@@ -1112,12 +1112,9 @@ func (container *Container) unmountVolumes(forceSyscall bool) error {

 func (container *Container) networkMounts() []execdriver.Mount {

 	var mounts []execdriver.Mount

-	mode := "Z"

-	if container.hostConfig.NetworkMode.IsContainer() {

-		mode = "z"

-	}

+	shared := container.hostConfig.NetworkMode.IsContainer()

 	if container.ResolvConfPath != "" {

-		label.Relabel(container.ResolvConfPath, container.MountLabel, mode)

+		label.Relabel(container.ResolvConfPath, container.MountLabel, shared)

 		writable := !container.hostConfig.ReadonlyRootfs

 		if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {

 			writable = m.RW

@@ -1130,7 +1127,7 @@ func (container *Container) networkMounts() []execdriver.Mount {

 		})

 	}

 	if container.HostnamePath != "" {

-		label.Relabel(container.HostnamePath, container.MountLabel, mode)

+		label.Relabel(container.HostnamePath, container.MountLabel, shared)

 		writable := !container.hostConfig.ReadonlyRootfs

 		if m, exists := container.MountPoints["/etc/hostname"]; exists {

 			writable = m.RW

@@ -1143,7 +1140,7 @@ func (container *Container) networkMounts() []execdriver.Mount {

 		})

 	}

 	if container.HostsPath != "" {

-		label.Relabel(container.HostsPath, container.MountLabel, mode)

+		label.Relabel(container.HostsPath, container.MountLabel, shared)

 		writable := !container.hostConfig.ReadonlyRootfs

 		if m, exists := container.MountPoints["/etc/hosts"]; exists {

 			writable = m.RW

@@ -59,7 +59,7 @@ func createContainerPlatformSpecificSettings(container *Container, config *runco

 			return err

 		}

-		if err := label.Relabel(v.Path(), container.MountLabel, "z"); err != nil {

+		if err := label.Relabel(v.Path(), container.MountLabel, true); err != nil {

 			return err

 		}

@@ -355,7 +355,8 @@ func (daemon *Daemon) registerMountPoints(container *Container, hostConfig *runc

 			}

 		}

-		if err := label.Relabel(bind.Source, container.MountLabel, bind.Mode); err != nil {

+		shared := label.IsShared(bind.Mode)

+		if err := label.Relabel(bind.Source, container.MountLabel, shared); err != nil {

 			return err

 		}

 		binds[bind.Destination] = true

@@ -42,7 +42,7 @@ clone git github.com/endophage/gotuf 9bcdad0308e34a49f38448b8ad436ad8860825ce

 clone git github.com/jfrazelle/go 6e461eb70cb4187b41a84e9a567d7137bdbe0f16

 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

-clone git github.com/opencontainers/runc v0.0.3 # libcontainer

+clone git github.com/opencontainers/runc v0.0.4 # libcontainer

 # libcontainer deps (see src/github.com/docker/libcontainer/update-vendor.sh)

 clone git github.com/coreos/go-systemd v3

 clone git github.com/godbus/dbus v2

@@ -83,7 +83,7 @@ type data struct {

 	pid    int

 }

-func (m *Manager) Apply(pid int) error {

+func (m *Manager) Apply(pid int) (err error) {

 	if m.Cgroups == nil {

 		return nil

 	}

@@ -235,12 +235,12 @@ func getCgroupData(c *configs.Cgroup, pid int) (*data, error) {

 	}, nil

 }

-func (raw *data) parent(subsystem, mountpoint, src string) (string, error) {

-	initPath, err := cgroups.GetInitCgroupDir(subsystem)

+func (raw *data) parent(subsystem, mountpoint, root string) (string, error) {

+	initPath, err := cgroups.GetThisCgroupDir(subsystem)

 	if err != nil {

 		return "", err

 	}

-	relDir, err := filepath.Rel(src, initPath)

+	relDir, err := filepath.Rel(root, initPath)

 	if err != nil {

 		return "", err

 	}

@@ -248,7 +248,7 @@ func (raw *data) parent(subsystem, mountpoint, src string) (string, error) {

 }

 func (raw *data) path(subsystem string) (string, error) {

-	mnt, src, err := cgroups.FindCgroupMountpointAndSource(subsystem)

