From 8fff44ddbbb308173d35c4a9172093f68a1f8b76 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Fri, 23 Feb 2018 16:53:26 -0800
Subject: [PATCH 1/2] libcontainer/configs/config: Clear hook environ variables on empty Env
The runtime spec has [1]: * env (array of strings, OPTIONAL) with the same semantics as IEEE Std 1003.1-2008's environ. And running execle or similar with NULL env results in an empty environent: $ cat test.c #include int main() { return execle("/usr/bin/env", "env", NULL, NULL); } $ cc -o test test.c $ ./test ...no output... Go's Cmd.Env, on the other hand, has [2]: If Env is nil, the new process uses the current process's environment. This commit works around that by setting Env to an empty slice in those cases to avoid leaking the runtime environment into the hooks. [1]: https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks [2]: https://golang.org/pkg/os/exec/#Cmd
Signed-off-by: W. Trevor King
(cherry picked from commit c11bd33e91843e4985af77fd1c77975a3d2daa8a)
Signed-off-by: lfbzhm
---
 libcontainer/configs/config.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index 22fe0f9b4c1..f416179217e 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -480,6 +480,9 @@ func (c Command) Run(s *specs.State) error {
 Stdout: &stdout,
 Stderr: &stderr,
 }
+ if cmd.Env == nil {
+ cmd.Env = []string{}
+ }
 if err := cmd.Start(); err != nil {
 return err
 }
From c635e4b9b32f9f33570bdfb169b2b35f83086a89 Mon Sep 17 00:00:00 2001
From: lfbzhm
Date: Wed, 19 Jun 2024 14:45:55 +0000
Subject: [PATCH 2/2] add tests for env param in hooks
Signed-off-by: lfbzhm
---
 tests/integration/hooks.bats | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/tests/integration/hooks.bats b/tests/integration/hooks.bats
index 099337a2b2c..1c3f3f1edcb 100644
--- a/tests/integration/hooks.bats
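Review bot: The new `cmd.Env == nil` guard carries no comment, and nothing at the site says why a non-nil empty slice is required, so a later cleanup could fold it back to nil and silently re-introduce the leak of the runtime's environment into hook processes. I would put above the guard: `// Go's exec.Cmd treats a nil Env as "inherit the parent's environment"; the runtime spec calls for an empty environ when no env is given, so force a non-nil empty slice to keep the runtime's environment (and any secrets in it) out of the hook.` The comment should also spell out the compatibility consequence: a hook with no `env` now runs without PATH, HOME or anything else inherited, so hook programs that resolve tools through PATH change behaviour. The `Run` method starts and ends outside this hunk, and I am assuming `cmd.Env` is populated from the Command's own `Env` field in the struct literal above — not visible here.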
+++ b/tests/integration/hooks.bats
@@ -42,3 +42,42 @@ function teardown() {
 [[ "$output" == *"error running $hook hook #1:"* ]]
 done
 }
+
+@test "runc run [hook with env property]" {
+ update_config '.process.args = ["/bin/true"]'
+ update_config '.process.env = ["TEST_VAR=val"]'
+ # All hooks except Poststop.
+ for hook in prestart createRuntime createContainer startContainer poststart; do
+ echo "testing hook $hook"
+ # shellcheck disable=SC2016
+ update_config '.hooks = {
+ "'$hook'": [{
+ "path": "/bin/sh",
+ "args": ["/bin/sh", "-c", "[ \"$TEST_VAR\"==\"val\" ] && echo yes, we got val from the env TEST_VAR && exit 1 || exit 0"],
+ "env": ["TEST_VAR=val"]
+ }]
+ }'
+ TEST_VAR="val" runc run "test_hook-$hook"
+ [ "$status" -ne 0 ]
+ [[ "$output" == *"yes, we got val from the env TEST_VAR"* ]]
+ done
+}
+
+# https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks
+@test "runc run [hook without env property should not inherit host env]" {
+ update_config '.process.args = ["/bin/true"]'
+ update_config '.process.env = ["TEST_VAR=val"]'
+ # All hooks except Poststop.
+ for hook in prestart createRuntime createContainer startContainer poststart; do
+ echo "testing hook $hook"
+ # shellcheck disable=SC2016
+ update_config '.hooks = {
+ "'$hook'": [{
+ "path": "/bin/sh",
+ "args": ["/bin/sh", "-c", "[[ \"$TEST_VAR\" == \"val\" ]] && echo \"$TEST_VAR\" && exit 1 || exit 0"]
+ }]
+ }'
+ TEST_VAR="val" runc run "test_hook-$hook"
+ [ "$status" -eq 0 ]
+ done
+}
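Review bot: The comparison in the first test's hook, `[ \"$TEST_VAR\"==\"val\" ]`, has no spaces around `==`, so sh sees one non-empty word (`val==val`, or `==val` if the variable is unset) and the test is always true; the hook echoes the marker and exits 1 whether or not `TEST_VAR` reached it, so this test cannot fail when hook `env` delivery breaks. The second test's hook runs `[[ ... ]]` under `/bin/sh`, which is a bash extension: on a dash `/bin/sh` the `[[` command fails, the `|| exit 0` branch runs, and the test passes even if the host environment were inherited — which is the regression it is meant to catch. Both `-c` strings should use the POSIX form `[ \"$TEST_VAR\" = \"val\" ]`. The `.process.env` setting in both tests only affects the container process, not hook processes, so it is dead setup that implies a relationship that does not exist; I would drop it or comment that it is deliberately unrelated.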