runc: fix bug that exec command leaks files

Signed-off-by: Zhang Tianyang <burning9699@gmail.com>
2022-02-23 20:26:59 +08:00 · 2022-02-23 20:26:59 +08:00 · b08e4090ea
parent 3905a44f0f
commit b08e4090ea
4 changed files with 19 additions and 7 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -8,3 +8,8 @@ members = [
    "crates/runc",
    "crates/runc-shim",
 ]
+
+[profile.release]
+# Keep binary as small as possible
+# https://doc.rust-lang.org/book/ch09-01-unrecoverable-errors-with-panic.html
+panic = 'abort'
--- a/crates/runc-shim/Cargo.toml
+++ b/crates/runc-shim/Cargo.toml
@ -25,7 +25,3 @@ crossbeam = "0.8.1"
 containerd-shim = { path = "../shim", version = "0.2.0" }
 runc = { path = "../runc", version = "0.1.0" }

-[profile.release]
-# Keep binary as small as possible
-# https://doc.rust-lang.org/book/ch09-01-unrecoverable-errors-with-panic.html
-panic = 'abort'
--- a/crates/runc/src/lib.rs
+++ b/crates/runc/src/lib.rs
@ -34,7 +34,10 @@
 */

 //! A crate for consuming the runc binary in your Rust applications, similar to [go-runc](https://github.com/containerd/go-runc) for Go.
+#![allow(unused)]
+
 use std::fmt::{self, Display};
+use std::io::Write;
 use std::path::{Path, PathBuf};
 use std::process::ExitStatus;

@ -207,9 +210,16 @@ impl Runc {

    /// Execute an additional process inside the container
    pub fn exec(&self, id: &str, spec: &Process, opts: Option<&ExecOpts>) -> Result<()> {
-        let filename = utils::temp_filename_in_runtime_dir()?;
-        let spec_json = serde_json::to_string(spec).map_err(Error::JsonDeserializationFailed)?;
-        std::fs::write(&filename, spec_json).map_err(Error::SpecFileCreationFailed)?;
+        let (mut temp_file, filename) = utils::make_temp_file_in_runtime_dir()?;
+        {
+            let f = temp_file.as_file_mut();
+            let spec_json =
+                serde_json::to_string(spec).map_err(Error::JsonDeserializationFailed)?;
+            f.write(spec_json.as_bytes())
+                .map_err(Error::SpecFileCreationFailed)?;
+            f.flush().map_err(Error::SpecFileCreationFailed)?;
+        }
+
        let mut args = vec!["exec".to_string(), "--process".to_string(), filename];
        if let Some(opts) = opts {
            args.append(&mut opts.args()?);
--- a/crates/runc/src/utils.rs
+++ b/crates/runc/src/utils.rs
@ -95,6 +95,7 @@ pub fn make_temp_file_in_runtime_dir() -> Result<(NamedTempFile, String), Error>
    let file_name = temp_filename_in_runtime_dir()?;
    let temp_file = Builder::new()
        .prefix(&file_name)
+        .rand_bytes(0)
        .tempfile()
        .map_err(Error::SpecFileCreationFailed)?;
    Ok((temp_file, file_name))