conmon: Build argv instead of commandline to spawn runtime
This means we don't have to spawn via a shell, but it also means we do the right thing for any input that would have needed to be escaped. For instance if the container name had a $ in i, or even worse, a back-quote! Signed-off-by: Alexander Larsson <alexl@redhat.com>
This commit is contained in:
parent
d2f09ef483
commit
829ec7f351
1 changed files with 27 additions and 15 deletions
|
@ -429,7 +429,7 @@ int main(int argc, char *argv[])
|
||||||
int num_stdio_fds = 0;
|
int num_stdio_fds = 0;
|
||||||
GError *error = NULL;
|
GError *error = NULL;
|
||||||
GOptionContext *context;
|
GOptionContext *context;
|
||||||
_cleanup_gstring_ GString *cmd = NULL;
|
GPtrArray *runtime_argv = NULL;
|
||||||
|
|
||||||
/* Used for OOM notification API */
|
/* Used for OOM notification API */
|
||||||
_cleanup_close_ int efd = -1;
|
_cleanup_close_ int efd = -1;
|
||||||
|
@ -552,27 +552,40 @@ int main(int argc, char *argv[])
|
||||||
slavefd_stderr = fds[1];
|
slavefd_stderr = fds[1];
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd = g_string_new(runtime_path);
|
runtime_argv = g_ptr_array_new();
|
||||||
|
g_ptr_array_add(runtime_argv, runtime_path);
|
||||||
|
|
||||||
/* Generate the cmdline. */
|
/* Generate the cmdline. */
|
||||||
if (!exec && systemd_cgroup)
|
if (!exec && systemd_cgroup)
|
||||||
g_string_append_printf(cmd, " --systemd-cgroup");
|
g_ptr_array_add(runtime_argv, "--systemd-cgroup");
|
||||||
|
|
||||||
if (exec)
|
if (exec) {
|
||||||
g_string_append_printf(cmd, " exec -d --pid-file %s", pid_file);
|
g_ptr_array_add (runtime_argv, "exec");
|
||||||
else
|
g_ptr_array_add (runtime_argv, "-d");
|
||||||
g_string_append_printf(cmd, " create --bundle %s --pid-file %s", bundle_path, pid_file);
|
g_ptr_array_add (runtime_argv, "--pid-file");
|
||||||
|
g_ptr_array_add (runtime_argv, pid_file);
|
||||||
|
} else {
|
||||||
|
g_ptr_array_add (runtime_argv, "create");
|
||||||
|
g_ptr_array_add (runtime_argv, "--bundle");
|
||||||
|
g_ptr_array_add (runtime_argv, bundle_path);
|
||||||
|
g_ptr_array_add (runtime_argv, "--pid-file");
|
||||||
|
g_ptr_array_add (runtime_argv, pid_file);
|
||||||
|
}
|
||||||
|
|
||||||
if (terminal)
|
if (terminal) {
|
||||||
g_string_append_printf(cmd, " --console-socket %s", csname);
|
g_ptr_array_add(runtime_argv, "--console-socket");
|
||||||
|
g_ptr_array_add(runtime_argv, csname);
|
||||||
|
}
|
||||||
|
|
||||||
/* Set the exec arguments. */
|
/* Set the exec arguments. */
|
||||||
if (exec) {
|
if (exec) {
|
||||||
g_string_append_printf(cmd, " --process %s", exec_process_spec);
|
g_ptr_array_add(runtime_argv, "--process");
|
||||||
|
g_ptr_array_add(runtime_argv, exec_process_spec);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Container name comes last. */
|
/* Container name comes last. */
|
||||||
g_string_append_printf(cmd, " %s", cid);
|
g_ptr_array_add(runtime_argv, cid);
|
||||||
|
g_ptr_array_add(runtime_argv, NULL);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We have to fork here because the current runC API dups the stdio of the
|
* We have to fork here because the current runC API dups the stdio of the
|
||||||
|
@ -587,8 +600,6 @@ int main(int argc, char *argv[])
|
||||||
if (create_pid < 0) {
|
if (create_pid < 0) {
|
||||||
pexit("Failed to fork the create command");
|
pexit("Failed to fork the create command");
|
||||||
} else if (!create_pid) {
|
} else if (!create_pid) {
|
||||||
char *argv[] = {"sh", "-c", cmd->str, NULL};
|
|
||||||
|
|
||||||
/* We only need to touch the stdio if we have terminal=false. */
|
/* We only need to touch the stdio if we have terminal=false. */
|
||||||
/* FIXME: This results in us not outputting runc error messages to crio's log. */
|
/* FIXME: This results in us not outputting runc error messages to crio's log. */
|
||||||
if (slavefd_stdout >= 0) {
|
if (slavefd_stdout >= 0) {
|
||||||
|
@ -600,11 +611,12 @@ int main(int argc, char *argv[])
|
||||||
pexit("Failed to dup over stderr");
|
pexit("Failed to dup over stderr");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Exec into the process. TODO: Don't use the shell. */
|
execv(g_ptr_array_index(runtime_argv,0), (char **)runtime_argv->pdata);
|
||||||
execv("/bin/sh", argv);
|
|
||||||
exit(127);
|
exit(127);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
g_ptr_array_free (runtime_argv, TRUE);
|
||||||
|
|
||||||
/* The runtime has that fd now. We don't need to touch it anymore. */
|
/* The runtime has that fd now. We don't need to touch it anymore. */
|
||||||
close(slavefd_stdout);
|
close(slavefd_stdout);
|
||||||
close(slavefd_stderr);
|
close(slavefd_stderr);
|
||||||
|
|
Loading…
Reference in a new issue