+	mnt, root, err := cgroups.FindCgroupMountpointAndRoot(subsystem)

 	// If we didn't mount the subsystem, there is no point we make the path.

 	if err != nil {

 		return "", err

@@ -259,7 +259,7 @@ func (raw *data) path(subsystem string) (string, error) {

 		return filepath.Join(raw.root, filepath.Base(mnt), raw.cgroup), nil

 	}

-	parent, err := raw.parent(subsystem, mnt, src)

+	parent, err := raw.parent(subsystem, mnt, root)

 	if err != nil {

 		return "", err

 	}

@@ -17,7 +17,7 @@ import (

 type MemoryGroup struct {

 }

-func (s *MemoryGroup) Apply(d *data) error {

+func (s *MemoryGroup) Apply(d *data) (err error) {

 	path, err := d.path("memory")

 	if err != nil {

 		if cgroups.IsNotFound(err) {

@@ -28,21 +28,22 @@ func (s *MemoryGroup) Apply(d *data) error {

 	if err := os.MkdirAll(path, 0755); err != nil {

 		return err

 	}

+

+	defer func() {

+		if err != nil {

+			os.RemoveAll(path)

+		}

+	}()

+

 	if err := s.Set(path, d.c); err != nil {

 		return err

 	}

 	// We need to join memory cgroup after set memory limits, because

 	// kmem.limit_in_bytes can only be set when the cgroup is empty.

-	_, err = d.join("memory")

-	if err != nil {

+	if _, err = d.join("memory"); err != nil {

 		return err

 	}

-	defer func() {

-		if err != nil {

-			os.RemoveAll(path)

-		}

-	}()

 	return nil

 }

@@ -21,6 +21,9 @@ const cgroupNamePrefix = "name="

 // https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

 func FindCgroupMountpoint(subsystem string) (string, error) {

+	// We are not using mount.GetMounts() because it's super-inefficient,

+	// parsing it directly sped up x10 times because of not using Sscanf.

+	// It was one of two major performance drawbacks in container start.

 	f, err := os.Open("/proc/self/mountinfo")

 	if err != nil {

 		return "", err

@@ -44,7 +47,7 @@ func FindCgroupMountpoint(subsystem string) (string, error) {

 	return "", NewNotFoundError(subsystem)

 }

-func FindCgroupMountpointAndSource(subsystem string) (string, string, error) {

+func FindCgroupMountpointAndRoot(subsystem string) (string, string, error) {

 	f, err := os.Open("/proc/self/mountinfo")

 	if err != nil {

 		return "", "", err

@@ -69,16 +72,29 @@ func FindCgroupMountpointAndSource(subsystem string) (string, string, error) {

 }

 func FindCgroupMountpointDir() (string, error) {

-	mounts, err := mount.GetMounts()

+	f, err := os.Open("/proc/self/mountinfo")

 	if err != nil {

 		return "", err

 	}

+	defer f.Close()

-	for _, mount := range mounts {

-		if mount.Fstype == "cgroup" {

-			return filepath.Dir(mount.Mountpoint), nil

+	scanner := bufio.NewScanner(f)

+	for scanner.Scan() {

+		text := scanner.Text()

+		fields := strings.Split(text, " ")

+		// Safe as mountinfo encodes mountpoints with spaces as \040.

+		index := strings.Index(text, " - ")

+		postSeparatorFields := strings.Fields(text[index+3:])

+		if len(postSeparatorFields) < 3 {

+			return "", fmt.Errorf("Error found less than 3 fields post '-' in %q", text)

+		}

+		if postSeparatorFields[0] == "cgroup" {

+			return filepath.Dir(fields[4]), nil

 		}

 	}

+	if err := scanner.Err(); err != nil {

+		return "", err

+	}

 	return "", NewNotFoundError("cgroup")

 }

@@ -1,5 +1,11 @@

 package configs

+import (

+	"bytes"

+	"encoding/json"

+	"os/exec"

+)

