@@ -139,7 +139,7 @@ func WithApparmor(c *container.Container) coci.SpecOpts {

 func WithCapabilities(c *container.Container) coci.SpecOpts {

 	return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {

 		capabilities, err := caps.TweakCapabilities(

-			oci.DefaultCapabilities(),

+			caps.DefaultCapabilities(),

 			c.HostConfig.CapAdd,

 			c.HostConfig.CapDrop,

 			c.HostConfig.Capabilities,

@@ -390,7 +390,7 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe

 	// Note these are against the UVM.

 	setResourcesInSpec(c, s, true) // LCOW is Hyper-V only

-	capabilities, err := caps.TweakCapabilities(oci.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)

+	capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)

 	if err != nil {

 		return fmt.Errorf("linux spec capabilities: %v", err)

 	}

new file mode 100644

@@ -0,0 +1,21 @@

+package caps // import "github.com/docker/docker/oci/caps"

+

+// DefaultCapabilities returns a Linux kernel default capabilities

+func DefaultCapabilities() []string {

+	return []string{

+		"CAP_CHOWN",

+		"CAP_DAC_OVERRIDE",

+		"CAP_FSETID",

+		"CAP_FOWNER",

+		"CAP_MKNOD",

+		"CAP_NET_RAW",

+		"CAP_SETGID",

+		"CAP_SETUID",

+		"CAP_SETFCAP",

+		"CAP_SETPCAP",

+		"CAP_NET_BIND_SERVICE",

+		"CAP_SYS_CHROOT",

+		"CAP_KILL",

+		"CAP_AUDIT_WRITE",

+	}

+}

@@ -4,6 +4,7 @@ import (

 	"os"

 	"runtime"

+	"github.com/docker/docker/oci/caps"

 	specs "github.com/opencontainers/runtime-spec/specs-go"

 )

@@ -11,26 +12,6 @@ func iPtr(i int64) *int64        { return &i }

 func u32Ptr(i int64) *uint32     { u := uint32(i); return &u }

 func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }

-// DefaultCapabilities returns a Linux kernel default capabilities

-func DefaultCapabilities() []string {

-	return []string{

-		"CAP_CHOWN",

-		"CAP_DAC_OVERRIDE",

-		"CAP_FSETID",

-		"CAP_FOWNER",

-		"CAP_MKNOD",

-		"CAP_NET_RAW",

-		"CAP_SETGID",

-		"CAP_SETUID",

-		"CAP_SETFCAP",

-		"CAP_SETPCAP",

-		"CAP_NET_BIND_SERVICE",

-		"CAP_SYS_CHROOT",

-		"CAP_KILL",

-		"CAP_AUDIT_WRITE",

-	}

-}

-

 // DefaultSpec returns the default spec used by docker for the current Platform

 func DefaultSpec() specs.Spec {

 	return DefaultOSSpec(runtime.GOOS)

@@ -60,10 +41,10 @@ func DefaultLinuxSpec() specs.Spec {

 		Version: specs.Version,

 		Process: &specs.Process{

 			Capabilities: &specs.LinuxCapabilities{

-				Bounding:    DefaultCapabilities(),

-				Permitted:   DefaultCapabilities(),

-				Inheritable: DefaultCapabilities(),

-				Effective:   DefaultCapabilities(),

+				Bounding:    caps.DefaultCapabilities(),

+				Permitted:   caps.DefaultCapabilities(),

+				Inheritable: caps.DefaultCapabilities(),

+				Effective:   caps.DefaultCapabilities(),

 			},

 		},

 		Root: &specs.Root{},