libcontainer/configs/config: Clear hook environ variables on empty Env

wking · wking · commit 96e87700c050 · 2018-02-23T18:34:39.000-08:00
The runtime spec has [1]: * env (array of strings, OPTIONAL) with the same semantics as IEEE Std 1003.1-2008's environ. And running execle or similar with NULL env results in an empty environent: $ cat test.c #include <unistd.h> int main() { return execle("/usr/bin/env", "env", NULL, NULL); } $ cc -o test test.c $ ./test ...no output... Go's Cmd.Env, on the other hand, has [2]: If Env is nil, the new process uses the current process's environment. This commit works around that by setting Env to an empty slice in those cases to avoid leaking the runtime environment into the hooks. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks [2]: https://golang.org/pkg/os/exec/#Cmd Signed-off-by: W. Trevor King <wking@tremily.us>
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -320,6 +320,9 @@ func (c Command) Run(s HookState) error {
 		Stdout: &stdout,
 		Stderr: &stderr,
 	}
+	if cmd.Env == nil {
+		cmd.Env = []string{}
+	}
 	if err := cmd.Start(); err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -320,6 +320,9 @@ func (c Command) Run(s HookState) error {`
`320`	`320`	`Stdout: &stdout,`
`321`	`321`	`Stderr: &stderr,`
`322`	`322`	`}`
	`323`	`+ if cmd.Env == nil {`
	`324`	`+ cmd.Env = []string{}`
	`325`	`+ }`
`323`	`326`	`if err := cmd.Start(); err != nil {`
`324`	`327`	`return err`
`325`	`328`	`}`