+

 type Rlimit struct {

 	Type int    `json:"type"`

 	Hard uint64 `json:"hard"`

@@ -13,36 +19,46 @@ type IDMap struct {

 	Size        int `json:"size"`

 }

+// Seccomp represents syscall restrictions

 type Seccomp struct {

-	Syscalls []*Syscall `json:"syscalls"`

+	DefaultAction Action     `json:"default_action"`

+	Syscalls      []*Syscall `json:"syscalls"`

 }

+// An action to be taken upon rule match in Seccomp

 type Action int

 const (

-	Kill Action = iota - 3

+	Kill Action = iota - 4

+	Errno

 	Trap

 	Allow

 )

+// A comparison operator to be used when matching syscall arguments in Seccomp

 type Operator int

 const (

 	EqualTo Operator = iota

 	NotEqualTo

-	GreatherThan

+	GreaterThan

+	GreaterThanOrEqualTo

 	LessThan

+	LessThanOrEqualTo

 	MaskEqualTo

 )

+// A rule to match a specific syscall argument in Seccomp

 type Arg struct {

-	Index int      `json:"index"`

-	Value uint32   `json:"value"`

-	Op    Operator `json:"op"`

+	Index    uint     `json:"index"`

+	Value    uint64   `json:"value"`

+	ValueTwo uint64   `json:"value_two"`

+	Op       Operator `json:"op"`

 }

+// An rule to match a syscall in Seccomp

 type Syscall struct {

-	Value  int    `json:"value"`

+	Name   string `json:"name"`

 	Action Action `json:"action"`

 	Args   []*Arg `json:"args"`

 }

@@ -117,6 +133,12 @@ type Config struct {

 	// If Rlimits are not set, the container will inherit rlimits from the parent process

 	Rlimits []Rlimit `json:"rlimits"`

+	// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores

+	// for a process. Valid values are between the range [-1000, '1000'], where processes with

+	// higher scores are preferred for being killed.

+	// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/

+	OomScoreAdj int `json:"oom_score_adj"`

+

 	// AdditionalGroups specifies the gids that should be added to supplementary groups

 	// in addition to those that the user belongs to.

 	AdditionalGroups []string `json:"additional_groups"`

@@ -140,7 +162,79 @@ type Config struct {

 	Sysctl map[string]string `json:"sysctl"`

 	// Seccomp allows actions to be taken whenever a syscall is made within the container.

-	// By default, all syscalls are allowed with actions to allow, trap, kill, or return an errno

-	// can be specified on a per syscall basis.

+	// A number of rules are given, each having an action to be taken if a syscall matches it.

+	// A default action to be taken if no rules match is also given.

 	Seccomp *Seccomp `json:"seccomp"`

+

+	// Hooks are a collection of actions to perform at various container lifecycle events.

+	// Hooks are not able to be marshaled to json but they are also not needed to.

+	Hooks *Hooks `json:"-"`

+}

+

+type Hooks struct {

+	// Prestart commands are executed after the container namespaces are created,

+	// but before the user supplied command is executed from init.

+	Prestart []Hook

+

+	// Poststop commands are executed after the container init process exits.

+	Poststop []Hook

+}

+

+// HookState is the payload provided to a hook on execution.

+type HookState struct {

+	ID   string `json:"id"`

+	Pid  int    `json:"pid"`

+	Root string `json:"root"`

+}

+

+type Hook interface {

+	// Run executes the hook with the provided state.

+	Run(HookState) error

+}

+

+// NewFunctionHooks will call the provided function when the hook is run.

+func NewFunctionHook(f func(HookState) error) FuncHook {

+	return FuncHook{

+		run: f,

+	}

+}

+

+type FuncHook struct {

+	run func(HookState) error

+}

+

+func (f FuncHook) Run(s HookState) error {

+	return f.run(s)

+}

+

+type Command struct {

+	Path string   `json:"path"`

+	Args []string `json:"args"`

+	Env  []string `json:"env"`

+	Dir  string   `json:"dir"`

+}

+

+// NewCommandHooks will execute the provided command when the hook is run.

+func NewCommandHook(cmd Command) CommandHook {

+	return CommandHook{

+		Command: cmd,

+	}

+}

+

+type CommandHook struct {

+	Command

+}

+

+func (c Command) Run(s HookState) error {

+	b, err := json.Marshal(s)

+	if err != nil {

+		return err

+	}

+	cmd := exec.Cmd{

+		Path:  c.Path,

+		Args:  c.Args,

+		Env:   c.Env,

+		Stdin: bytes.NewReader(b),

+	}

+	return cmd.Run()

 }

@@ -25,10 +25,3 @@ type Mount struct {

 	// Optional Command to be run after Source is mounted.

