Merge pull request #623 from rajasec/validate-spec

Adding spec validation for exec and start

exec.go

@@ -118,7 +118,7 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
 		if err := json.NewDecoder(f).Decode(&p); err != nil {
 			return nil, err
 		}
-		return &p, nil
+		return &p, validateProcessSpec(&p)
 	}
 	// process via cli flags
 	if err := os.Chdir(bundle); err != nil {

spec.go

@@ -197,18 +197,6 @@ var mountPropagationMapping = map[string]int{
 	"":         syscall.MS_PRIVATE | syscall.MS_REC,
 }
 
-// validateSpec validates the fields in the spec
-// TODO: Add validation for other fields where applicable
-func validateSpec(spec *specs.Spec) error {
-	if spec.Process.Cwd == "" {
-		return fmt.Errorf("Cwd property must not be empty")
-	}
-	if !filepath.IsAbs(spec.Process.Cwd) {
-		return fmt.Errorf("Cwd must be an absolute path")
-	}
-	return nil
-}
-
 // loadSpec loads the specification from the provided path.
 // If the path is empty then the default path will be "config.json"
 func loadSpec(cPath string) (spec *specs.Spec, err error) {
@@ -224,7 +212,7 @@ func loadSpec(cPath string) (spec *specs.Spec, err error) {
 	if err = json.NewDecoder(cf).Decode(&spec); err != nil {
 		return nil, err
 	}
-	return spec, validateSpec(spec)
+	return spec, validateProcessSpec(&spec.Process)
 }
 
 func createLibcontainerConfig(cgroupName string, spec *specs.Spec) (*configs.Config, error) {

utils.go

@@ -365,3 +365,16 @@ func runProcess(container libcontainer.Container, config *specs.Process, listenF
 	}
 	return handler.forward(process)
 }
+
+func validateProcessSpec(spec *specs.Process) error {
+	if spec.Cwd == "" {
+		return fmt.Errorf("Cwd property must not be empty")
+	}
+	if !filepath.IsAbs(spec.Cwd) {
+		return fmt.Errorf("Cwd must be an absolute path")
+	}
+	if len(spec.Args) == 0 {
+		return fmt.Errorf("args must not be empty")
+	}
+	return nil
+}