From f73e28371f2886ba2d7fd9a563035330e3d18fec Mon Sep 17 00:00:00 2001 From: Markus Lehtonen Date: Fri, 1 Aug 2025 12:54:25 +0300 Subject: [PATCH 1/2] libcontainer/intelrdt: refactor path handling Also, use GetPath() in Apply to get the resctrl group path, similar to other methods of intelRdtManager. Signed-off-by: Markus Lehtonen --- libcontainer/intelrdt/intelrdt.go | 40 +++++++++++--------------- libcontainer/intelrdt/intelrdt_test.go | 5 ++-- 2 files changed, 19 insertions(+), 26 deletions(-) diff --git a/libcontainer/intelrdt/intelrdt.go b/libcontainer/intelrdt/intelrdt.go index 7d4b4d38a60..6e9bc3c8fac 100644 --- a/libcontainer/intelrdt/intelrdt.go +++ b/libcontainer/intelrdt/intelrdt.go @@ -159,10 +159,23 @@ func NewManager(config *configs.Config, id string, path string) *Manager { if config.IntelRdt == nil { return nil } - if _, err := Root(); err != nil { - // Intel RDT is not available. + + rootPath, err := Root() + if err != nil { return nil } + // NOTE: Should we check if the path provided as arg matches the path + // constructed below? If not, we're screwed as we've effectively lost resctrl + // control of the container (e.g. because the resctrl fs was unmounted or + // remounted elsewhere). All operations are deemed to fail. + if path == "" { + clos := id + if config.IntelRdt.ClosID != "" { + clos = config.IntelRdt.ClosID + } + path = filepath.Join(rootPath, clos) + } + return newManager(config, id, path) } 
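Review bot: In the `NewManager` hunk, a non-empty `path` argument is passed to `newManager` unchanged, so only the `path == ""` branch is built from `rootPath`, and nothing checks that a caller-supplied path still lies under the current resctrl root. The added NOTE raises this only as an open question, which leaves the trust assumption undecided in the code. I would either resolve it or state the contract explicitly, e.g. `// A non-empty path (presumably restored from saved container state) is used as-is and is not checked against rootPath.` The `return nil` after a failed `Root()` has also lost its `// Intel RDT is not available.` comment, which explained why nil is returned. The function's signature line sits outside the hunk.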
@@ -428,21 +441,6 @@ func IsMBAEnabled() bool { return mbaEnabled } -// Get the path of the clos group in "resource control" filesystem that the container belongs to -func (m *Manager) getIntelRdtPath() (string, error) { - rootPath, err := Root() - if err != nil { - return "", err - } - - clos := m.id - if m.config.IntelRdt != nil && m.config.IntelRdt.ClosID != "" { - clos = m.config.IntelRdt.ClosID - } - - return filepath.Join(rootPath, clos), nil -} - // Apply applies Intel RDT configuration to the process with the specified pid. func (m *Manager) Apply(pid int) (err error) { // If intelRdt is not specified in config, we do nothing @@ -450,10 +448,7 @@ func (m *Manager) Apply(pid int) (err error) { return nil } - path, err := m.getIntelRdtPath() - if err != nil { - return err - } + path := m.GetPath() m.mu.Lock() defer m.mu.Unlock() @@ -497,9 +492,6 @@ func (m *Manager) Destroy() error { // GetPath returns Intel RDT path to save in a state file and to be able to // restore the object later. func (m *Manager) GetPath() string { - if m.path == "" { - m.path, _ = m.getIntelRdtPath() - } return m.path } diff --git a/libcontainer/intelrdt/intelrdt_test.go b/libcontainer/intelrdt/intelrdt_test.go index c127cd8f7c6..114499f82f3 100644 --- a/libcontainer/intelrdt/intelrdt_test.go +++ b/libcontainer/intelrdt/intelrdt_test.go @@ -101,13 +101,14 @@ func TestApply(t *testing.T) { helper := NewIntelRdtTestUtil(t) const closID = "test-clos" + closPath := filepath.Join(helper.IntelRdtPath, closID) helper.config.IntelRdt.ClosID = closID - intelrdt := newManager(helper.config, "", helper.IntelRdtPath) + intelrdt := newManager(helper.config, "container-1", closPath) if err := intelrdt.Apply(1234); err == nil { t.Fatal("unexpected success when applying pid") } - if _, err := os.Stat(filepath.Join(helper.IntelRdtPath, closID)); err == nil { + if _, err := os.Stat(closPath); err == nil { t.Fatal("closid dir should not exist") } 
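Review bot: In the `Apply` hunk, `path := m.GetPath()` can now be the empty string, because this patch removes the lazy fallback from `GetPath` and `newManager` still accepts whatever path it is given. The code after `m.mu.Lock()` is outside the hunk, so how an empty path is handled there is not visible; an explicit guard would make the failure unambiguous, e.g. `if path == "" { return errors.New("intelrdt: resctrl group path is not set") }` (assuming `errors` is imported in this file). The read also happens before `m.mu.Lock()`; if any other method assigns `m.path` under the mutex, which cannot be seen here, the read should move below the lock.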
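Review bot: In the `TestApply` hunk, the test now builds `closPath` itself and hands it to `newManager`, so the ClosID-over-id selection that this patch moves into `NewManager` is no longer exercised by the visible test. Passing `"container-1"` as the id would only show that `ClosID` wins if the path were derived by the code under test. Consider an additional case that calls `NewManager` with an empty path and asserts that `GetPath()` ends in `test-clos`, provided `Root()` can be pointed at the helper directory (not visible in this hunk). The test function continues outside the hunk.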
From 3a962655f88bd123bd4027f06323a3184d2fd8a8 Mon Sep 17 00:00:00 2001 From: Markus Lehtonen Date: Mon, 4 Aug 2025 09:40:18 +0300 Subject: [PATCH 2/2] libcontainer/intelrdt: use SecureJoin in NewManager Protects against invalid (non-validated) CLOS names. Signed-off-by: Markus Lehtonen --- libcontainer/intelrdt/intelrdt.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libcontainer/intelrdt/intelrdt.go b/libcontainer/intelrdt/intelrdt.go index 6e9bc3c8fac..d9c1b7234fc 100644 --- a/libcontainer/intelrdt/intelrdt.go +++ b/libcontainer/intelrdt/intelrdt.go @@ -10,6 +10,7 @@ import ( "strings" "sync" + securejoin "github.com/cyphar/filepath-securejoin" "github.com/moby/sys/mountinfo" "golang.org/x/sys/unix" @@ -173,7 +174,9 @@ func NewManager(config *configs.Config, id string, path string) *Manager { if config.IntelRdt.ClosID != "" { clos = config.IntelRdt.ClosID } - path = filepath.Join(rootPath, clos) + if path, err = securejoin.SecureJoin(rootPath, clos); err != nil { + return nil + } } return newManager(config, id, path)
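Review bot: `securejoin.SecureJoin(rootPath, clos)` in the `NewManager` hunk confines the result to `rootPath` but does not reject a bad name: a constructed value such as `..` resolves to `rootPath` itself, and a name containing separators resolves to some nested directory under it. The container would then presumably be placed in the root resctrl group or an unintended path instead of failing, so the "invalid CLOS names" from the commit message are rewritten rather than refused. I would validate before joining, e.g. `if clos == "." || clos == ".." || strings.ContainsRune(clos, '/') { return nil }`, or at least refuse a result equal to `rootPath`. Returning nil on the join error is also indistinguishable from "Intel RDT not configured", so unless callers validate the name elsewhere (not visible here) the failure is silent. The function body starts and ends outside this hunk.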