From f3a00d38601d95b1fc94aa8b67d98605346f0514 Mon Sep 17 00:00:00 2001
From: Evan Phoenix
Date: Mon, 3 Oct 2022 10:39:33 -0700
Subject: [PATCH] Use securejoin
Signed-off-by: Evan Phoenix
---
 libcontainer/cgroups/systemd/common.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
index c25a078de96..09b03239e3f 100644
--- a/libcontainer/cgroups/systemd/common.go
+++ b/libcontainer/cgroups/systemd/common.go
@@ -14,6 +14,7 @@ import (
 "time"
 systemdDbus "github.com/coreos/go-systemd/v22/dbus"
+ securejoin "github.com/cyphar/filepath-securejoin"
 dbus "github.com/godbus/dbus/v5"
 "github.com/sirupsen/logrus"
@@ -297,7 +298,13 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
 // (/dev/{block,char} is populated by udev, which isn't strictly required for systemd).
 // Ironically, this happens most easily when starting containerd within a runc created
 // container itself.
- if _, err := os.Stat("/sys" + entry.Path); err != nil {
+ testPath, err := securejoin.SecureJoin("/sys", entry.Path)
+ if err != nil {
+ logrus.Errorf("error joining entry path: %s", err)
+ continue
+ }
+
+ if _, err := os.Stat(testPath); err != nil {
 logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err)
 continue
 }
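Review bot: The new error branch after `securejoin.SecureJoin("/sys", entry.Path)` skips the device with `logrus.Errorf("error joining entry path: %s", err)`, which omits the path and logs at a higher level than the stat failure just below it, although both branches only `continue`. Using `logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err)` there would keep the two skips consistent and make a rejected path traceable in logs. A short comment above the join would also help, noting that SecureJoin scopes symlink resolution under `/sys` only at the time of the call and that `os.Stat(testPath)` resolves the path again, so this is a best-effort existence check rather than a containment guarantee. Where `entry.Path` is built lies outside this hunk, as do the start and end of `generateDeviceProperties`, so whether the value can ever contain caller-influenced components cannot be confirmed from here.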