@@ -59,9 +59,10 @@ func init() {

 }

 type driver struct {

-	root       string // root path for the driver to use

-	apparmor   bool

-	sharedRoot bool

+	root            string // root path for the driver to use

+	apparmor        bool

+	sharedRoot      bool

+	restrictionPath string

 }

 func NewDriver(root string, apparmor bool) (*driver, error) {

@@ -69,10 +70,15 @@ func NewDriver(root string, apparmor bool) (*driver, error) {

 	if err := linkLxcStart(root); err != nil {

 		return nil, err

 	}

+	restrictionPath := filepath.Join(root, "empty")

+	if err := os.MkdirAll(restrictionPath, 0700); err != nil {

+		return nil, err

+	}

 	return &driver{

-		apparmor:   apparmor,

-		root:       root,

-		sharedRoot: rootIsShared(),

+		apparmor:        apparmor,

+		root:            root,

+		sharedRoot:      rootIsShared(),

+		restrictionPath: restrictionPath,

 	}, nil

 }

@@ -403,14 +409,16 @@ func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {

 	if err := LxcTemplateCompiled.Execute(fo, struct {

 		*execdriver.Command

-		AppArmor     bool

-		ProcessLabel string

-		MountLabel   string

+		AppArmor          bool

+		ProcessLabel      string

+		MountLabel        string

+		RestrictionSource string

 	}{

-		Command:      c,

-		AppArmor:     d.apparmor,

-		ProcessLabel: process,

-		MountLabel:   mount,

+		Command:           c,

+		AppArmor:          d.apparmor,

+		ProcessLabel:      process,

+		MountLabel:        mount,

+		RestrictionSource: d.restrictionPath,

 	}); err != nil {

 		return "", err

 	}

@@ -88,7 +88,9 @@ lxc.mount.entry = proc {{escapeFstabSpaces $ROOTFS}}/proc proc nosuid,nodev,noex

 # WARNING: sysfs is a known attack vector and should probably be disabled

 # if your userspace allows it. eg. see http://bit.ly/T9CkqJ

+{{if .Privileged}}

 lxc.mount.entry = sysfs {{escapeFstabSpaces $ROOTFS}}/sys sysfs nosuid,nodev,noexec 0 0

+{{end}}

 {{if .Tty}}

 lxc.mount.entry = {{.Console}} {{escapeFstabSpaces $ROOTFS}}/dev/console none bind,rw 0 0

@@ -109,8 +111,15 @@ lxc.mount.entry = {{$value.Source}} {{escapeFstabSpaces $ROOTFS}}/{{escapeFstabS

 {{if .AppArmor}}

 lxc.aa_profile = unconfined

 {{else}}

-#lxc.aa_profile = unconfined

+# not unconfined

 {{end}}

+{{else}}

+# restrict access to proc

+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/sys none bind,ro 0 0

+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/irq none bind,ro 0 0

+lxc.mount.entry = {{.RestrictionSource}} {{escapeFstabSpaces $ROOTFS}}/proc/acpi none bind,ro 0 0

+lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/sysrq-trigger none bind,ro 0 0

+lxc.mount.entry = {{escapeFstabSpaces $ROOTFS}}/dev/null {{escapeFstabSpaces $ROOTFS}}/proc/kcore none bind,ro 0 0

 {{end}}

 # limits

@@ -25,6 +25,7 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container

 	container.Cgroups.Name = c.ID

 	// check to see if we are running in ramdisk to disable pivot root

 	container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""

+	container.Context["restriction_path"] = d.restrictionPath

 	if err := d.createNetwork(container, c); err != nil {

 		return nil, err

@@ -33,6 +34,8 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container

 		if err := d.setPrivileged(container); err != nil {

 			return nil, err

 		}

+	} else {

+		container.Mounts = append(container.Mounts, libcontainer.Mount{Type: "devtmpfs"})

 	}

 	if err := d.setupCgroups(container, c); err != nil {

 		return nil, err

@@ -81,6 +84,11 @@ func (d *driver) setPrivileged(container *libcontainer.Container) error {

 		c.Enabled = true

 	}

 	container.Cgroups.DeviceAccess = true

+

+	// add sysfs as a mount for privileged containers

+	container.Mounts = append(container.Mounts, libcontainer.Mount{Type: "sysfs"})

+	delete(container.Context, "restriction_path")

