switch back from golang.org/x/sys/execabs to os/exec (go1.19)

This is effectively a revert of 2ac9968, which
switched from os/exec to the golang.org/x/sys/execabs package to mitigate
security issues (mainly on Windows) with lookups resolving to binaries in the
current directory.

from the go1.19 release notes https://go.dev/doc/go1.19#os-exec-path

> ## PATH lookups
>
> Command and LookPath no longer allow results from a PATH search to be found
> relative to the current directory. This removes a common source of security
> problems but may also break existing programs that depend on using, say,
> exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe) in
> the current directory. See the os/exec package documentation for information
> about how best to update such programs.
>
> On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath
> environment variable, making it possible to disable the default implicit search
> of “.” in PATH lookups on Windows systems.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

archive/compression/compression.go

@@ -25,12 +25,12 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"strconv"
 	"sync"
 
 	"github.com/containerd/log"
 	"github.com/klauspost/compress/zstd"
-	exec "golang.org/x/sys/execabs"
 )
 
 type (

archive/compression/compression_test.go

@@ -23,12 +23,11 @@ import (
 	"crypto/rand"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"testing"
-
-	exec "golang.org/x/sys/execabs"
 )
 
 func TestMain(m *testing.M) {

archive/tar_test.go

@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"testing"
@@ -38,7 +39,6 @@ import (
 	"github.com/containerd/continuity/fs/fstest"
 	"github.com/opencontainers/go-digest"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 )
 
 const tarCmd = "tar"

cmd/containerd/command/service_windows.go

@@ -20,14 +20,14 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"time"
 
 	"github.com/containerd/containerd/v2/errdefs"
 	"github.com/containerd/containerd/v2/services/server"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/debug"

cmd/ctr/commands/content/content.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"sort"
 	"strings"
 	"text/tabwriter"
@@ -35,7 +36,6 @@ import (
 	digest "github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/urfave/cli"
-	exec "golang.org/x/sys/execabs"
 )
 
 var (

contrib/apparmor/template.go

@@ -25,11 +25,10 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path"
 	"strings"
 	"text/template"
-
-	exec "golang.org/x/sys/execabs"
 )
 
 // NOTE: This code is copied from <github.com/docker/docker/profiles/apparmor>.

contrib/nvidia/nvidia.go

@@ -20,13 +20,13 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"strconv"
 	"strings"
 
 	"github.com/containerd/containerd/v2/containers"
 	"github.com/containerd/containerd/v2/oci"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
-	exec "golang.org/x/sys/execabs"
 )
 
 // NvidiaCLI is the path to the Nvidia helper binary

diff/stream_unix.go

@@ -25,12 +25,12 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"sync"
 
 	"github.com/containerd/containerd/v2/protobuf"
 	"github.com/containerd/containerd/v2/protobuf/proto"
 	"github.com/containerd/typeurl/v2"
-	exec "golang.org/x/sys/execabs"
 )
 
 // NewBinaryProcessor returns a binary processor for use with processing content streams

diff/stream_windows.go

@@ -23,11 +23,11 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"sync"
 
 	"github.com/Microsoft/go-winio"
-	exec "golang.org/x/sys/execabs"
 
 	"github.com/containerd/containerd/v2/protobuf"
 	"github.com/containerd/containerd/v2/protobuf/proto"

integration/client/client_test.go

@@ -23,14 +23,14 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"testing"
 	"time"
 
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/identity"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
-	exec "golang.org/x/sys/execabs"
 
 	. "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/defaults"

integration/client/container_fuzzer.go

@@ -26,13 +26,13 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"os/exec"
 	"strings"
 	"time"
 
 	fuzz "github.com/AdaLogics/go-fuzz-headers"
 	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/oci"
-	exec "golang.org/x/sys/execabs"
 )
 
 var (

integration/client/container_linux_test.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -44,7 +45,6 @@ import (
 
