libct: check cmd.Err after exec.Command call

Theoretically, exec.Command can set cmd.Err.

Practically, this should never happen (Linux, Go <= 1.26, exePath is
absolute), but in the unlikely case it does, let's fail early.

This is related to the recently introduced cloneCmd which chooses to not
copy the Err field. Theoretically, exec.Command can set Err and so the
first call to cmd.Start will fail (since Err != nil), and the second
call to cmd.Start may succeed because Err == nil. Yet, this scenario is
highly unlikely, but better be safe than sorry.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Author: kolyshkin

libcontainer/container_linux.go

@@ -528,6 +528,12 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
 	}
 
 	cmd := exec.Command(exePath, "init")
+	// Theoretically, exec.Command can set cmd.Err. Practically, this
+	// should never happen (Linux, Go <= 1.26, exePath is absolute),
+	// but in the unlikely case it just did, let's fail early.
+	if cmd.Err != nil {
+		return nil, fmt.Errorf("exec.Command: %w", cmd.Err)
+	}
 	cmd.Args[0] = os.Args[0]
 	cmd.Stdin = p.Stdin
 	cmd.Stdout = p.Stdout