apparmor: use safe procfs API for labels

EnsureProcHandle only protects us against a tmpfs mount, but the risk of
a procfs path being used (such as /proc/self/sched) has been known for a
while. Now that filepath-securejoin has a reasonably safe procfs API,
switch to it.

Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <[email protected]>

Author: cyphar

libcontainer/apparmor/apparmor_linux.go

@@ -6,6 +6,9 @@ import (
 	"os"
 	"sync"
 
+	"golang.org/x/sys/unix"
+
+	"github.com/opencontainers/runc/internal/pathrs"
 	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
@@ -36,15 +39,15 @@ func setProcAttr(attr, value string) error {
 	// Under AppArmor you can only change your own attr, so there's no reason
 	// to not use /proc/thread-self/ (instead of /proc/<tid>/, like libapparmor
 	// does).
-	attrPath, closer := utils.ProcThreadSelf(attrSubPath)
-	defer closer()
-
-	f, err := os.OpenFile(attrPath, os.O_WRONLY, 0)
+	f, closer, err := pathrs.ProcThreadSelfOpen(attrSubPath, unix.O_WRONLY|unix.O_CLOEXEC)
 	if err != nil {
 		return err
 	}
+	defer closer()
 	defer f.Close()
 
+	// NOTE: This is not really necessary since securejoin.ProcThreadSelf
+	// verifies this in a far stricter sense than EnsureProcHandle.
 	if err := utils.EnsureProcHandle(f); err != nil {
 		return err
 	}