 	PostmountCmds []Command `json:"postmount_cmds"`

 }

-

-type Command struct {

-	Path string   `json:"path"`

-	Args []string `json:"args"`

-	Env  []string `json:"env"`

-	Dir  string   `json:"dir"`

-}

@@ -185,6 +185,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c

 		parentPipe: parentPipe,

 		manager:    c.cgroupManager,

 		config:     c.newInitConfig(p),

+		container:  c,

 	}, nil

 }

@@ -247,6 +248,17 @@ func (c *linuxContainer) Destroy() error {

 		err = rerr

 	}

 	c.initProcess = nil

+	if c.config.Hooks != nil {

+		s := configs.HookState{

+			ID:   c.id,

+			Root: c.config.Rootfs,

+		}

+		for _, hook := range c.config.Hooks.Poststop {

+			if err := hook.Run(s); err != nil {

+				return err

+			}

+		}

+	}

 	return err

 }

@@ -299,7 +311,7 @@ func (c *linuxContainer) checkCriuVersion() error {

 	return nil

 }

-const descriptors_filename = "descriptors.json"

+const descriptorsFilename = "descriptors.json"

 func (c *linuxContainer) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount) {

 	mountDest := m.Destination

@@ -406,7 +418,7 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {

 		return err

 	}

-	err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptors_filename), fdsJSON, 0655)

+	err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0655)

 	if err != nil {

 		return err

 	}

@@ -532,13 +544,19 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {

 			break

 		}

 	}

+	for _, i := range criuOpts.VethPairs {

+		veth := new(criurpc.CriuVethPair)

+		veth.IfOut = proto.String(i.HostInterfaceName)

+		veth.IfIn = proto.String(i.ContainerInterfaceName)

+		req.Opts.Veths = append(req.Opts.Veths, veth)

+	}

 	var (

 		fds    []string

 		fdJSON []byte

 	)

-	if fdJSON, err = ioutil.ReadFile(filepath.Join(criuOpts.ImagesDirectory, descriptors_filename)); err != nil {

+	if fdJSON, err = ioutil.ReadFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename)); err != nil {

 		return err

 	}

@@ -568,6 +586,7 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *

 		return err

 	}

+	logPath := filepath.Join(opts.WorkDirectory, req.GetOpts().GetLogFile())

 	criuClient := os.NewFile(uintptr(fds[0]), "criu-transport-client")

 	criuServer := os.NewFile(uintptr(fds[1]), "criu-transport-server")

 	defer criuClient.Close()

@@ -631,7 +650,8 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *

 			return err

 		}

 		if !resp.GetSuccess() {

-			return fmt.Errorf("criu failed: type %s errno %d", req.GetType().String(), resp.GetCrErrno())

+			typeString := req.GetType().String()

+			return fmt.Errorf("criu failed: type %s errno %d\nlog file: %s", typeString, resp.GetCrErrno(), logPath)

 		}

 		t := resp.GetType()

@@ -671,7 +691,7 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *

 		return err

 	}

 	if !st.Success() {

-		return fmt.Errorf("criu failed: %s", st.String())

+		return fmt.Errorf("criu failed: %s\nlog file: %s", st.String(), logPath)

 	}

 	return nil

 }

@@ -5,6 +5,11 @@ type CriuPageServerInfo struct {

 	Port    int32  // port number of CRIU page server

 }

+type VethPairName struct {

+	ContainerInterfaceName string

+	HostInterfaceName      string

+}

+

 type CriuOpts struct {

 	ImagesDirectory         string             // directory for storing image files

 	WorkDirectory           string             // directory to cd and write logs/pidfiles/stats to

@@ -14,4 +19,5 @@ type CriuOpts struct {

 	ShellJob                bool               // allow to dump and restore shell jobs

 	FileLocks               bool               // handle file locks, for safety

 	PageServer              CriuPageServerInfo // allow to dump to criu page server

+	VethPairs               []VethPairName     // pass the veth to criu when restore

 }

@@ -5,7 +5,9 @@ package libcontainer

 import (

 	"encoding/json"

 	"fmt"

+	"io/ioutil"