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 )
 

integration/client/container_test.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
@@ -49,7 +50,6 @@ import (
 	"github.com/containerd/typeurl/v2"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 )
 
 func empty() cio.Creator {

integration/client/daemon.go

@@ -21,13 +21,13 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os/exec"
 	"runtime"
 	"sync"
 	"syscall"
 	"time"
 
 	. "github.com/containerd/containerd/v2/client"
-	exec "golang.org/x/sys/execabs"
 )
 
 type daemon struct {

integration/client/restart_monitor_test.go

@@ -22,6 +22,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -38,7 +39,6 @@ import (
 	srvconfig "github.com/containerd/containerd/v2/services/server/config"
 	"github.com/containerd/typeurl/v2"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 )
 
 func newDaemonWithConfig(t *testing.T, configTOML string) (*Client, *daemon, func()) {

integration/image_load_test.go

@@ -17,13 +17,13 @@
 package integration
 
 import (
+	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
 
 	"github.com/containerd/containerd/v2/integration/images"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 )
 

integration/issue7496_linux_test.go

@@ -22,6 +22,7 @@ import (
 	"io"
 	"net"
 	"os"
+	"os/exec"
 	"strconv"
 	"strings"
 	"syscall"
@@ -35,7 +36,6 @@ import (
 	"github.com/containerd/ttrpc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 )
 
 // TestIssue7496 is used to reproduce https://github.com/containerd/containerd/issues/7496

integration/main_test.go

@@ -25,6 +25,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	goruntime "runtime"
 	"strconv"
@@ -47,7 +48,6 @@ import (
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"

integration/pod_userns_linux_test.go

@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
 	"strings"
@@ -32,7 +33,6 @@ import (
 	runc "github.com/containerd/go-runc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 )

integration/volume_copy_up_unix_test.go

@@ -20,8 +20,7 @@ package integration
 
 import (
 	"fmt"
-
-	exec "golang.org/x/sys/execabs"
+	"os/exec"
 )
 
 func getOwnership(path string) (string, error) {

mount/lookup_linux_test.go

@@ -19,6 +19,7 @@ package mount
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -28,7 +29,6 @@ import (
 	"github.com/containerd/continuity/testutil"
 	"github.com/containerd/continuity/testutil/loopback"
 	"github.com/stretchr/testify/assert"
-	exec "golang.org/x/sys/execabs"
 )
 
 func checkLookup(t *testing.T, fsType, mntPoint, dir string) {

mount/mount_freebsd.go

@@ -20,9 +20,9 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"time"
 
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 )
 

mount/mount_linux.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
@@ -28,8 +29,6 @@ import (
 	"time"
 
 	"github.com/sirupsen/logrus"
-
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 )
 

mount/mount_linux_test.go

@@ -19,12 +19,12 @@ package mount
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"reflect"
 	"testing"
 
 	"github.com/containerd/continuity/testutil"
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 )
 

pkg/process/io.go

@@ -25,6 +25,7 @@ import (
 	"io"
 	"net/url"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"sync"
 	"sync/atomic"
@@ -36,7 +37,6 @@ import (
 	"github.com/containerd/fifo"
 	runc "github.com/containerd/go-runc"
 	"github.com/containerd/log"
-	exec "golang.org/x/sys/execabs"
 )
 
 const binaryIOProcTermTimeout = 12 * time.Second // Give logger process solid 10 seconds for cleanup

pkg/process/io_util.go

@@ -19,8 +19,7 @@ package process
 import (
 	"net/url"
 	"os"
-
-	exec "golang.org/x/sys/execabs"
+	"os/exec"
 )
 
 // NewBinaryCmd returns a Cmd to be used to start a logging binary.

runtime/v2/runc/manager/manager_linux.go

@@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	goruntime "runtime"
 	"syscall"
@@ -39,7 +40,6 @@ import (
 	"github.com/containerd/containerd/v2/runtime/v2/shim"
 	runcC "github.com/containerd/go-runc"
 	"github.com/containerd/log"
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/sys/unix"
 )