 	"github.com/opencontainers/cgroups"
 	"github.com/opencontainers/runc/internal/linux"
+	"github.com/opencontainers/runc/internal/pathrs"
 	"github.com/opencontainers/runc/libcontainer/capabilities"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/system"
@@ -470,7 +472,12 @@ func setupUser(config *initConfig) error {
 	// We don't need to use /proc/thread-self here because setgroups is a
 	// per-userns file and thus is global to all threads in a thread-group.
 	// This lets us avoid having to do runtime.LockOSThread.
-	setgroups, err := os.ReadFile("/proc/self/setgroups")
+	var setgroups []byte
+	setgroupsFile, err := pathrs.ProcSelfOpen("setgroups", unix.O_RDONLY)
+	if err == nil {
+		setgroups, err = io.ReadAll(setgroupsFile)
+		_ = setgroupsFile.Close()
+	}
 	if err != nil && !os.IsNotExist(err) {
 		return err
 	}
