From a0f7977f0f18a7eb075f84260ab80b94bd2a9b4d Mon Sep 17 00:00:00 2001 From: Zhang Wei Date: Thu, 27 Oct 2016 00:42:22 +0800 Subject: [PATCH] Detect and forbid duplicated namespace in spec When spec file contains duplicated namespaces, e.g. specs: specs.Spec{ Linux: &specs.Linux{ Namespaces: []specs.Namespace{ { Type: "pid", }, { Type: "pid", Path: "/proc/1/ns/pid", }, }, }, } runc should report malformed spec instead of using latest one by default, because this spec could be quite confusing. Signed-off-by: Zhang Wei --- libcontainer/specconv/spec_linux.go | 3 +++ libcontainer/specconv/spec_linux_test.go | 24 ++++++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go index 479ffd13..fec19784 100644 --- a/libcontainer/specconv/spec_linux.go +++ b/libcontainer/specconv/spec_linux.go @@ -187,6 +187,9 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) { if !exists { return nil, fmt.Errorf("namespace %q does not exist", ns) } + if config.Namespaces.Contains(t) { + return nil, fmt.Errorf("malformed spec file: duplicated ns %q", ns) + } config.Namespaces.Add(t, ns.Path) } if config.Namespaces.Contains(configs.NEWNET) { diff --git a/libcontainer/specconv/spec_linux_test.go b/libcontainer/specconv/spec_linux_test.go index cd23620a..e28700ae 100644 --- a/libcontainer/specconv/spec_linux_test.go +++ b/libcontainer/specconv/spec_linux_test.go @@ -38,3 +38,27 @@ func TestLinuxCgroupsPathNotSpecified(t *testing.T) { t.Errorf("Wrong cgroupsPath, expected it to be empty string, got '%s'", cgroup.Path) } } + +func TestDupNamespaces(t *testing.T) { + spec := &specs.Spec{ + Linux: &specs.Linux{ + Namespaces: []specs.Namespace{ + { + Type: "pid", + }, + { + Type: "pid", + Path: "/proc/1/ns/pid", + }, + }, + }, + } + + _, err := CreateLibcontainerConfig(&CreateOpts{ + Spec: spec, + }) + + if err == nil { + t.Errorf("Duplicated namespaces should be forbidden") + } +}