Diffstat (limited to 'pkg/spec')
-rw-r--r--pkg/spec/config_linux.go25
-rw-r--r--pkg/spec/createconfig.go8
-rw-r--r--pkg/spec/spec.go15
3 files changed, 34 insertions, 14 deletions
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index eccd41ff9..a1873086e 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -46,19 +46,32 @@ func devicesFromPath(g *generate.Generator, devicePath string) error {
return errors.Wrapf(err, "cannot stat %s", devicePath)
}
if st.IsDir() {
+ found := false
+ src := resolvedDevicePath
+ dest := src
+ var devmode string
+ if len(devs) > 1 {
+ if len(devs[1]) > 0 && devs[1][0] == '/' {
+ dest = devs[1]
+ } else {
+ devmode = devs[1]
+ }
+ }
if len(devs) > 2 {
- return errors.Wrapf(unix.EINVAL, "not allowed to specify destination with a directory %s", devicePath)
+ if devmode != "" {
+ return errors.Wrapf(unix.EINVAL, "invalid device specification %s", devicePath)
+ }
+ devmode = devs[2]
}
- found := false
+
// mount the internal devices recursively
if err := filepath.Walk(resolvedDevicePath, func(dpath string, f os.FileInfo, e error) error {
if f.Mode()&os.ModeDevice == os.ModeDevice {
found = true
- device := dpath
-
- if len(devs) > 1 {
- device = fmt.Sprintf("%s:%s", dpath, devs[1])
+ device := fmt.Sprintf("%s:%s", dpath, filepath.Join(dest, strings.TrimPrefix(dpath, src)))
+ if devmode != "" {
+ device = fmt.Sprintf("%s:%s", device, devmode)
}
if err := addDevice(g, device); err != nil {
return errors.Wrapf(err, "failed to add %s device", dpath)
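Review bot: The new field parsing accepts an empty middle field silently: with a spec of the form `SRC::MODE`, the test `if len(devs[1]) > 0 && devs[1][0] == '/'` leaves `dest == src` and `devmode` empty, so `devs[2]` becomes the mode and the stray empty field is never reported, while any non-absolute second field (a mistyped destination such as `dev/foo`) is passed on as a mode string and surfaces, if at all, from addDevice rather than from this parser. Adding `if devs[1] == "" { return errors.Wrapf(unix.EINVAL, "invalid device specification %s", devicePath) }` ahead of that `if` makes the empty case fail here with the message the hunk already uses. The three-form grammar is worth one comment above `var devmode string`, e.g. `// devs is SRC[:DEST][:MODE]; DEST must be absolute, any other second field is taken as MODE`. devicesFromPath starts and ends outside the hunk, and the hunk relies on `strings` being imported in this file, which is not visible here.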
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 31039bfdf..118fbad72 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -9,6 +9,7 @@ import (
"strings"
"syscall"
+ "github.com/containers/image/manifest"
"github.com/containers/libpod/libpod"
"github.com/containers/libpod/pkg/namespaces"
"github.com/containers/libpod/pkg/rootless"
@@ -86,6 +87,7 @@ type CreateConfig struct {
Env map[string]string //env
ExposedPorts map[nat.Port]struct{}
GroupAdd []string // group-add
+ HealthCheck *manifest.Schema2HealthConfig
HostAdd []string //add-host
Hostname string //hostname
Image string
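Review bot: The new `HealthCheck` field has no trailing comment, while most of its neighbours in CreateConfig (`//env`, `// group-add`, `//add-host`, `//hostname`) name what populates them. Since the only visible consumer treats nil as "no health check", a comment such as `HealthCheck *manifest.Schema2HealthConfig // health check configuration; nil means none` documents the contract. The struct definition continues outside the hunk.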
@@ -361,7 +363,7 @@ func (c *CreateConfig) createExitCommand() []string {
command = append(command, []string{"--storage-driver", config.StorageConfig.GraphDriverName}...)
}
if c.Syslog {
- command = append(command, "--syslog")
+ command = append(command, "--syslog", "true")
}
command = append(command, []string{"container", "cleanup"}...)
@@ -559,6 +561,10 @@ func (c *CreateConfig) GetContainerCreateOptions(runtime *libpod.Runtime, pod *l
// Always use a cleanup process to clean up Podman after termination
options = append(options, libpod.WithExitCommand(c.createExitCommand()))
+ if c.HealthCheck != nil {
+ options = append(options, libpod.WithHealthCheck(c.HealthCheck))
+ logrus.Debugf("New container has a health check")
+ }
return options, nil
}
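Review bot: `c.HealthCheck` is passed to `libpod.WithHealthCheck` with no check on its contents, so a config whose command list is empty (or carries the `NONE` entry that image configs use to disable an inherited check) would still be registered as a health check, unless WithHealthCheck itself rejects it, which is outside this hunk. Assuming Schema2HealthConfig's `Test` field is the command list as in the image spec, a guard such as `if c.HealthCheck != nil && len(c.HealthCheck.Test) > 0 {` keeps the nil case and skips an empty test list; the `NONE` convention has to be handled wherever the image config is translated into this field. Separately, `logrus.Debugf("New container has a health check")` has no format verbs, so `logrus.Debug(...)` says the same without going through the format path. GetContainerCreateOptions starts outside the hunk.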
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 28a636fa6..a61741f73 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -9,7 +9,7 @@ import (
"github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/mount"
pmount "github.com/containers/storage/pkg/mount"
- "github.com/docker/docker/daemon/caps"
+ "github.com/docker/docker/oci/caps"
"github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/user"
spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -454,10 +454,6 @@ func findMount(target string, mounts []*pmount.Info) (*pmount.Info, error) {
}
func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) {
- if config.PidMode.IsHost() && rootless.IsRootless() {
- return
- }
-
if !config.Privileged {
for _, mp := range []string{
"/proc/acpi",
@@ -469,10 +465,15 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
+ "/sys/fs/selinux",
} {
g.AddLinuxMaskedPaths(mp)
}
+ if config.PidMode.IsHost() && rootless.IsRootless() {
+ return
+ }
+
for _, rp := range []string{
"/proc/asound",
"/proc/bus",
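Review bot: The relocated early return at `if config.PidMode.IsHost() && rootless.IsRootless()` now skips only the read-only paths (the list beginning at `/proc/asound`) while the masked paths above it are still applied, but nothing says why that combination cannot take the read-only remounts, and a reader will not see that in rootless mode with the host PID namespace everything in that list stays writable inside the container. A comment above the check, e.g. `// rootless with the host PID namespace: the read-only remounts below are skipped here (reason: presumably they cannot be applied from an unprivileged user namespace — confirm); masked paths above are still applied`, records both the reason and the reduced hardening. The same point covers the deletion in the previous hunk of this function, which removed the old whole-function early return. blockAccessToKernelFilesystems ends outside the hunk.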
@@ -624,7 +625,7 @@ func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error {
if useNotRoot(config.User) {
configSpec.Process.Capabilities.Bounding = caplist
}
- caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop)
+ caplist, err = caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop, nil, false)
if err != nil {
return err
}
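Review bot: The two new trailing arguments in `caps.TweakCapabilities(configSpec.Process.Capabilities.Bounding, config.CapAdd, config.CapDrop, nil, false)` are bare literals with nothing saying what they stand for; as far as I know the oci/caps signature, they are an explicit capability list and the privileged flag, and passing `false` unconditionally is only correct if privileged containers are handled before this point, which is outside the hunk. A trailing comment on the call, `// no explicit capability set; privileged containers do not reach this call`, or a named `privileged := false` local, would make that assumption visible for the next change to this function. The same applies to the identical call in the next hunk (`caps.TweakCapabilities(bounding, ...)`). setupCapabilities starts and ends outside the hunk.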
@@ -635,7 +636,7 @@ func setupCapabilities(config *CreateConfig, configSpec *spec.Spec) error {
configSpec.Process.Capabilities.Effective = caplist
configSpec.Process.Capabilities.Ambient = caplist
if useNotRoot(config.User) {
- caplist, err = caps.TweakCapabilities(bounding, config.CapAdd, config.CapDrop)
+ caplist, err = caps.TweakCapabilities(bounding, config.CapAdd, config.CapDrop, nil, false)
if err != nil {
return err
}