@@ -36,7 +36,7 @@ func createContainer(c *execdriver.Command) *libcontainer.Container {

 	container.Cgroups.Name = c.ID

 	if c.Privileged {

-		container.Capabilities = nil

+		container.CapabilitiesMask = nil

 		container.Cgroups.DeviceAccess = true

 		container.Context["apparmor_profile"] = "unconfined"

 	}

@@ -59,7 +59,7 @@ func createContainer(c *execdriver.Command) *libcontainer.Container {

 // the libcontainer configuration file

 func getDefaultTemplate() *libcontainer.Container {

 	return &libcontainer.Container{

-		Capabilities: libcontainer.Capabilities{

+		CapabilitiesMask: libcontainer.Capabilities{

 			libcontainer.GetCapability("SETPCAP"),

 			libcontainer.GetCapability("SYS_MODULE"),

 			libcontainer.GetCapability("SYS_RAWIO"),

@@ -40,7 +40,7 @@ Sample `container.json` file:

       "HOSTNAME=11bb30683fb0",

       "TERM=xterm"

    ],

-   "capabilities" : [

+   "capabilities_mask" : [

       "SETPCAP",

       "SYS_MODULE",

       "SYS_RAWIO",

@@ -9,7 +9,7 @@ import (

 // DropCapabilities drops capabilities for the current process based

 // on the container's configuration.

 func DropCapabilities(container *libcontainer.Container) error {

-	if drop := getCapabilities(container); len(drop) > 0 {

+	if drop := getCapabilitiesMask(container); len(drop) > 0 {

 		c, err := capability.NewPid(os.Getpid())

 		if err != nil {

 			return err

@@ -23,10 +23,10 @@ func DropCapabilities(container *libcontainer.Container) error {

 	return nil

 }

-// getCapabilities returns the specific cap values for the libcontainer types

-func getCapabilities(container *libcontainer.Container) []capability.Cap {

+// getCapabilitiesMask returns the specific cap mask values for the libcontainer types

+func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {

 	drop := []capability.Cap{}

-	for _, c := range container.Capabilities {

+	for _, c := range container.CapabilitiesMask {

 		drop = append(drop, c.Value)

 	}

 	return drop

@@ -11,19 +11,19 @@ type Context map[string]string

 // Container defines configuration options for how a

 // container is setup inside a directory and how a process should be executed

 type Container struct {

-	Hostname     string          `json:"hostname,omitempty"`      // hostname

-	ReadonlyFs   bool            `json:"readonly_fs,omitempty"`   // set the containers rootfs as readonly

-	NoPivotRoot  bool            `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk

-	User         string          `json:"user,omitempty"`          // user to execute the process as

-	WorkingDir   string          `json:"working_dir,omitempty"`   // current working directory

-	Env          []string        `json:"environment,omitempty"`   // environment to set

-	Tty          bool            `json:"tty,omitempty"`           // setup a proper tty or not

-	Namespaces   Namespaces      `json:"namespaces,omitempty"`    // namespaces to apply

-	Capabilities Capabilities    `json:"capabilities,omitempty"`  // capabilities to drop

-	Networks     []*Network      `json:"networks,omitempty"`      // nil for host's network stack

-	Cgroups      *cgroups.Cgroup `json:"cgroups,omitempty"`       // cgroups

-	Context      Context         `json:"context,omitempty"`       // generic context for specific options (apparmor, selinux)

-	Mounts       []Mount         `json:"mounts,omitempty"`

+	Hostname         string          `json:"hostname,omitempty"`          // hostname

+	ReadonlyFs       bool            `json:"readonly_fs,omitempty"`       // set the containers rootfs as readonly

+	NoPivotRoot      bool            `json:"no_pivot_root,omitempty"`     // this can be enabled if you are running in ramdisk

+	User             string          `json:"user,omitempty"`              // user to execute the process as

+	WorkingDir       string          `json:"working_dir,omitempty"`       // current working directory

+	Env              []string        `json:"environment,omitempty"`       // environment to set

+	Tty              bool            `json:"tty,omitempty"`               // setup a proper tty or not

+	Namespaces       Namespaces      `json:"namespaces,omitempty"`        // namespaces to apply

+	CapabilitiesMask Capabilities    `json:"capabilities_mask,omitempty"` // capabilities to drop

+	Networks         []*Network      `json:"networks,omitempty"`          // nil for host's network stack

+	Cgroups          *cgroups.Cgroup `json:"cgroups,omitempty"`           // cgroups

+	Context          Context         `json:"context,omitempty"`           // generic context for specific options (apparmor, selinux)

+	Mounts           []Mount         `json:"mounts,omitempty"`

 }

 // Network defines configuration for a container's networking stack

@@ -14,7 +14,7 @@

         "NEWUTS",

         "NEWNET"

     ],

-    "capabilities": [

+    "capabilities_mask": [

         "SETPCAP",

         "SYS_MODULE",

         "SYS_RAWIO",