+

 	if apparmor.IsEnabled() {

 		container.Context["apparmor_profile"] = "unconfined"

 	}

@@ -99,7 +107,13 @@ func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.C

 func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Command) error {

 	for _, m := range c.Mounts {

-		container.Mounts = append(container.Mounts, libcontainer.Mount{m.Source, m.Destination, m.Writable, m.Private})

+		container.Mounts = append(container.Mounts, libcontainer.Mount{

+			Type:        "bind",

+			Source:      m.Source,

+			Destination: m.Destination,

+			Writable:    m.Writable,

+			Private:     m.Private,

+		})

 	}

 	return nil

 }

@@ -23,7 +23,7 @@ import (

 const (

 	DriverName                = "native"

-	Version                   = "0.1"

+	Version                   = "0.2"

 	BackupApparmorProfilePath = "apparmor/docker.back" // relative to docker root

 )

@@ -62,6 +62,7 @@ type driver struct {

 	root             string

 	initPath         string

 	activeContainers map[string]*exec.Cmd

+	restrictionPath  string

 }

 func NewDriver(root, initPath string) (*driver, error) {

@@ -72,8 +73,14 @@ func NewDriver(root, initPath string) (*driver, error) {

 	if err := apparmor.InstallDefaultProfile(filepath.Join(root, "../..", BackupApparmorProfilePath)); err != nil {

 		return nil, err

 	}

+	restrictionPath := filepath.Join(root, "empty")

+	if err := os.MkdirAll(restrictionPath, 0700); err != nil {

+		return nil, err

+	}

+

 	return &driver{

 		root:             root,

+		restrictionPath:  restrictionPath,

 		initPath:         initPath,

 		activeContainers: make(map[string]*exec.Cmd),

 	}, nil

@@ -665,3 +665,25 @@ func TestUnPrivilegedCannotMount(t *testing.T) {

 	logDone("run - test un-privileged cannot mount")

 }

+

+func TestSysNotAvaliableInNonPrivilegedContainers(t *testing.T) {

+	cmd := exec.Command(dockerBinary, "run", "busybox", "ls", "/sys/kernel")

+	if code, err := runCommand(cmd); err == nil || code == 0 {

+		t.Fatal("sys should not be available in a non privileged container")

+	}

+

+	deleteAllContainers()

+

+	logDone("run - sys not avaliable in non privileged container")

+}

+

+func TestSysAvaliableInPrivilegedContainers(t *testing.T) {

+	cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "ls", "/sys/kernel")

+	if code, err := runCommand(cmd); err != nil || code != 0 {

+		t.Fatalf("sys should be available in privileged container")

+	}

+

+	deleteAllContainers()

+

+	logDone("run - sys avaliable in privileged container")

+}

@@ -16,76 +16,149 @@ process are specified in this file.  The configuration is used for each process

