Update specs

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Godeps/Godeps.json

@@ -53,7 +53,7 @@
 		},
 		{
 			"ImportPath": "github.com/opencontainers/specs",
-			"Rev": "5b31bb2b7771e5074a4eb14eca432da1ca5182d6"
+			"Rev": "da9240a7125f601aef46f66ea615177607b00d39"
 		},
 		{
 			"ImportPath": "github.com/syndtr/gocapability/capability",

Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml

@@ -0,0 +1,17 @@
+language: go
+go:
+  - 1.4.2
+  - 1.3.3
+
+sudo: false
+
+before_install:
+  - go get golang.org/x/tools/cmd/vet
+  - go get github.com/golang/lint/golint
+
+install: true
+
+script:
+  - go vet -x ./...
+  - $HOME/gopath/bin/golint ./...
+  

Godeps/_workspace/src/github.com/opencontainers/specs/README.md

@@ -8,6 +8,7 @@ Table of Contents
 - [Container Configuration](config.md)
   - [Linux Specific Configuration](config-linux.md)
 - [Runtime and Lifecycle](runtime.md)
+- [Implementations](implementations.md)
 
 ## Use Cases
 
@@ -63,10 +64,16 @@ the `LICENSE` file of this repository.
 ## Weekly Call
 
 The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST.
-Everyone is welcome to participate in the call.  The link to the call will be posted on the mailing
+The link to the call will be posted on the mailing list each week along with set topics for discussion.
-list each week along with set topics for discussion.
+Everyone is welcome to participate in the call, although there can only be speaking members on the Google Hangout.
+Participants who don't get a speaking slot can watch the live broadcast on [this YouTube channel][youtube] and post feedback and questions on [the IRC channel](#irc).
+Everyone is welcome to propose additional topics, suggest other agenda alterations, or request a speaking slot via the mailing list.
 Minutes for the call will be posted to the mailing list for those who are unable to join the call.
 
+## IRC
+
+OCI discussion happens on #opencontainers on Freenode.
+
 ## Markdown style
 
 To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line.
@@ -127,3 +134,5 @@ then you just add a line to every git commit message:
 using your real name (sorry, no pseudonyms or anonymous contributions.)
 
 You can add the sign off when creating the git commit via `git commit -s`.
+
+[youtube]: https://www.youtube.com/channel/UC1wmLdEYmwWcsFg7bt1s5nw

Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md

@@ -55,20 +55,82 @@ within the container.
 
 ### Access to devices
 
-Devices is an array specifying the list of devices from the host to make available in the container.
+Devices is an array specifying the list of devices to be created in the container.
-By providing a device name within the list the runtime should look up the same device on the host's `/dev`
+Next parameters can be specified:
-and collect information about the device node so that it can be recreated for the container.  The runtime
+
-should not only create the device inside the container but ensure that the root user inside 
+* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
-the container has access rights for the device.
+* path - full path to device inside container
+* major, minor - major, minor numbers for device. More info in `man mknod`.
+                 There is special value: `-1`, which means `*` for `device`
+                 cgroup setup.
+* permissions - cgroup permissions for device. A composition of 'r'
+                (read), 'w' (write), and 'm' (mknod).
+* fileMode - file mode for device file
+* uid - uid of device owner
+* gid - gid of device owner
 
 ```json
    "devices": [
-        "null",
+        {
-        "random",
+            "path": "/dev/random",
-        "full",
+            "type": "c",
-        "tty",
+            "major": 1,
-        "zero",
+            "minor": 8,
-        "urandom"
+            "permissions": "rwm",
+            "fileMode": 0666,
+            "uid": 0,
+            "gid": 0
+        },
+        {
+            "path": "/dev/urandom",
+            "type": "c",
+            "major": 1,
+            "minor": 9,
+            "permissions": "rwm",
+            "fileMode": 0666,
+            "uid": 0,
+            "gid": 0
+        },
+        {
+            "path": "/dev/null",
+            "type": "c",
+            "major": 1,
+            "minor": 3,
+            "permissions": "rwm",
+            "fileMode": 0666,
+            "uid": 0,
+            "gid": 0
+        },
+        {
+            "path": "/dev/zero",
+            "type": "c",
+            "major": 1,
+            "minor": 5,
+            "permissions": "rwm",
+            "fileMode": 0666,
+            "uid": 0,
+            "gid": 0
+        },
+        {
+            "path": "/dev/tty",
+            "type": "c",
+            "major": 5,
+            "minor": 0,
+            "permissions": "rwm",
+            "fileMode": 0666,
+            "uid": 0,
+            "gid": 0
+        },
+        {
+            "path": "/dev/full",
+            "type": "c",
+            "major": 1,
+            "minor": 7,
+            "permissions": "rwm",
+            "fileMode": 0666,
+            "uid": 0,
+            "gid": 0
+        }
     ]
 ```
 
