libct/start: use execabs for newuidmap lookup

Since we are looking up the path to newuidmap/newgidmap in one context,
and executing those in another (libct/nsenter), it might make sense to
use a stricter rules for looking up path to those binaries.

Practically it means that if someone wants to use custom newuidmap and
newgidmap binaries from $PATH, it would be impossible to use these from
the current directory by means of PATH=.:$PATH; instead one would have
to do something like PATH=$(pwd):$PATH.

See https://go.dev/blog/path-security for background.

Signed-off-by: Kir Kolyshkin <[email protected]>

libcontainer/container_linux.go

@@ -23,6 +23,7 @@ import (
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink/nl"
+	"golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 	"google.golang.org/protobuf/proto"
 
@@ -2150,7 +2151,7 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 				// We resolve the paths for new{u,g}idmap from
 				// the context of runc to avoid doing a path
 				// lookup in the nsexec context.
-				if path, err := exec.LookPath("newuidmap"); err == nil {
+				if path, err := execabs.LookPath("newuidmap"); err == nil {
 					r.AddData(&Bytemsg{
 						Type:  UidmapPathAttr,
 						Value: []byte(path),
@@ -2178,7 +2179,7 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 				Value: b,
 			})
 			if c.config.RootlessEUID {
-				if path, err := exec.LookPath("newgidmap"); err == nil {
+				if path, err := execabs.LookPath("newgidmap"); err == nil {
 					r.AddData(&Bytemsg{
 						Type:  GidmapPathAttr,
 						Value: []byte(path),

vendor/modules.txt

@@ -72,6 +72,7 @@ github.com/vishvananda/netns
 golang.org/x/net/bpf
 # golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c
 ## explicit
+golang.org/x/sys/execabs
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/unix
 golang.org/x/sys/windows