libcontainer/configs/config: Clear hook environ variables on empty Env

wking · wking · commit 5f6ed84ce40a · 2018-02-23T16:53:26.000-08:00
The runtime spec has [1]: * env (array of strings, OPTIONAL) with the same semantics as IEEE Std 1003.1-2008's environ. And running execle or similar with NULL env results in an empty environent: $ cat test.c #include <unistd.h> int main() { return execle("/usr/bin/env", "env", NULL, NULL); } $ cc -o test test.c $ ./test ...no output... Go's Cmd.Env, on the other hand, has [2]: If Env is nil, the new process uses the current process's environment. This commit works around that by setting a single dummy environment variable in those cases to avoid leaking the runtime environment into the hooks. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks [2]: https://golang.org/pkg/os/exec/#Cmd Signed-off-by: W. Trevor King <wking@tremily.us>
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -320,6 +320,9 @@ func (c Command) Run(s HookState) error {
 		Stdout: &stdout,
 		Stderr: &stderr,
 	}
+	if cmd.Env == nil {
+		cmd.Env = []string{"_GO_DOES_NOT_PROVIDE_A_WAY_TO_CLEAR_ENV="}
+	}
 	if err := cmd.Start(); err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -320,6 +320,9 @@ func (c Command) Run(s HookState) error {`
`320`	`320`	`Stdout: &stdout,`
`321`	`321`	`Stderr: &stderr,`
`322`	`322`	`}`
	`323`	`+ if cmd.Env == nil {`
	`324`	`+ cmd.Env = []string{"_GO_DOES_NOT_PROVIDE_A_WAY_TO_CLEAR_ENV="}`
	`325`	`+ }`
`323`	`326`	`if err := cmd.Start(); err != nil {`
`324`	`327`	`return err`
`325`	`328`	`}`