 	"os"

+	"strconv"

 	"strings"

 	"syscall"

@@ -13,7 +15,6 @@ import (

 	"github.com/opencontainers/runc/libcontainer/cgroups"

 	"github.com/opencontainers/runc/libcontainer/configs"

 	"github.com/opencontainers/runc/libcontainer/netlink"

-	"github.com/opencontainers/runc/libcontainer/seccomp"

 	"github.com/opencontainers/runc/libcontainer/system"

 	"github.com/opencontainers/runc/libcontainer/user"

 	"github.com/opencontainers/runc/libcontainer/utils"

@@ -239,6 +240,11 @@ func setupRlimits(config *configs.Config) error {

 	return nil

 }

+func setOomScoreAdj(oomScoreAdj int) error {

+	path := "/proc/self/oom_score_adj"

+	return ioutil.WriteFile(path, []byte(strconv.Itoa(oomScoreAdj)), 0700)

+}

+

 // killCgroupProcesses freezes then iterates over all the processes inside the

 // manager's cgroups sending a SIGKILL to each process then waiting for them to

 // exit.

@@ -270,61 +276,3 @@ func killCgroupProcesses(m cgroups.Manager) error {

 	}

 	return nil

 }

-

-func finalizeSeccomp(config *initConfig) error {

-	if config.Config.Seccomp == nil {

-		return nil

-	}

-	context := seccomp.New()

-	for _, s := range config.Config.Seccomp.Syscalls {

-		ss := &seccomp.Syscall{

-			Value:  uint32(s.Value),

-			Action: seccompAction(s.Action),

-		}

-		if len(s.Args) > 0 {

-			ss.Args = seccompArgs(s.Args)

-		}

-		context.Add(ss)

-	}

-	return context.Load()

-}

-

-func seccompAction(a configs.Action) seccomp.Action {

-	switch a {

-	case configs.Kill:

-		return seccomp.Kill

-	case configs.Trap:

-		return seccomp.Trap

-	case configs.Allow:

-		return seccomp.Allow

-	}

-	return seccomp.Error(syscall.Errno(int(a)))

-}

-

-func seccompArgs(args []*configs.Arg) seccomp.Args {

-	var sa []seccomp.Arg

-	for _, a := range args {

-		sa = append(sa, seccomp.Arg{

-			Index: uint32(a.Index),

-			Op:    seccompOperator(a.Op),

-			Value: uint(a.Value),

-		})

-	}

-	return seccomp.Args{sa}

-}

-

-func seccompOperator(o configs.Operator) seccomp.Operator {

-	switch o {

-	case configs.EqualTo:

-		return seccomp.EqualTo

-	case configs.NotEqualTo:

-		return seccomp.NotEqualTo

-	case configs.GreatherThan:

-		return seccomp.GreatherThan

-	case configs.LessThan:

-		return seccomp.LessThan

-	case configs.MaskEqualTo:

-		return seccomp.MaskEqualTo

-	}

-	return 0

-}

@@ -29,7 +29,7 @@ func SetFileCreateLabel(fileLabel string) error {

 	return nil

 }

-func Relabel(path string, fileLabel string, relabel string) error {

+func Relabel(path string, fileLabel string, shared bool) error {

 	return nil

 }

@@ -59,3 +59,13 @@ func DupSecOpt(src string) []string {

 func DisableSecOpt() []string {

 	return nil

 }

+

+// Validate checks that the label does not include unexpected options

+func Validate(label string) error {

+	return nil

+}

+

+// IsShared checks that the label includes a "shared" mark

+func IsShared(label string) bool {

+	return false

+}

@@ -9,6 +9,8 @@ import (

 	"github.com/opencontainers/runc/libcontainer/selinux"

 )

+var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")

+

 // InitLabels returns the process label and file labels to be used within

 // the container.  A list of options can be passed into this function to alter

 // the labels.  The labels returned will include a random MCS String, that is

@@ -95,28 +97,24 @@ func SetFileCreateLabel(fileLabel string) error {

 	return nil

 }

-// Change the label of path to the filelabel string.  If the relabel string

-// is "z", relabel will change the MCS label to s0.  This will allow all

-// containers to share the content.  If the relabel string is a "Z" then

-// the MCS label should continue to be used.  SELinux will use this field

-// to make sure the content can not be shared by other containes.

