diff --git a/libcontainer/logs/logs.go b/libcontainer/logs/logs.go index 349a18ed383..95deb0d6ca7 100644 --- a/libcontainer/logs/logs.go +++ b/libcontainer/logs/logs.go @@ -4,19 +4,10 @@ import ( "bufio" "encoding/json" "io" - "os" "github.com/sirupsen/logrus" ) -// IsLogrusFd returns whether the provided fd matches the one that logrus is -// currently outputting to. This should only ever be called by UnsafeCloseFrom -// from `runc init`. -func IsLogrusFd(fd uintptr) bool { - file, ok := logrus.StandardLogger().Out.(*os.File) - return ok && file.Fd() == fd -} - func ForwardLogs(logPipe io.ReadCloser) chan error { done := make(chan error, 1) s := bufio.NewScanner(logPipe) diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go index 842f9b0a6d2..bf3237a2911 100644 --- a/libcontainer/utils/utils_unix.go +++ b/libcontainer/utils/utils_unix.go @@ -10,8 +10,6 @@ import ( _ "unsafe" // for go:linkname "golang.org/x/sys/unix" - - "github.com/opencontainers/runc/libcontainer/logs" ) // EnsureProcHandle returns whether or not the given file handle is on procfs. @@ -102,12 +100,6 @@ func UnsafeCloseFrom(minFd int) error { // don't have any choice. return } - if logs.IsLogrusFd(uintptr(fd)) { - // Do not close the logrus output fd. We cannot exec a pipe, and - // the contents are quite limited (very little attacker control, - // JSON-encoded) making shellcode attacks unlikely. - return - } // There's nothing we can do about errors from close(2), and the // only likely error to be seen is EBADF which indicates the fd was // already closed (in which case, we got what we wanted).