From b940cc5cff325ecba2dc2a950f14f098e1519511 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Mon, 10 Dec 2018 15:40:40 -0500
Subject: [PATCH] Move caps and device spec utils to `oci` pkg
Signed-off-by: Michael Crosby
---
 daemon/exec_linux.go          |  2 +-
 daemon/oci_linux.go           |  4 ++--
 daemon/oci_windows.go         |  4 ++--
 {daemon => oci}/caps/utils.go |  2 +-
 {daemon => oci}/oci.go        | 26 ++++++++++++++------------
 5 files changed, 20 insertions(+), 18 deletions(-)
 rename {daemon => oci}/caps/utils.go (98%)
 rename {daemon => oci}/oci.go (74%)
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index cd52f4886f..2c4f96a5c8 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -2,8 +2,8 @@ package daemon // import "github.com/docker/docker/daemon"
 import (
 	"github.com/docker/docker/container"
-	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/docker/daemon/exec"
+	"github.com/docker/docker/oci/caps"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 58209c56fa..e330f4fc66 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -113,7 +113,7 @@ func setDevices(s *specs.Spec, c *container.Container) error {
 	}
 	var err error
-	devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
+	devPermissions, err = oci.AppendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
 	if err != nil {
 		return err
 	}
@@ -762,7 +762,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
 	if err := setNamespaces(daemon, &s, c); err != nil {
 		return nil, fmt.Errorf("linux spec namespaces: %v", err)
 	}
-	if err := setCapabilities(&s, c); err != nil {
+	if err := oci.SetCapabilities(&s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
 		return nil, fmt.Errorf("linux spec capabilities: %v", err)
 	}
 	if err := setSeccomp(daemon, &s, c); err != nil {
diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go
index baa6ae0b91..8cffbc6b17 100644
--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
@@ -368,10 +368,10 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
 	}
 	s.Root.Path = "rootfs"
 	s.Root.Readonly = c.HostConfig.ReadonlyRootfs
-	if err := setCapabilities(s, c); err != nil {
+	if err := oci.SetCapabilities(s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
 		return fmt.Errorf("linux spec capabilities: %v", err)
 	}
-	devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
+	devPermissions, err := oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
 	if err != nil {
 		return fmt.Errorf("linux runtime spec devices: %v", err)
 	}
diff --git a/daemon/caps/utils.go b/oci/caps/utils.go
similarity index 98%
rename from daemon/caps/utils.go
rename to oci/caps/utils.go
index c5ded542ef..9b939fffc4 100644
--- a/daemon/caps/utils.go
+++ b/oci/caps/utils.go
@@ -1,4 +1,4 @@
-package caps // import "github.com/docker/docker/daemon/caps"
+package caps // import "github.com/docker/docker/oci/caps"
 import (
 	"fmt"
diff --git a/daemon/oci.go b/oci/oci.go
similarity index 74%
rename from daemon/oci.go
rename to oci/oci.go
index 52050e24fa..adc6a3715c 100644
--- a/daemon/oci.go
+++ b/oci/oci.go
@@ -1,27 +1,28 @@
-package daemon // import "github.com/docker/docker/daemon"
+package oci // import "github.com/docker/docker/oci"
 import (
 	"fmt"
 	"regexp"
 	"strconv"
-	"github.com/docker/docker/container"
-	"github.com/docker/docker/daemon/caps"
+	"github.com/docker/docker/oci/caps"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 // nolint: gosimple
-var (
-	deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
-)
+var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
-func setCapabilities(s *specs.Spec, c *container.Container) error {
-	var caplist []string
-	var err error
-	if c.HostConfig.Privileged {
+// SetCapabilities sets the provided capabilities on the spec
+// All capabilities are added if privileged is true
+func SetCapabilities(s *specs.Spec, add, drop []string, privileged bool) error {
+	var (
+		caplist []string
+		err     error
+	)
+	if privileged {
 		caplist = caps.GetAllCapabilities()
 	} else {
-		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
+		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, add, drop)
 		if err != nil {
 			return err
 		}
@@ -39,7 +40,8 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 	return nil
 }
-func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
+// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
+func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
 	for _, deviceCgroupRule := range rules {
 		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
 		if len(ss[0]) != 5 {
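Review bot: The new doc comment on `SetCapabilities` should say that `add` and `drop` are ignored entirely when `privileged` is true — the privileged branch takes `caps.GetAllCapabilities()` and never consults `drop`, so a caller passing both Privileged and a CapDrop list silently gets every capability, and now that this is an exported `oci` helper that is a public contract rather than daemon-internal behaviour. Suggested wording: `// SetCapabilities sets the provided capabilities on the spec. When privileged is true every capability is granted and add/drop are ignored; otherwise add and drop are applied to s.Process.Capabilities.Bounding.` The non-privileged branch also dereferences `s.Process.Capabilities.Bounding` with no nil check; the daemon presumably builds the spec from a default that populates it, but that is not visible here, so as an exported helper it should either document that precondition or guard it with `if s.Process == nil || s.Process.Capabilities == nil { return fmt.Errorf("spec has no process capabilities") }`. The function body continues past the end of the hunk.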
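Review bot: `AppendDevicePermissionsFromCgroupRules` indexes `ss[0]` immediately after `FindAllStringSubmatch`, so a rule that does not match `deviceCgroupRuleRegex` at all (an empty string, or something like `x 1:2 rwm`) yields a nil `ss` and panics with an index out of range instead of returning the invalid-format error; the input is `HostConfig.DeviceCgroupRules` supplied through the API, and this helper is now exported and reached from both the Linux and Windows spec builders, so that is a daemon panic on user-controlled input unless the rules are validated earlier, which the hunk does not show. The check on the last line of the hunk should read `if len(ss) == 0 || len(ss[0]) != 5 {`. The loop body continues past the end of the hunk.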