-func Relabel(path string, fileLabel string, relabel string) error {

-	exclude_path := []string{"/", "/usr", "/etc"}

-	if fileLabel == "" {

+// Change the label of path to the filelabel string.

+// It changes the MCS label to s0 if shared is true.

+// This will allow all containers to share the content.

+func Relabel(path string, fileLabel string, shared bool) error {

+	if !selinux.SelinuxEnabled() {

 		return nil

 	}

-	if !strings.ContainsAny(relabel, "zZ") {

+

+	if fileLabel == "" {

 		return nil

 	}

-	for _, p := range exclude_path {

-		if path == p {

-			return fmt.Errorf("Relabeling of %s is not allowed", path)

-		}

-	}

-	if strings.Contains(relabel, "z") && strings.Contains(relabel, "Z") {

-		return fmt.Errorf("Bad SELinux option z and Z can not be used together")

+

+	exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}

+	if exclude_paths[path] {

+		return fmt.Errorf("Relabeling of %s is not allowed", path)

 	}

-	if strings.Contains(relabel, "z") {

+

+	if shared {

 		c := selinux.NewContext(fileLabel)

 		c["level"] = "s0"

 		fileLabel = c.Get()

@@ -161,3 +159,16 @@ func DupSecOpt(src string) []string {

 func DisableSecOpt() []string {

 	return selinux.DisableSecOpt()

 }

+

+// Validate checks that the label does not include unexpected options

+func Validate(label string) error {

+	if strings.Contains(label, "z") && strings.Contains(label, "Z") {

+		return ErrIncompatibleLabel

+	}

+	return nil

+}

+

+// IsShared checks that the label includes a "shared" mark

+func IsShared(label string) bool {

+	return strings.Contains(label, "z")

+}

@@ -1,4 +1,4 @@

-// +build arm ppc64

+// +build arm ppc64 ppc64le

 package netlink

@@ -1,4 +1,4 @@

-// +build !arm,!ppc64

+// +build !arm,!ppc64,!ppc64le

 package netlink

@@ -13,6 +13,7 @@ import (

 	"syscall"

 	"github.com/opencontainers/runc/libcontainer/cgroups"

+	"github.com/opencontainers/runc/libcontainer/configs"

 	"github.com/opencontainers/runc/libcontainer/system"

 )

@@ -138,11 +139,9 @@ func (p *setnsProcess) terminate() error {

 func (p *setnsProcess) wait() (*os.ProcessState, error) {

 	err := p.cmd.Wait()

-	if err != nil {

-		return p.cmd.ProcessState, err

-	}

-	return p.cmd.ProcessState, nil

+	// Return actual ProcessState even on Wait error

+	return p.cmd.ProcessState, err

 }

 func (p *setnsProcess) pid() int {

@@ -175,9 +174,9 @@ func (p *initProcess) externalDescriptors() []string {

 	return p.fds

 }

-func (p *initProcess) start() error {

+func (p *initProcess) start() (err error) {

 	defer p.parentPipe.Close()

-	err := p.cmd.Start()

+	err = p.cmd.Start()

 	p.childPipe.Close()

 	if err != nil {

 		return newSystemError(err)

@@ -202,6 +201,18 @@ func (p *initProcess) start() error {

 			p.manager.Destroy()

 		}

 	}()

+	if p.config.Config.Hooks != nil {

+		s := configs.HookState{

+			ID:   p.container.id,

+			Pid:  p.pid(),

+			Root: p.config.Config.Rootfs,

+		}

+		for _, hook := range p.config.Config.Hooks.Prestart {

+			if err := hook.Run(s); err != nil {

+				return newSystemError(err)

+			}

+		}

+	}

 	if err := p.createNetworkInterfaces(); err != nil {

 		return newSystemError(err)

 	}

@@ -286,9 +297,7 @@ func (p *initProcess) setExternalDescriptors(newFds []string) {

 }

 func getPipeFds(pid int) ([]string, error) {

-	var fds []string

-

-	fds = make([]string, 3)

+	fds := make([]string, 3)

 	dirPath := filepath.Join("/proc", strconv.Itoa(pid), "/fd")

 	for i := 0; i < 3; i++ {

@@ -27,6 +27,8 @@ func setupRootfs(config *configs.Config, console *linuxConsole) (err error) {

 	if err := prepareRoot(config); err != nil {

 		return newSystemError(err)

