cli: hook: Validate the hook commands

[sboeuf]

From @bergwolf:

I think we must validate the hook commands (e.g., with a configurable command binary whitelist) before really executing any of them. For example, imagine a public container cloud provider that runs kata containers inside, and then here comes a user who creates a container with rm -rf / in the OCI spec hook. BOOM!
It looks like runc does not handle it either. But kata is supposed to be more secure than runc. :)

[jodh-intel]

Or, we could add a new allow_arbitrary_hook_cmds = false config option. It would be disabled by default and would only allow hooks to call internally recognised commands. For docker, that would be libnetwork-setkey.

If the user upgraded docker and the hook command(s) that docker uses changed, they would have the option of manually setting allow_arbitrary_hook_cmds = true to override the built-in checking. In that scenario, we'd need to ensure we logged the full hook command.