Skip to content

Use resolved runsc executable path for nixos compatibility#13100

Open
0kenx wants to merge 2 commits intogoogle:masterfrom
0kenx:sigid/runsc-real-exe-path
Open

Use resolved runsc executable path for nixos compatibility#13100
0kenx wants to merge 2 commits intogoogle:masterfrom
0kenx:sigid/runsc-real-exe-path

Conversation

@0kenx
Copy link
Copy Markdown

@0kenx 0kenx commented May 6, 2026

Summary

Use specutils.ExePath instead of /proc/self/exe when runsc re-execs itself inside a new user namespace, and resolve ExePath to the real executable path at startup with a conservative fallback to /proc/self/exe.

Why

Some host-side execute allowlist policies cannot safely authorize procfs magic-link execution through /proc/self/exe. Resolving the real executable path keeps helper and user-namespace re-execs on the same concrete binary path that the supervisor already authorized.

Changes

  • Replace the direct /proc/self/exe re-exec in MaybeRunAsRoot with ExePath.
  • Initialize ExePath from os.Executable(), resolving symlinks when possible.
  • Fall back to /proc/self/exe if resolution fails, returns a non-absolute path, points at a directory, or points at a non-executable file.

Validation

  • Ran gofmt on changed files.
  • Ran git diff --check.

0kenx added 2 commits May 6, 2026 18:32
@0kenx
patch hardcoded path
200cc54 
Signed-off-by: 0kenx <km@nxfi.app>
@0kenx
patch hardcoded path
0e36ef8 
Signed-off-by: 0kenx <km@nxfi.app>
@google-cla
Copy link
Copy Markdown

google-cla Bot commented May 6, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@EtiennePerot
Copy link
Copy Markdown
Collaborator

EtiennePerot commented May 6, 2026

Some host-side execute allowlist policies cannot safely authorize procfs magic-link execution through /proc/self/exe.

Can you elaborate here?

There is a tradeoff here, which is that the path at specutils.ExePath may have changed between the time runsc started and the time it re-execs. There have been attacks on this path during the container startup process, by making container startup hooks act in unexpected ways. IMO /proc/self/exe is the safer thing to do. I am surprised that an allowlist policy wouldn't allow it, since that seems like the safest way for a binary to re-exec itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@0kenx @EtiennePerot