From 788d0827be5d0f784456c45df30642add9547a7e Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 7 Nov 2019 11:30:15 +0900
Subject: [PATCH 1/4] v2: restore VerifyGroupPath

https://github.com/containerd/cgroups/pull/109#discussion_r343218221

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 v2/manager.go    |  8 ++++----
 v2/paths.go      | 21 +++++++++++++++++++++
 v2/paths_test.go |  2 ++
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/v2/manager.go b/v2/manager.go
index 40b1ed15..888fe8ce 100644
--- a/v2/manager.go
+++ b/v2/manager.go
@@ -100,8 +100,8 @@ func writeValues(path string, values []Value) error {
 }
 
 func NewManager(mountpoint string, group string, resources *Resources) (*Manager, error) {
-	if group == "" {
-		return nil, ErrInvalidGroupPath
+	if err := VerifyGroupPath(group); err != nil {
+		return nil, err
 	}
 	path := filepath.Join(mountpoint, group)
 	if err := os.MkdirAll(path, defaultDirPerm); err != nil {
@@ -121,8 +121,8 @@ func NewManager(mountpoint string, group string, resources *Resources) (*Manager
 }
 
 func LoadManager(mountpoint string, group string) (*Manager, error) {
-	if group == "" {
-		return nil, ErrInvalidGroupPath
+	if err := VerifyGroupPath(group); err != nil {
+		return nil, err
 	}
 	path := filepath.Join(mountpoint, group)
 	return &Manager{
diff --git a/v2/paths.go b/v2/paths.go
index 171e45bd..6f2f5edb 100644
--- a/v2/paths.go
+++ b/v2/paths.go
@@ -19,6 +19,7 @@ package v2
 import (
 	"fmt"
 	"path/filepath"
+	"strings"
 )
 
 // NestedGroupPath will nest the cgroups based on the calling processes cgroup
@@ -37,3 +38,23 @@ func PidGroupPath(pid int) (string, error) {
 	p := fmt.Sprintf("/proc/%d/cgroup", pid)
 	return parseCgroupFile(p)
 }
+
+// VerifyGroupPath verifies the format of group path string g.
+// The format is same as the third field in /proc/PID/cgroup.
+// e.g. "/user.slice/user-1001.slice/session-1.scope"
+//
+// g must be a "clean" absolute path starts with "/", and must not contain "/sys/fs/cgroup" prefix.
+//
+// VerifyGroupPath doesn't verify whether g actually exists on the system.
+func VerifyGroupPath(g string) error {
+	if !strings.HasPrefix(g, "/") {
+		return ErrInvalidGroupPath
+	}
+	if filepath.Clean(g) != g {
+		return ErrInvalidGroupPath
+	}
+	if strings.HasPrefix(g, "/sys/fs/cgroup") {
+		return ErrInvalidGroupPath
+	}
+	return nil
+}
diff --git a/v2/paths_test.go b/v2/paths_test.go
index d3650099..00fec4d4 100644
--- a/v2/paths_test.go
+++ b/v2/paths_test.go
@@ -28,6 +28,8 @@ func TestVerifyGroupPath(t *testing.T) {
 		"/foo/bar":                   true,
 		"/sys/fs/cgroup/foo":         false,
 		"/sys/fs/cgroup/unified/foo": false,
+		"foo":                        false,
+		"/foo/../bar":                false,
 	}
 	for s, valid := range valids {
 		err := VerifyGroupPath(s)

From b15f98493ecf98710faa65af8eb3e4eeef892859 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 7 Nov 2019 11:32:33 +0900
Subject: [PATCH 2/4] v2: fix TestParseCgroupFromReader

  --- FAIL: TestParseCgroupFromReader (0.00s)
      utils_test.go:34: expected
  "/user.slice/user-1001.slice/session-1.scope", got ""
      utils_test.go:37: invalid cgroup entry: "2:cpuset:/foo"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 v2/utils.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/v2/utils.go b/v2/utils.go
index 018f669f..ebb5335b 100644
--- a/v2/utils.go
+++ b/v2/utils.go
@@ -141,13 +141,15 @@ func parseCgroupFromReader(r io.Reader) (string, error) {
 		}
 		var (
 			text  = s.Text()
-			parts = strings.SplitN(text, "::", 2)
+			parts = strings.SplitN(text, ":", 3)
 		)
-		if len(parts) < 2 {
+		if len(parts) < 3 {
 			return "", fmt.Errorf("invalid cgroup entry: %q", text)
 		}
 		// text is like "0::/user.slice/user-1001.slice/session-1.scope"
-		return parts[1], nil
+		if parts[0] == "0" && parts[1] == "" {
+			return parts[2], nil
+		}
 	}
 	return "", fmt.Errorf("cgroup path not found")
 }

From 29ec75e6255b2ae35307600f57feafa0c0563a6f Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 7 Nov 2019 11:35:47 +0900
Subject: [PATCH 3/4] update go.mod

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 go.mod |  1 +
 go.sum | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/go.mod b/go.mod
index 3c32a296..ffea0a1a 100644
--- a/go.mod
+++ b/go.mod
@@ -10,5 +10,6 @@ require (
 	github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700
 	github.com/pkg/errors v0.8.1
 	github.com/sirupsen/logrus v1.4.2
+	github.com/urfave/cli v1.22.1
 	golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f
 )
diff --git a/go.sum b/go.sum
index c655b398..599abb99 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,10 @@
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/coreos/go-systemd v0.0.0-20181030182848-ad9ff7f9a9ff h1:bI9r9ZUi2/EmSnUHqrAm9a+l2Rd4vIdcsn8HLInY8UQ=
 github.com/coreos/go-systemd v0.0.0-20181030182848-ad9ff7f9a9ff/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
@@ -13,17 +16,26 @@ github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700 h1:eNUVfm/RFLIi1G7flU5/ZRTHvd4kcVuzfRnL6OFlzCI=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY=
+github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f h1:Xab8gg26GrI/x3RNdVhVkHHM1XLyGeRBEvz4Q5x4YW8=
 golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

From a4f92d6967edd0fc3b8e7a302e77a9fd3032d2db Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 7 Nov 2019 11:35:57 +0900
Subject: [PATCH 4/4] .travis.yml: run test for all packages

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 626a7037..4f0fdc2a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,7 +22,7 @@ before_script:
 script:
     - DCO_VERBOSITY=-q ../project/script/validate/dco
     - ../project/script/validate/fileheader ../project/
-    - go test -race -coverprofile=coverage.txt -covermode=atomic
+    - go test -race -coverprofile=coverage.txt -covermode=atomic ./...
 
 after_success:
     - bash <(curl -s https://codecov.io/bash)