 	}

+

+	setupDev := len(config.Devices) == 0

 	for _, m := range config.Mounts {

 		for _, precmd := range m.PremountCmds {

 			if err := mountCmd(precmd); err != nil {

@@ -43,14 +45,16 @@ func setupRootfs(config *configs.Config, console *linuxConsole) (err error) {

 			}

 		}

 	}

-	if err := createDevices(config); err != nil {

-		return newSystemError(err)

-	}

-	if err := setupPtmx(config, console); err != nil {

-		return newSystemError(err)

-	}

-	if err := setupDevSymlinks(config.Rootfs); err != nil {

-		return newSystemError(err)

+	if !setupDev {

+		if err := createDevices(config); err != nil {

+			return newSystemError(err)

+		}

+		if err := setupPtmx(config, console); err != nil {

+			return newSystemError(err)

+		}

+		if err := setupDevSymlinks(config.Rootfs); err != nil {

+			return newSystemError(err)

+		}

 	}

 	if err := syscall.Chdir(config.Rootfs); err != nil {

 		return newSystemError(err)

@@ -63,8 +67,10 @@ func setupRootfs(config *configs.Config, console *linuxConsole) (err error) {

 	if err != nil {

 		return newSystemError(err)

 	}

-	if err := reOpenDevNull(config.Rootfs); err != nil {

-		return newSystemError(err)

+	if !setupDev {

+		if err := reOpenDevNull(config.Rootfs); err != nil {

+			return newSystemError(err)

+		}

 	}

 	if config.Readonlyfs {

 		if err := setReadonly(); err != nil {

@@ -131,6 +137,11 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {

 			return err

 		}

 		return syscall.Mount(m.Source, dest, m.Device, uintptr(m.Flags), data)

+	case "securityfs":

+		if err := os.MkdirAll(dest, 0755); err != nil {

+			return err

+		}

+		return syscall.Mount(m.Source, dest, m.Device, uintptr(m.Flags), data)

 	case "bind":

 		stat, err := os.Stat(m.Source)

 		if err != nil {

@@ -160,7 +171,11 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {

 			}

 		}

 		if m.Relabel != "" {

-			if err := label.Relabel(m.Source, mountLabel, m.Relabel); err != nil {

+			if err := label.Validate(m.Relabel); err != nil {

+				return err

+			}

+			shared := label.IsShared(m.Relabel)

+			if err := label.Relabel(m.Source, mountLabel, shared); err != nil {

 				return err

 			}

 		}

deleted file mode 100644

@@ -1,34 +0,0 @@

-// +build linux

-

-package seccomp

-

-import "strings"

-

-type bpfLabel struct {

-	label    string

-	location uint32

-}

-

-type bpfLabels []bpfLabel

-

-// labelIndex returns the index for the label if it exists in the slice.

-// if it does not exist in the slice it appends the label lb to the end

-// of the slice and returns the index.

-func labelIndex(labels *bpfLabels, lb string) uint32 {

-	var id uint32

-	for id = 0; id < uint32(len(*labels)); id++ {

-		if strings.EqualFold(lb, (*labels)[id].label) {

-			return id

-		}

-	}

-	*labels = append(*labels, bpfLabel{lb, 0xffffffff})

-	return id

-}

-

-func scmpBpfStmt(code uint16, k uint32) sockFilter {

-	return sockFilter{code, 0, 0, k}

-}

-

-func scmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter {

-	return sockFilter{code, jt, jf, k}

-}

new file mode 100644

@@ -0,0 +1,53 @@

+package seccomp

+

+import (

+	"fmt"

+

+	"github.com/opencontainers/runc/libcontainer/configs"

+)

+

+// ConvertStringToOperator converts a string into a Seccomp comparison operator.

+// Comparison operators use the names they are assigned by Libseccomp's header.

+// Attempting to convert a string that is not a valid operator results in an

+// error.

+func ConvertStringToOperator(in string) (configs.Operator, error) {

+	switch in {

+	case "SCMP_CMP_NE":

+		return configs.NotEqualTo, nil

+	case "SCMP_CMP_LT":