 Sample `container.json` file:

 ```json

 {

-   "hostname" : "koye",

-   "networks" : [

+   "mounts" : [

       {

-         "gateway" : "172.17.42.1",

-         "context" : {

-            "bridge" : "docker0",

-            "prefix" : "veth"

-         },

-         "address" : "172.17.0.2/16",

-         "type" : "veth",

-         "mtu" : 1500

+         "type" : "devtmpfs"

       }

    ],

-   "cgroups" : {

-      "parent" : "docker",

-      "name" : "11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620"

-   },

    "tty" : true,

    "environment" : [

       "HOME=/",

-      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

-      "HOSTNAME=11bb30683fb0",

-      "TERM=xterm"

-   ],

-   "capabilities_mask" : [

-      "SETPCAP",

-      "SYS_MODULE",

-      "SYS_RAWIO",

-      "SYS_PACCT",

-      "SYS_ADMIN",

-      "SYS_NICE",

-      "SYS_RESOURCE",

-      "SYS_TIME",

-      "SYS_TTY_CONFIG",

-      "MKNOD",

-      "AUDIT_WRITE",

-      "AUDIT_CONTROL",

-      "MAC_OVERRIDE",

-      "MAC_ADMIN",

-      "NET_ADMIN"

+      "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",

+      "container=docker",

+      "TERM=xterm-256color"

    ],

-   "context" : {

-      "apparmor_profile" : "docker-default"

+   "hostname" : "koye",

+   "cgroups" : {

+      "parent" : "docker",

+      "name" : "docker-koye"

    },

-   "mounts" : [

+   "capabilities_mask" : [

+      {

+         "value" : 8,

+         "key" : "SETPCAP",

+         "enabled" : false

+      },

+      {

+         "enabled" : false,

+         "value" : 16,

+         "key" : "SYS_MODULE"

+      },

+      {

+         "value" : 17,

+         "key" : "SYS_RAWIO",

+         "enabled" : false

+      },

+      {

+         "key" : "SYS_PACCT",

+         "value" : 20,

+         "enabled" : false

+      },

+      {

+         "value" : 21,

+         "key" : "SYS_ADMIN",

+         "enabled" : false

+      },

+      {

+         "value" : 23,

+         "key" : "SYS_NICE",

+         "enabled" : false

+      },

+      {

+         "value" : 24,

+         "key" : "SYS_RESOURCE",

+         "enabled" : false

+      },

       {

-         "source" : "/var/lib/docker/containers/11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620/resolv.conf",

-         "writable" : false,

-         "destination" : "/etc/resolv.conf",

-         "private" : true

+         "key" : "SYS_TIME",

+         "value" : 25,

+         "enabled" : false

       },

       {

-         "source" : "/var/lib/docker/containers/11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620/hostname",

-         "writable" : false,

-         "destination" : "/etc/hostname",

-         "private" : true

+         "enabled" : false,

+         "value" : 26,

+         "key" : "SYS_TTY_CONFIG"

       },

       {

-         "source" : "/var/lib/docker/containers/11bb30683fb0bdd57fab4d3a8238877f1e4395a2cfc7320ea359f7a02c1a5620/hosts",

-         "writable" : false,

-         "destination" : "/etc/hosts",

-         "private" : true

+         "key" : "AUDIT_WRITE",

+         "value" : 29,

+         "enabled" : false

+      },

+      {

+         "value" : 30,

+         "key" : "AUDIT_CONTROL",

+         "enabled" : false

+      },

+      {

+         "enabled" : false,

+         "key" : "MAC_OVERRIDE",

+         "value" : 32

+      },

+      {

+         "enabled" : false,

+         "key" : "MAC_ADMIN",

+         "value" : 33

+      },

+      {

+         "key" : "NET_ADMIN",

+         "value" : 12,

+         "enabled" : false

+      },

+      {

+         "value" : 27,

+         "key" : "MKNOD",

+         "enabled" : true

+      }

+   ],

+   "networks" : [

+      {

+         "mtu" : 1500,

+         "address" : "127.0.0.1/0",

+         "type" : "loopback",

+         "gateway" : "localhost"

+      },

+      {

+         "mtu" : 1500,

+         "address" : "172.17.42.2/16",

+         "type" : "veth",

+         "context" : {

+            "bridge" : "docker0",

+            "prefix" : "veth"

+         },

+         "gateway" : "172.17.42.1"

       }

    ],

    "namespaces" : [

-      "NEWNS",

-      "NEWUTS",

-      "NEWIPC",

-      "NEWPID",

-      "NEWNET"

+      {

+         "key" : "NEWNS",

+         "value" : 131072,

+         "enabled" : true,

+         "file" : "mnt"

+      },

+      {

+         "key" : "NEWUTS",

+         "value" : 67108864,

+         "enabled" : true,

+         "file" : "uts"

+      },

+      {

+         "enabled" : true,

+         "file" : "ipc",

+         "key" : "NEWIPC",

+         "value" : 134217728

+      },

+      {

+         "file" : "pid",

+         "enabled" : true,

+         "value" : 536870912,

+         "key" : "NEWPID"

+      },

+      {

+         "enabled" : true,

+         "file" : "net",

+         "key" : "NEWNET",

+         "value" : 1073741824

+      }

    ]

 }

 ```

deleted file mode 100644

@@ -1,35 +0,0 @@

-package capabilities

-

-import (

-	"github.com/dotcloud/docker/pkg/libcontainer"

-	"github.com/syndtr/gocapability/capability"

-	"os"

-)

-

-// DropCapabilities drops capabilities for the current process based

-// on the container's configuration.

-func DropCapabilities(container *libcontainer.Container) error {

-	if drop := getCapabilitiesMask(container); len(drop) > 0 {

-		c, err := capability.NewPid(os.Getpid())

-		if err != nil {

-			return err

-		}

-		c.Unset(capability.CAPS|capability.BOUNDS, drop...)

