[pve-devel] [PATCH v5 pve-container 4/5] fix #6897: constrain and untaint path for systemd version detection

Robert Obkircher r.obkircher at proxmox.com
Mon Nov 17 12:51:32 CET 2025


Ensure that the concatenated path stays within the container and
untaint it to make it callable from other hooks that run in taint mode
and would otherwise get an "Insecure dependency in exec" error.

Signed-off-by: Robert Obkircher <r.obkircher at proxmox.com>
---
 src/PVE/LXC/Setup/Base.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 370f3fa..6865225 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -605,9 +605,16 @@ sub clear_machine_id {
 sub get_systemd_version {
     my ($self, $init) = @_;
 
+    my $binary = abs_path($self->{rootdir} . $init);
+    if ($binary =~ /(^\Q$self->{rootdir}\E.*)/) {
+        $binary = $1; # untainted
+    } else {
+        die "Could not construct path to systemd binary: $self->{rootdir}, $init";
+    }
+
     my $version = undef;
     PVE::Tools::run_command(
-        ['objdump', '-p', $self->{rootdir} . $init],
+        ['objdump', '-p', $binary],
         outfunc => sub {
             my $line = shift;
             if ($line =~ /libsystemd-shared-(\d+)(?:[-_.][a-zA-Z0-9]+)*\.so:?$/) {
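Review bot: the untaint check at `if ($binary =~ /(^\Q$self->{rootdir}\E.*)/)` is a bare string-prefix match, so a resolved path under a sibling directory whose name merely starts with the rootdir string (e.g. `<rootdir>-old/usr/lib/systemd/systemd`) would also be accepted and untainted; anchor the match on a directory boundary, e.g. `/(^\Q$self->{rootdir}\E(?:\/.*)?)/`, so only paths at or below the container root pass. Also, `abs_path` is documented to return undef on error (for example when the resolved target does not exist), in which case the match runs on an uninitialized value and emits a warning before the `die`; a `defined $binary &&` guard in front of the regex keeps the failure path clean and makes the error message the only output.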
-- 
2.47.3