From a56f2bc836d623aaf0bb66124ff2a64792cfdd28 Mon Sep 17 00:00:00 2001 From: lifubang Date: Tue, 25 Mar 2025 02:48:44 +0000 Subject: [PATCH] libct: we should set envs after we are in the jail of the container Because we have to set a default HOME env for the current container user, so we should set it after we are in the jail of the container, or else we'll use host's `/etc/passwd` to get a wrong HOME value. Please see: #4688. Signed-off-by: lifubang (cherry picked from commit bf38646497586267776aa440323ebf4103338ffa) Signed-off-by: Kir Kolyshkin --- libcontainer/init_linux.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go index 8c30aae95..b6bcddc19 100644 --- a/libcontainer/init_linux.go +++ b/libcontainer/init_linux.go @@ -233,12 +233,6 @@ func startInitialization() (retErr error) { } func containerInit(t initType, config *initConfig, pipe *syncSocket, consoleSocket, pidfdSocket, fifoFile, logPipe *os.File) error { - env, err := prepareEnv(config.Env, config.UID) - if err != nil { - return err - } - config.Env = env - // Clean the RLIMIT_NOFILE cache in go runtime. // Issue: https://github.com/opencontainers/runc/issues/4195 maybeClearRlimitNofileCache(config.Rlimits) @@ -325,6 +319,14 @@ func finalizeNamespace(config *initConfig) error { } } + // We should set envs after we are in the jail of the container. + // Please see https://github.com/opencontainers/runc/issues/4688 + env, err := prepareEnv(config.Env, config.UID) + if err != nil { + return err + } + config.Env = env + w, err := capabilities.New(config.Capabilities) if err != nil { return err
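Review bot: The two comment lines added above the `prepareEnv` call say only that envs are set "after we are in the jail", which leaves the ordering constraint this hunk depends on implicit; whoever next reorders finalizeNamespace cannot tell what "jail" means here or which earlier step the call must follow. I would replace them with `// prepareEnv derives a default HOME for config.UID from /etc/passwd, so it must run only after the root has been switched to the container rootfs (pivot_root/chroot); run earlier it read the host's /etc/passwd, see https://github.com/opencontainers/runc/issues/4688.` The call is placed just before `capabilities.New`, so presumably ahead of the user switch; if finalizeNamespace resolves `config.Args[0]` with a PATH lookup earlier in the function (outside this hunk), confirm that lookup does not rely on anything prepareEnv normalizes in the environment, since that part of the function is not visible here. Note also that the `/etc/passwd` consulted is now image-supplied rather than host-controlled content, so a missing or malformed file is an expected input that prepareEnv must handle deliberately, because an error from it now aborts init after the root switch; the rest of finalizeNamespace starts before the hunk and continues after it.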