-

-		if err := c.Apply(capability.CAPS | capability.BOUNDS); err != nil {

-			return err

-		}

-	}

-	return nil

-}

-

-// getCapabilitiesMask returns the specific cap mask values for the libcontainer types

-func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {

-	drop := []capability.Cap{}

-	for _, c := range container.CapabilitiesMask {

-		if !c.Enabled {

-			drop = append(drop, c.Value)

-		}

-	}

-	return drop

-}

new file mode 100644

@@ -0,0 +1,60 @@

+// +build linux

+

+package console

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/label"

+	"github.com/dotcloud/docker/pkg/system"

+	"os"

+	"path/filepath"

+	"syscall"

+)

+

+// Setup initializes the proper /dev/console inside the rootfs path

+func Setup(rootfs, consolePath, mountLabel string) error {

+	oldMask := system.Umask(0000)

+	defer system.Umask(oldMask)

+

+	stat, err := os.Stat(consolePath)

+	if err != nil {

+		return fmt.Errorf("stat console %s %s", consolePath, err)

+	}

+	var (

+		st   = stat.Sys().(*syscall.Stat_t)

+		dest = filepath.Join(rootfs, "dev/console")

+	)

+	if err := os.Remove(dest); err != nil && !os.IsNotExist(err) {

+		return fmt.Errorf("remove %s %s", dest, err)

+	}

+	if err := os.Chmod(consolePath, 0600); err != nil {

+		return err

+	}

+	if err := os.Chown(consolePath, 0, 0); err != nil {

+		return err

+	}

+	if err := system.Mknod(dest, (st.Mode&^07777)|0600, int(st.Rdev)); err != nil {

+		return fmt.Errorf("mknod %s %s", dest, err)

+	}

+	if err := label.SetFileLabel(consolePath, mountLabel); err != nil {

+		return fmt.Errorf("set file label %s %s", dest, err)

+	}

+	if err := system.Mount(consolePath, dest, "bind", syscall.MS_BIND, ""); err != nil {

+		return fmt.Errorf("bind %s to %s %s", consolePath, dest, err)

+	}

+	return nil

+}

+

+func OpenAndDup(consolePath string) error {

+	slave, err := system.OpenTerminal(consolePath, syscall.O_RDWR)

+	if err != nil {

+		return fmt.Errorf("open terminal %s", err)

+	}

+	if err := system.Dup2(slave.Fd(), 0); err != nil {

+		return err

+	}

+	if err := system.Dup2(slave.Fd(), 1); err != nil {

+		return err

+	}

+	return system.Dup2(slave.Fd(), 2)

+}

@@ -23,7 +23,7 @@ type Container struct {

 	Networks         []*Network      `json:"networks,omitempty"`          // nil for host's network stack

 	Cgroups          *cgroups.Cgroup `json:"cgroups,omitempty"`           // cgroups

 	Context          Context         `json:"context,omitempty"`           // generic context for specific options (apparmor, selinux)

-	Mounts           []Mount         `json:"mounts,omitempty"`

+	Mounts           Mounts          `json:"mounts,omitempty"`

 }

 // Network defines configuration for a container's networking stack

@@ -37,12 +37,3 @@ type Network struct {

 	Gateway string  `json:"gateway,omitempty"`

 	Mtu     int     `json:"mtu,omitempty"`

 }

-

-// Bind mounts from the host system to the container

-//

-type Mount struct {

-	Source      string `json:"source"`      // Source path, in the host namespace

-	Destination string `json:"destination"` // Destination path, in the container

-	Writable    bool   `json:"writable"`

-	Private     bool   `json:"private"`

-}

@@ -1,50 +1,146 @@

 {

-    "hostname": "koye",

-    "tty": true,

-    "environment": [

-        "HOME=/",

-        "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",

-        "container=docker",

-        "TERM=xterm-256color"

-    ],

-    "namespaces": [

-        "NEWIPC",

-        "NEWNS",

-        "NEWPID",

-        "NEWUTS",

-        "NEWNET"

-    ],

-    "capabilities_mask": [

-        "SETPCAP",

-        "SYS_MODULE",

-        "SYS_RAWIO",

-        "SYS_PACCT",

-        "SYS_ADMIN",

-        "SYS_NICE",

-        "SYS_RESOURCE",

-        "SYS_TIME",

-        "SYS_TTY_CONFIG",

-        "MKNOD",

-        "AUDIT_WRITE",

-        "AUDIT_CONTROL",

-        "MAC_OVERRIDE",

-        "MAC_ADMIN",

-        "NET_ADMIN"

