From 88c13c0713d15cd065df6af9e803646cb23f303c Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Sun, 5 Apr 2020 20:12:20 -0700
Subject: [PATCH] cgroupv2: use SecureJoin in systemd driver
It seems that some paths are coming from user and are therefore untrusted.
Signed-off-by: Kir Kolyshkin
---
 libcontainer/cgroups/systemd/unified_hierarchy.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libcontainer/cgroups/systemd/unified_hierarchy.go b/libcontainer/cgroups/systemd/unified_hierarchy.go
index 9e0d6db9c..540161afe 100644
--- a/libcontainer/cgroups/systemd/unified_hierarchy.go
+++ b/libcontainer/cgroups/systemd/unified_hierarchy.go
@@ -13,6 +13,7 @@ import (
 "time"
 systemdDbus "github.com/coreos/go-systemd/v22/dbus"
+ securejoin "github.com/cyphar/filepath-securejoin"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/opencontainers/runc/libcontainer/cgroups/fs2"
 "github.com/opencontainers/runc/libcontainer/configs"
@@ -213,7 +214,13 @@ func (m *UnifiedManager) GetUnifiedPath() (string, error) {
 return "", err
 }
- m.path = filepath.Join(fs2.UnifiedMountpoint, slice, getUnitName(c))
+ path := filepath.Join(slice, getUnitName(c))
+ path, err = securejoin.SecureJoin(fs2.UnifiedMountpoint, path)
+ if err != nil {
+ return "", err
+ }
+ m.path = path
+
 return m.path, nil
 }
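Review bot: In GetUnifiedPath, `securejoin.SecureJoin` clamps a path that tries to leave the root rather than returning an error, so a `slice` or unit name carrying `..` components would still produce a valid-looking `m.path` somewhere else under `fs2.UnifiedMountpoint`. The preceding `filepath.Join(slice, getUnitName(c))` also cleans the relative path lexically, so such components can cancel the slice prefix before SecureJoin ever sees it. If the cgroup is meant to stay below the expanded slice, the joined result should be compared against that slice directory and rejected on mismatch. I would also record the trust assumption next to the call, for example `// slice and unit name come from the container config and are untrusted; SecureJoin only keeps the result under the cgroup2 mount`. How `slice` is derived and validated lies above the hunk, so part of this may already be covered there.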