@@ -81,7 +143,7 @@ the container. For more information, see the [kernel cgroups documentation](http
 ## Linux capabilities
 
 Capabilities is an array that specifies Linux capabilities that can be provided to the process
-inside the container. Valid values are the string after `CAP_` for capabilities defined 
+inside the container. Valid values are the string after `CAP_` for capabilities defined
 in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
 
 ```json
@@ -146,7 +208,39 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave
     "rootfsPropagation": "slave",
 ```
 
-## Security
+## Selinux process label
 
-**TODO:** security profiles
+Selinux process label specifies the label with which the processes in a container are run.
+For more information about SELinux, see  [Selinux documentation](http://selinuxproject.org/page/Main_Page)
+```json
+   "selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
+```
 
+## Apparmor profile
+
+Apparmor profile specifies the name of the apparmor profile that will be used for the container.
+For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
+
+```json
+   "apparmorProfile": "acme_secure_profile"
+```
+
+## Seccomp
+
+Seccomp provides application sandboxing mechanism in the Linux kernel.
+Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
+matching on values passed as arguments to syscalls.
+For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
+The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
+
+```json
+   "seccomp": {
+       "defaultAction": "SCMP_ACT_ALLOW",
+       "syscalls": [
+           {
+               "name": "getcwd",
+               "action": "SCMP_ACT_ERRNO"
+           }
+       ]
+   }
+```

Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md

@@ -0,0 +1,16 @@
+# Implementations
+
+The following sections link to associated projects, some of which are maintained by the OCI and some of which are maintained by external organizations.
+If you know of any associated projects that are not listed here, please file a pull request adding a link to that project.
+
+## Runtime (Container)
+
+* [opencontainers/runc](https://github.com/opencontainers/runc) - Reference implementation of OCI runtime
+
+## Runtime (Virtual Machine)
+
+* [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI
+
+## Testing
+
+* [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime

Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go

@@ -2,6 +2,8 @@
 
 package specs
 
+import "os"
+
 // LinuxSpec is the full specification for Linux containers
 type LinuxSpec struct {
 	Spec
@@ -27,7 +29,13 @@ type Linux struct {
 	// Capabilities are Linux capabilities that are kept for the container
 	Capabilities []string `json:"capabilities"`
 	// Devices are a list of device nodes that are created and enabled for the container
-	Devices []string `json:"devices"`
+	Devices []Device `json:"devices"`
+	// ApparmorProfile specified the apparmor profile for the container.
+	ApparmorProfile string `json:"apparmorProfile"`
+	// SelinuxProcessLabel specifies the selinux context that the container process is run as.
+	SelinuxProcessLabel string `json:"selinuxProcessLabel"`
+	// Seccomp specifies the seccomp security settings for the container.
+	Seccomp Seccomp `json:"seccomp"`
 	// RootfsPropagation is the rootfs mount propagation mode for the container
 	RootfsPropagation string `json:"rootfsPropagation"`
 }
@@ -157,3 +165,49 @@ type Resources struct {
 	// Network restriction configuration
 	Network Network `json:"network"`
 }
+
+type Device struct {
+	// Device type, block, char, etc.
+	Type rune `json:"type"`
+	// Path to the device.
+	Path string `json:"path"`
+	// Major is the device's major number.
+	Major int64 `json:"major"`
+	// Minor is the device's minor number.
+	Minor int64 `json:"minor"`
+	// Cgroup permissions format, rwm.
+	Permissions string `json:"permissions"`
+	// FileMode permission bits for the device.
+	FileMode os.FileMode `json:"fileMode"`
+	// UID of the device.
+	UID uint32 `json:"uid"`
+	// Gid of the device.
+	GID uint32 `json:"gid"`
+}
+
+// Seccomp represents syscall restrictions
+type Seccomp struct {
+	DefaultAction Action     `json:"defaultAction"`
+	Syscalls      []*Syscall `json:"syscalls"`
+}
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Operator used to match syscall arguments in Seccomp
+type Operator string
+
+// Arg used for matching specific syscall arguments in Seccomp
+type Arg struct {
+	Index    uint     `json:"index"`
+	Value    uint64   `json:"value"`
+	ValueTwo uint64   `json:"valueTwo"`
+	Op       Operator `json:"op"`
+}
+
+// Syscall is used to match a syscall in Seccomp
+type Syscall struct {
+	Name   string `json:"name"`
+	Action Action `json:"action"`
+	Args   []*Arg `json:"args"`
+}