From: Robert Obkircher <r.obkircher@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v4 pve-container 4/5] fix #6897: constrain and untaint path for systemd version detection
Date: Thu, 13 Nov 2025 16:03:02 +0100 [thread overview]
Message-ID: <20251113150342.101933-5-r.obkircher@proxmox.com> (raw)
In-Reply-To: <20251113150342.101933-1-r.obkircher@proxmox.com>
Ensure that the concatenated path stays within the container and
untaint it to make it callable from other hooks that run in taint mode
and would otherwise get an "Insecure dependency in exec" error.
Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
src/PVE/LXC/Setup/Base.pm | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 12e3097..bd595ab 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -604,9 +604,16 @@ sub clear_machine_id {
sub get_systemd_version {
my ($self, $init) = @_;
+ my $binary = abs_path($self->{rootdir} . $init);
+ if ($binary =~ /(^\Q$self->{rootdir}\E.*)/) {
+ $binary = $1; # untainted
+ } else {
+ die "Could not construct path to systemd binary: $self->{rootdir}, $init";
+ }
+
my $version = undef;
PVE::Tools::run_command(
- ['objdump', '-p', $self->{rootdir} . $init],
+ ['objdump', '-p', $binary],
outfunc => sub {
my $line = shift;
if ($line =~ /libsystemd-shared-(\d+)(?:[-_.][a-zA-Z0-9]+)*\.so:?$/) {
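Review bot: the prefix check in `if ($binary =~ /(^\Q$self->{rootdir}\E.*)/)` accepts any resolved path that merely begins with the rootdir string, so a symlink that resolves into a sibling directory such as `<rootdir>2/...` would pass as "inside the container"; requiring a separator after the root, e.g. `/(^\Q$self->{rootdir}\E\/.+)/`, closes that gap. `abs_path` returns undef when a path component cannot be resolved, so test `defined $binary` before the match to reach the `die` without an uninitialized-value warning on the `$binary =~` line. Also make sure `abs_path` is imported from Cwd in Base.pm; the import is not visible in this hunk.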
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
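The constrain-and-untaint pattern from this patch, as an added Perl example that is not part of the patch or of pve-container: it builds a throwaway rootfs, shows a tainted $init becoming untainted through the regex capture, and rejects a symlink that resolves into a sibling directory of the root because the pattern demands a `/` after the root (stricter than the `.*` in the hunk). The helper names `constrained_path` and `make_rootfs` and the directory layout are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not pve-container code: the constrain-and-untaint pattern from
# the patch, exercised on a constructed temporary rootfs. Helper names
# (constrained_path, make_rootfs) are hypothetical.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Path qw(make_path);
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Resolve $rootdir . $init (following symlinks), require the result to stay
# below $rootdir, and return it untainted via the regex capture. Requiring a
# "/" right after the root rejects a sibling such as "${rootdir}2/...".
sub constrained_path {
    my ($rootdir, $init) = @_;
    my $binary = abs_path($rootdir . $init);
    die "cannot resolve $rootdir$init\n" unless defined $binary;
    if ($binary =~ m{^(\Q$rootdir\E/.+)$}) {
        return $1;    # untainted copy
    }
    die "path escapes container root: $binary\n";
}

# Constructed layout: $base/rootfs (the container) and $base/rootfs2 (a sibling
# on the host). init-ok links inside the rootfs; init links out to the sibling.
sub make_rootfs {
    my $base = tempdir(CLEANUP => 1);
    my ($root, $sibling) = ("$base/rootfs", "$base/rootfs2");
    make_path("$root/usr/lib/systemd", "$root/sbin", $sibling);
    for my $f ("$root/usr/lib/systemd/systemd", "$sibling/systemd") {
        open(my $fh, '>', $f) or die "$f: $!";
        close($fh);
    }
    symlink("../usr/lib/systemd/systemd", "$root/sbin/init-ok") or die $!;
    symlink("$sibling/systemd", "$root/sbin/init") or die $!;
    return $root;
}

my $root = make_rootfs();
# Concatenating a zero-length substring of tainted %ENV data taints $init (when
# PATH is set), as an $init derived from container data would be under -T.
my $init = '/sbin/init-ok' . substr($ENV{PATH} // '', 0, 0);
printf "input tainted: %d\n", tainted($init) ? 1 : 0;
my $ok = constrained_path($root, $init);
printf "accepted: %s (tainted: %d)\n", $ok, tainted($ok) ? 1 : 0;
eval { constrained_path($root, '/sbin/init') };
print "rejected: $@";
```

Run it with `perl -T` so taint mode is active; abs_path follows the symlinks inside the constructed rootfs, which is exactly why the prefix check is needed before the path is handed to `exec`.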