-    ],

-    "networks": [{

-            "type": "veth",

-            "context": {

-                "bridge": "docker0",

-                "prefix": "dock"

-            },

-            "address": "172.17.0.100/16",

-            "gateway": "172.17.42.1",

-            "mtu": 1500

-        }

-    ],

-    "cgroups": {

-        "name": "docker-koye",

-        "parent": "docker",

-        "memory": 5248000

-    }

+   "mounts" : [

+      {

+         "type" : "devtmpfs"

+      }

+   ],

+   "tty" : true,

+   "environment" : [

+      "HOME=/",

+      "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",

+      "container=docker",

+      "TERM=xterm-256color"

+   ],

+   "hostname" : "koye",

+   "cgroups" : {

+      "parent" : "docker",

+      "name" : "docker-koye"

+   },

+   "capabilities_mask" : [

+      {

+         "value" : 8,

+         "key" : "SETPCAP",

+         "enabled" : false

+      },

+      {

+         "enabled" : false,

+         "value" : 16,

+         "key" : "SYS_MODULE"

+      },

+      {

+         "value" : 17,

+         "key" : "SYS_RAWIO",

+         "enabled" : false

+      },

+      {

+         "key" : "SYS_PACCT",

+         "value" : 20,

+         "enabled" : false

+      },

+      {

+         "value" : 21,

+         "key" : "SYS_ADMIN",

+         "enabled" : false

+      },

+      {

+         "value" : 23,

+         "key" : "SYS_NICE",

+         "enabled" : false

+      },

+      {

+         "value" : 24,

+         "key" : "SYS_RESOURCE",

+         "enabled" : false

+      },

+      {

+         "key" : "SYS_TIME",

+         "value" : 25,

+         "enabled" : false

+      },

+      {

+         "enabled" : false,

+         "value" : 26,

+         "key" : "SYS_TTY_CONFIG"

+      },

+      {

+         "key" : "AUDIT_WRITE",

+         "value" : 29,

+         "enabled" : false

+      },

+      {

+         "value" : 30,

+         "key" : "AUDIT_CONTROL",

+         "enabled" : false

+      },

+      {

+         "enabled" : false,

+         "key" : "MAC_OVERRIDE",

+         "value" : 32

+      },

+      {

+         "enabled" : false,

+         "key" : "MAC_ADMIN",

+         "value" : 33

+      },

+      {

+         "key" : "NET_ADMIN",

+         "value" : 12,

+         "enabled" : false

+      },

+      {

+         "value" : 27,

+         "key" : "MKNOD",

+         "enabled" : true

+      }

+   ],

+   "networks" : [

+      {

+         "mtu" : 1500,

+         "address" : "127.0.0.1/0",

+         "type" : "loopback",

+         "gateway" : "localhost"

+      },

+      {

+         "mtu" : 1500,

+         "address" : "172.17.42.2/16",

+         "type" : "veth",

+         "context" : {

+            "bridge" : "docker0",

+            "prefix" : "veth"

+         },

+         "gateway" : "172.17.42.1"

+      }

+   ],

+   "namespaces" : [

+      {

+         "key" : "NEWNS",

+         "value" : 131072,

+         "enabled" : true,

+         "file" : "mnt"

+      },

+      {

+         "key" : "NEWUTS",

+         "value" : 67108864,

+         "enabled" : true,

+         "file" : "uts"

+      },

+      {

+         "enabled" : true,

+         "file" : "ipc",

+         "key" : "NEWIPC",

+         "value" : 134217728

+      },

+      {

+         "file" : "pid",

+         "enabled" : true,

+         "value" : 536870912,

+         "key" : "NEWPID"

+      },

+      {

+         "enabled" : true,

+         "file" : "net",

+         "key" : "NEWNET",

+         "value" : 1073741824

+      }

+   ]

 }

new file mode 100644

@@ -0,0 +1,143 @@

+// +build linux

+

+package mount

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/label"

+	"github.com/dotcloud/docker/pkg/libcontainer"

+	"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"

+	"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"

+	"github.com/dotcloud/docker/pkg/system"

+	"os"

+	"path/filepath"

+	"syscall"

+)

+

+// default mount point flags

+const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

+

+type mount struct {

+	source string

+	path   string

+	device string

+	flags  int

+	data   string

+}

+

+// InitializeMountNamespace setups up the devices, mount points, and filesystems for use inside a

