security: use absolute paths for exec to prevent PATH poisoning [2/5]

[rsampaio]

LocateExecutable relied on exec.LookPath which could return a relative path if "." is in PATH. When the agent runs as root, a local attacker who places a malicious binary in the working directory could hijack execution.

Harden LocateExecutable to resolve the result to an absolute path via filepath.Abs before returning it. Also resolve "sudo" through LocateExecutable in GetSystemManufacturer instead of using a bare command name, so the same absolute-path guarantee applies.

Description

Checklist

• I am familiar with the Contributing Guidelines.
• New or existing tests cover these changes.
• The documentation is up to date with these changes.

Summary by CodeRabbit

• Bug Fixes

  • Fail early with clearer errors when required system binaries cannot be located.
  • Reject non-absolute (relative) resolved executable paths to avoid running unintended commands.
  • Use resolved absolute executable paths for system and privilege-helper invocations rather than relying on ambiguous fallbacks.

• Tests

  • Added a unit test validating rejection of relative executable path results.
  • Broadened CI test tolerance for additional "not found" messages.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5be85c44-6686-41d0-b7b7-9c0df0585429

📥 Commits

Reviewing files that changed from the base of the PR and between cc2c7af and 9515c22.

📒 Files selected for processing (8)

• internal/attestation/attestation.go
• internal/attestation/attestation_test.go
• third_party/fleet-intelligence-sdk/pkg/file/file.go
• third_party/fleet-intelligence-sdk/pkg/file/file_test.go
• third_party/fleet-intelligence-sdk/pkg/host/virtualization_environment.go
• third_party/fleet-intelligence-sdk/pkg/process/options.go
• third_party/fleet-intelligence-sdk/pkg/process/pids.go
• third_party/fleet-intelligence-sdk/pkg/systemd/systemd.go

✅ Files skipped from review due to trivial changes (4)

• third_party/fleet-intelligence-sdk/pkg/host/virtualization_environment.go
• internal/attestation/attestation.go
• third_party/fleet-intelligence-sdk/pkg/file/file_test.go
• third_party/fleet-intelligence-sdk/pkg/systemd/systemd.go

🚧 Files skipped from review as they are similar to previous changes (4)

• third_party/fleet-intelligence-sdk/pkg/process/options.go
• internal/attestation/attestation_test.go
• third_party/fleet-intelligence-sdk/pkg/process/pids.go
• third_party/fleet-intelligence-sdk/pkg/file/file.go

---

📝 Walkthrough

Walkthrough

Call sites now resolve executables via a centralized LocateExecutable, validating absolute paths and returning lookup errors early; callers use the resolved absolute paths (e.g., nvattest, dmidecode, pidof, systemctl) when invoking external commands and update related error logging.

Changes

Cohort / File(s)	Summary
Executable Path Locator third_party/fleet-intelligence-sdk/pkg/file/file.go, third_party/fleet-intelligence-sdk/pkg/file/file_test.go	LocateExecutable now returns a wrapped error on exec.LookPath failure and rejects non-absolute resolution results; added test TestLocateExecutableRejectsRelativePathResult.
Attestation internal/attestation/attestation.go, internal/attestation/attestation_test.go	getEvidences resolves nvattest via pkgfile.LocateExecutable, uses the resolved path in exec.CommandContext, stores command run error in runErr, and adjusts test to accept "not found in PATH" early-return cases.
Host / virtualization third_party/fleet-intelligence-sdk/pkg/host/virtualization_environment.go	GetSystemManufacturer now invokes the resolved dmidecode path (dmidecodePath) directly with args -s system-manufacturer instead of hardcoding sudo; lookup errors are returned immediately.
Process utilities third_party/fleet-intelligence-sdk/pkg/process/options.go, third_party/fleet-intelligence-sdk/pkg/process/pids.go	Replaced exec.LookPath and literal invocations with file.LocateExecutable; commandExists and CheckRunningByPid rely on LocateExecutable success and use the resolved absolute paths for execution.
Systemd utilities third_party/fleet-intelligence-sdk/pkg/systemd/systemd.go	Replaced exec.LookPath with file.LocateExecutable for systemd/systemctl detection and for resolving systemctl used in DaemonReload, IsActive, and GetUptime; existence checks now reflect lookup success.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through PATHs both snug and wide,

I sniffed for bins with careful pride.
Only absolute tracks do stay,
No relative tricks to lead astray.
🥕 A tidy run — hooray today!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.71% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary security objective of the PR: hardening executable path resolution to use absolute paths and prevent PATH poisoning attacks. It is concise, specific, and clearly summarizes the main change from the developer's perspective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/absolute-paths-for-exec

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6e872ef9-5c2e-41b8-b15d-90ba30856229

📥 Commits

Reviewing files that changed from the base of the PR and between 47dab0c and 9bcd328.

📒 Files selected for processing (8)

• internal/attestation/attestation.go
• internal/attestation/attestation_test.go
• third_party/fleet-intelligence-sdk/pkg/file/file.go
• third_party/fleet-intelligence-sdk/pkg/file/file_test.go
• third_party/fleet-intelligence-sdk/pkg/host/virtualization_environment.go
• third_party/fleet-intelligence-sdk/pkg/process/options.go
• third_party/fleet-intelligence-sdk/pkg/process/pids.go
• third_party/fleet-intelligence-sdk/pkg/systemd/systemd.go

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9bcd328050

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@third_party/fleet-intelligence-sdk/pkg/host/virtualization_environment.go`:
- Around line 100-103: The code currently swallows failures from
file.LocateExecutable("sudo") by returning ("", nil); change this to propagate
the error (return "", err) or implement a fallback that attempts to run
dmidecodePath without sudo when sudo isn't found. Locate the sudoPath resolution
(file.LocateExecutable("sudo") and variable sudoPath) and either return the
discovered error instead of nil or add logic that, on sudo resolution failure,
tries the dmidecodePath execution path (using dmidecodePath) and logs the
failure to locate sudo (via the existing logger) before falling back so
detection doesn't silently degrade.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1fa729d6-2097-4274-a8c1-8def805aa28a

📥 Commits

Reviewing files that changed from the base of the PR and between 9bcd328 and aeaf471.

📒 Files selected for processing (8)

• internal/attestation/attestation.go
• internal/attestation/attestation_test.go
• third_party/fleet-intelligence-sdk/pkg/file/file.go
• third_party/fleet-intelligence-sdk/pkg/file/file_test.go
• third_party/fleet-intelligence-sdk/pkg/host/virtualization_environment.go
• third_party/fleet-intelligence-sdk/pkg/process/options.go
• third_party/fleet-intelligence-sdk/pkg/process/pids.go
• third_party/fleet-intelligence-sdk/pkg/systemd/systemd.go

✅ Files skipped from review due to trivial changes (2)

• third_party/fleet-intelligence-sdk/pkg/process/options.go
• internal/attestation/attestation.go

🚧 Files skipped from review as they are similar to previous changes (4)

• third_party/fleet-intelligence-sdk/pkg/systemd/systemd.go
• third_party/fleet-intelligence-sdk/pkg/file/file.go
• internal/attestation/attestation_test.go
• third_party/fleet-intelligence-sdk/pkg/file/file_test.go