+// new mount namepsace

+func InitializeMountNamespace(rootfs, console string, container *libcontainer.Container) error {

+	var (

+		err  error

+		flag = syscall.MS_PRIVATE

+	)

+	if container.NoPivotRoot {

+		flag = syscall.MS_SLAVE

+	}

+	if err := system.Mount("", "/", "", uintptr(flag|syscall.MS_REC), ""); err != nil {

+		return fmt.Errorf("mounting / as slave %s", err)

+	}

+	if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {

+		return fmt.Errorf("mouting %s as bind %s", rootfs, err)

+	}

+	if err := mountSystem(rootfs, container); err != nil {

+		return fmt.Errorf("mount system %s", err)

+	}

+	if err := setupBindmounts(rootfs, container.Mounts); err != nil {

+		return fmt.Errorf("bind mounts %s", err)

+	}

+	if err := nodes.CopyN(rootfs, nodes.DefaultNodes); err != nil {

+		return fmt.Errorf("copy dev nodes %s", err)

+	}

+	if restrictionPath := container.Context["restriction_path"]; restrictionPath != "" {

+		if err := restrict.Restrict(rootfs, restrictionPath); err != nil {

+			return fmt.Errorf("restrict %s", err)

+		}

+	}

+	if err := SetupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {

+		return err

+	}

+	if err := system.Chdir(rootfs); err != nil {

+		return fmt.Errorf("chdir into %s %s", rootfs, err)

+	}

+

+	if container.NoPivotRoot {

+		err = MsMoveRoot(rootfs)

+	} else {

+		err = PivotRoot(rootfs)

+	}

+	if err != nil {

+		return err

+	}

+

+	if container.ReadonlyFs {

+		if err := SetReadonly(); err != nil {

+			return fmt.Errorf("set readonly %s", err)

+		}

+	}

+

+	system.Umask(0022)

+

+	return nil

+}

+

+// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts

+// inside the mount namespace

+func mountSystem(rootfs string, container *libcontainer.Container) error {

+	for _, m := range newSystemMounts(rootfs, container.Context["mount_label"], container.Mounts) {

+		if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {

+			return fmt.Errorf("mkdirall %s %s", m.path, err)

+		}

+		if err := system.Mount(m.source, m.path, m.device, uintptr(m.flags), m.data); err != nil {

+			return fmt.Errorf("mounting %s into %s %s", m.source, m.path, err)

+		}

+	}

+	return nil

+}

+

+func setupBindmounts(rootfs string, bindMounts libcontainer.Mounts) error {

+	for _, m := range bindMounts.OfType("bind") {

+		var (

+			flags = syscall.MS_BIND | syscall.MS_REC

+			dest  = filepath.Join(rootfs, m.Destination)

+		)

+		if !m.Writable {

+			flags = flags | syscall.MS_RDONLY

+		}

+		if err := system.Mount(m.Source, dest, "bind", uintptr(flags), ""); err != nil {

+			return fmt.Errorf("mounting %s into %s %s", m.Source, dest, err)

+		}

+		if !m.Writable {

+			if err := system.Mount(m.Source, dest, "bind", uintptr(flags|syscall.MS_REMOUNT), ""); err != nil {

+				return fmt.Errorf("remounting %s into %s %s", m.Source, dest, err)

+			}

+		}

+		if m.Private {

+			if err := system.Mount("", dest, "none", uintptr(syscall.MS_PRIVATE), ""); err != nil {

+				return fmt.Errorf("mounting %s private %s", dest, err)

+			}

+		}

+	}

+	return nil

+}

+

+// TODO: this is crappy right now and should be cleaned up with a better way of handling system and

+// standard bind mounts allowing them to be more dymanic

+func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mount {

+	systemMounts := []mount{

+		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},

+	}

+

+	if len(mounts.OfType("devtmpfs")) == 1 {

+		systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})

+	}

+	systemMounts = append(systemMounts,

+		mount{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},

+		mount{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)})

+

+	if len(mounts.OfType("sysfs")) == 1 {

+		systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})

+	}

+	return systemMounts

+}

new file mode 100644

@@ -0,0 +1,19 @@

+// +build linux

+

+package mount

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/system"

+	"syscall"

+)

+

+func MsMoveRoot(rootfs string) error {

+	if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {