18 files changed, 185 insertions, 88 deletions
diff --git a/pkg/api/handlers/events.go b/pkg/api/handlers/events.go
index 44bf35254..22dad9923 100644
--- a/pkg/api/handlers/events.go
+++ b/pkg/api/handlers/events.go
@@ -1,19 +1,24 @@
 package handlers
 
 import (
+	"encoding/json"
 	"fmt"
 	"net/http"
-	"strings"
-	"time"
 
+	"github.com/containers/libpod/libpod/events"
 	"github.com/containers/libpod/pkg/api/handlers/utils"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )
 
 func GetEvents(w http.ResponseWriter, r *http.Request) {
+	var (
+		fromStart   bool
+		eventsError error
+	)
 	query := struct {
-		Since   time.Time           `schema:"since"`
-		Until   time.Time           `schema:"until"`
+		Since   string              `schema:"since"`
+		Until   string              `schema:"until"`
 		Filters map[string][]string `schema:"filters"`
 	}{}
 	if err := decodeQuery(r, &query); err != nil {
@@ -27,15 +32,30 @@ func GetEvents(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	libpodEvents, err := getRuntime(r).GetEvents(libpodFilters)
-	if err != nil {
-		utils.BadRequest(w, "filters", strings.Join(r.URL.Query()["filters"], ", "), err)
+	if len(query.Since) > 0 || len(query.Until) > 0 {
+		fromStart = true
+	}
+	eventChannel := make(chan *events.Event)
+	go func() {
+		readOpts := events.ReadOptions{FromStart: fromStart, Stream: true, Filters: libpodFilters, EventChannel: eventChannel, Since: query.Since, Until: query.Until}
+		eventsError = getRuntime(r).Events(readOpts)
+	}()
+	if eventsError != nil {
+		utils.InternalServerError(w, eventsError)
 		return
 	}
-
-	var apiEvents = make([]*Event, len(libpodEvents))
-	for _, v := range libpodEvents {
-		apiEvents = append(apiEvents, EventToApiEvent(v))
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	for event := range eventChannel {
+		e := EventToApiEvent(event)
+		//utils.WriteJSON(w, http.StatusOK, e)
+		coder := json.NewEncoder(w)
+		coder.SetEscapeHTML(true)
+		if err := coder.Encode(e); err != nil {
+			logrus.Errorf("unable to write json: %q", err)
+		}
+		if flusher, ok := w.(http.Flusher); ok {
+			flusher.Flush()
+		}
 	}
-	utils.WriteJSON(w, http.StatusOK, apiEvents)
 }
diff --git a/pkg/api/handlers/generic/containers_stats.go b/pkg/api/handlers/generic/containers_stats.go
index f8804b5c0..cbc1be2f0 100644
--- a/pkg/api/handlers/generic/containers_stats.go
+++ b/pkg/api/handlers/generic/containers_stats.go
@@ -19,9 +19,6 @@ import (
 const DefaultStatsPeriod = 5 * time.Second
 
 func StatsContainer(w http.ResponseWriter, r *http.Request) {
-	// 200 no error
-	// 404 no such
-	// 500 internal
 	runtime := r.Context().Value("runtime").(*libpod.Runtime)
 	decoder := r.Context().Value("decoder").(*schema.Decoder)
 
diff --git a/pkg/api/handlers/libpod/containers.go b/pkg/api/handlers/libpod/containers.go
index a64ed446c..e11e26510 100644
--- a/pkg/api/handlers/libpod/containers.go
+++ b/pkg/api/handlers/libpod/containers.go
@@ -56,7 +56,7 @@ func ListContainers(w http.ResponseWriter, r *http.Request) {
 	decoder := r.Context().Value("decoder").(*schema.Decoder)
 	query := struct {
 		All       bool                `schema:"all"`
-		Filter    map[string][]string `schema:"filter"`
+		Filters   map[string][]string `schema:"filters"`
 		Last      int                 `schema:"last"`
 		Namespace bool                `schema:"namespace"`
 		Pod       bool                `schema:"pod"`
@@ -71,6 +71,7 @@ func ListContainers(w http.ResponseWriter, r *http.Request) {
 			errors.Wrapf(err, "Failed to parse parameters for %s", r.URL.String()))
 		return
 	}
+
 	runtime := r.Context().Value("runtime").(*libpod.Runtime)
 	opts := shared.PsOptions{
 		All:       query.All,
@@ -82,8 +83,8 @@ func ListContainers(w http.ResponseWriter, r *http.Request) {
 		Pod:       query.Pod,
 		Sync:      query.Sync,
 	}
-	if len(query.Filter) > 0 {
-		for k, v := range query.Filter {
+	if len(query.Filters) > 0 {
+		for k, v := range query.Filters {
 			for _, val := range v {
 				generatedFunc, err := shared.GenerateContainerFilterFuncs(k, val, runtime)
 				if err != nil {
diff --git a/pkg/api/handlers/libpod/images.go b/pkg/api/handlers/libpod/images.go
index f6459f1eb..bcbe4977e 100644
--- a/pkg/api/handlers/libpod/images.go
+++ b/pkg/api/handlers/libpod/images.go
@@ -304,7 +304,7 @@ func ImagesPull(w http.ResponseWriter, r *http.Request) {
 		return
 	} else if err != nil {
 		origErr := err
-		imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s:%s", docker.Transport.Name(), query.Reference))
+		imageRef, err = alltransports.ParseImageName(fmt.Sprintf("%s://%s", docker.Transport.Name(), query.Reference))
 		if err != nil {
 			utils.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest,
 				errors.Wrapf(origErr, "reference %q must be a docker reference", query.Reference))
diff --git a/pkg/api/server/register_events.go b/pkg/api/server/register_events.go
index a32244f4d..090f66323 100644
--- a/pkg/api/server/register_events.go
+++ b/pkg/api/server/register_events.go
@@ -29,7 +29,7 @@ func (s *APIServer) RegisterEventsHandlers(r *mux.Router) error {
 	//   description: JSON encoded map[string][]string of constraints
 	// responses:
 	//   200:
-	//     $ref: "#/responses/ok"
+	//     description: returns a string of json data describing an event
 	//   500:
 	//     "$ref": "#/responses/InternalError"
 	r.Handle(VersionedPath("/events"), APIHandler(s.Context, handlers.GetEvents))
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index 7bb0f5481..87b11b716 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -106,6 +106,7 @@ func newServer(runtime *libpod.Runtime, duration time.Duration, listener *net.Li
 		server.RegisterContainersHandlers,
 		server.RegisterDistributionHandlers,
 		server.registerExecHandlers,
+		server.RegisterEventsHandlers,
 		server.registerHealthCheckHandlers,
 		server.registerImagesHandlers,
 		server.registerInfoHandlers,
diff --git a/pkg/bindings/connection.go b/pkg/bindings/connection.go
index 116af9709..f270060a6 100644
--- a/pkg/bindings/connection.go
+++ b/pkg/bindings/connection.go
@@ -130,7 +130,7 @@ func (c *Connection) DoRequest(httpBody io.Reader, httpMethod, endpoint string,
 		// if more desirable we could use url to form the encoded endpoint with params
 		r := req.URL.Query()
 		for k, v := range queryParams {
-			r.Add(k, url.QueryEscape(v))
+			r.Add(k, v)
 		}
 		req.URL.RawQuery = r.Encode()
 	}
@@ -155,18 +155,14 @@ func GetConnectionFromContext(ctx context.Context) (*Connection, error) {
 	return conn, nil
 }
 
-// FiltersToHTML converts our typical filter format of a
+// FiltersToString converts our typical filter format of a
 // map[string][]string to a query/html safe string.
-func FiltersToHTML(filters map[string][]string) (string, error) {
+func FiltersToString(filters map[string][]string) (string, error) {
 	lowerCaseKeys := make(map[string][]string)
 	for k, v := range filters {
 		lowerCaseKeys[strings.ToLower(k)] = v
 	}
-	unsafeString, err := jsoniter.MarshalToString(lowerCaseKeys)
-	if err != nil {
-		return "", err
-	}
-	return url.QueryEscape(unsafeString), nil
+	return jsoniter.MarshalToString(lowerCaseKeys)
 }
 
 // IsInformation returns true if the response code is 1xx
diff --git a/pkg/bindings/containers/containers.go b/pkg/bindings/containers/containers.go
index 334a656d4..04f7f8802 100644
--- a/pkg/bindings/containers/containers.go
+++ b/pkg/bindings/containers/containers.go
@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/containers/libpod/cmd/podman/shared"
 	"github.com/containers/libpod/libpod"
+	lpapiv2 "github.com/containers/libpod/pkg/api/handlers/libpod"
 	"github.com/containers/libpod/pkg/bindings"
 )
 
@@ -15,13 +15,16 @@ import (
 // the most recent number of containers.  The pod and size booleans indicate that pod information and rootfs
 // size information should also be included.  Finally, the sync bool synchronizes the OCI runtime and
 // container state.
-func List(ctx context.Context, filters map[string][]string, last *int, pod, size, sync *bool) ([]*shared.PsContainerOutput, error) { // nolint:typecheck
+func List(ctx context.Context, filters map[string][]string, all *bool, last *int, pod, size, sync *bool) ([]lpapiv2.ListContainer, error) { // nolint:typecheck
 	conn, err := bindings.GetConnectionFromContext(ctx)
 	if err != nil {
 		return nil, err
 	}
-	var images []*shared.PsContainerOutput
+	var containers []lpapiv2.ListContainer
 	params := make(map[string]string)
+	if all != nil {
+		params["all"] = strconv.FormatBool(*all)
+	}
 	if last != nil {
 		params["last"] = strconv.Itoa(*last)
 	}
@@ -35,7 +38,7 @@ func List(ctx context.Context, filters map[string][]string, last *int, pod, size
 		params["sync"] = strconv.FormatBool(*sync)
 	}
 	if filters != nil {
-		filterString, err := bindings.FiltersToHTML(filters)
+		filterString, err := bindings.FiltersToString(filters)
 		if err != nil {
 			return nil, err
 		}
@@ -43,9 +46,9 @@ func List(ctx context.Context, filters map[string][]string, last *int, pod, size
 	}
 	response, err := conn.DoRequest(nil, http.MethodGet, "/containers/json", params)
 	if err != nil {
-		return images, err
+		return containers, err
 	}
-	return images, response.Process(nil)
+	return containers, response.Process(&containers)
 }
 
 // Prune removes stopped and exited containers from local storage.  The optional filters can be
@@ -62,7 +65,7 @@ func Prune(ctx context.Context, filters map[string][]string) ([]string, error) {
 	}
 	params := make(map[string]string)
 	if filters != nil {
-		filterString, err := bindings.FiltersToHTML(filters)
+		filterString, err := bindings.FiltersToString(filters)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/bindings/images/images.go b/pkg/bindings/images/images.go
index deaf93f0e..b19482943 100644
--- a/pkg/bindings/images/images.go
+++ b/pkg/bindings/images/images.go
@@ -38,7 +38,7 @@ func List(ctx context.Context, all *bool, filters map[string][]string) ([]*handl
 		params["all"] = strconv.FormatBool(*all)
 	}
 	if filters != nil {
-		strFilters, err := bindings.FiltersToHTML(filters)
+		strFilters, err := bindings.FiltersToString(filters)
 		if err != nil {
 			return nil, err
 		}
@@ -155,7 +155,7 @@ func Prune(ctx context.Context, filters map[string][]string) ([]string, error) {
 	}
 	params := make(map[string]string)
 	if filters != nil {
-		stringFilter, err := bindings.FiltersToHTML(filters)
+		stringFilter, err := bindings.FiltersToString(filters)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/bindings/images/search.go b/pkg/bindings/images/search.go
index d98ddf18d..58b25425b 100644
--- a/pkg/bindings/images/search.go
+++ b/pkg/bindings/images/search.go
@@ -26,7 +26,7 @@ func Search(ctx context.Context, term string, limit *int, filters map[string][]s
 		params["limit"] = strconv.Itoa(*limit)
 	}
 	if filters != nil {
-		stringFilter, err := bindings.FiltersToHTML(filters)
+		stringFilter, err := bindings.FiltersToString(filters)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/bindings/pods/pods.go b/pkg/bindings/pods/pods.go
index a6b74c21d..d079f01c2 100644
--- a/pkg/bindings/pods/pods.go
+++ b/pkg/bindings/pods/pods.go
@@ -97,7 +97,7 @@ func List(ctx context.Context, filters map[string][]string) (*[]libpod.PodInspec
 	}
 	params := make(map[string]string)
 	if filters != nil {
-		stringFilter, err := bindings.FiltersToHTML(filters)
+		stringFilter, err := bindings.FiltersToString(filters)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
new file mode 100644
index 000000000..dcf255378
--- /dev/null
+++ b/pkg/seccomp/seccomp.go
@@ -0,0 +1,54 @@
+package seccomp
+
+import (
+	"sort"
+
+	"github.com/pkg/errors"
+)
+
+// ContianerImageLabel is the key of the image annotation embedding a seccomp
+// profile.
+const ContainerImageLabel = "io.containers.seccomp.profile"
+
+// Policy denotes a seccomp policy.
+type Policy int
+
+const (
+	// PolicyDefault - if set use SecurityConfig.SeccompProfilePath,
+	// otherwise use the default profile.  The SeccompProfilePath might be
+	// explicitly set by the user.
+	PolicyDefault Policy = iota
+	// PolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
+	// otherwise follow SeccompPolicyDefault.
+	PolicyImage
+)
+
+// Map for easy lookups of supported policies.
+var supportedPolicies = map[string]Policy{
+	"":        PolicyDefault,
+	"default": PolicyDefault,
+	"image":   PolicyImage,
+}
+
+// LookupPolicy looksup the corresponding Policy for the specified
+// string. If none is found, an errors is returned including the list of
+// supported policies.
+//
+// Note that an empty string resolved to SeccompPolicyDefault.
+func LookupPolicy(s string) (Policy, error) {
+	policy, exists := supportedPolicies[s]
+	if exists {
+		return policy, nil
+	}
+
+	// Sort the keys first as maps are non-deterministic.
+	keys := []string{}
+	for k := range supportedPolicies {
+		if k != "" {
+			keys = append(keys, k)
+		}
+	}
+	sort.Strings(keys)
+
+	return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
+}
diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index 32d8cb4de..5f39b6d0d 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	"github.com/containers/libpod/pkg/rootless"
@@ -90,6 +91,42 @@ func devicesFromPath(g *generate.Generator, devicePath string) error {
 	return addDevice(g, strings.Join(append([]string{resolvedDevicePath}, devs[1:]...), ":"))
 }
 
+func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error {
+	for _, deviceCgroupRule := range deviceCgroupRules {
+		if err := validateDeviceCgroupRule(deviceCgroupRule); err != nil {
+			return err
+		}
+		ss := parseDeviceCgroupRule(deviceCgroupRule)
+		if len(ss[0]) != 5 {
+			return errors.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
+		}
+		matches := ss[0]
+		var major, minor *int64
+		if matches[2] == "*" {
+			majorDev := int64(-1)
+			major = &majorDev
+		} else {
+			majorDev, err := strconv.ParseInt(matches[2], 10, 64)
+			if err != nil {
+				return errors.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
+			}
+			major = &majorDev
+		}
+		if matches[3] == "*" {
+			minorDev := int64(-1)
+			minor = &minorDev
+		} else {
+			minorDev, err := strconv.ParseInt(matches[2], 10, 64)
+			if err != nil {
+				return errors.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
+			}
+			minor = &minorDev
+		}
+		g.AddLinuxResourcesDevice(true, matches[1], major, minor, matches[4])
+	}
+	return nil
+}
+
 func addDevice(g *generate.Generator, device string) error {
 	src, dst, permissions, err := ParseDevice(device)
 	if err != nil {
diff --git a/pkg/spec/config_linux_cgo.go b/pkg/spec/config_linux_cgo.go
index ae83c9d52..05f42c4da 100644
--- a/pkg/spec/config_linux_cgo.go
+++ b/pkg/spec/config_linux_cgo.go
@@ -5,9 +5,10 @@ package createconfig
 import (
 	"io/ioutil"
 
+	"github.com/containers/libpod/pkg/seccomp"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
-	seccomp "github.com/seccomp/containers-golang"
+	goSeccomp "github.com/seccomp/containers-golang"
 	"github.com/sirupsen/logrus"
 )
 
@@ -15,9 +16,9 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
 	var seccompConfig *spec.LinuxSeccomp
 	var err error
 
-	if config.SeccompPolicy == SeccompPolicyImage && config.SeccompProfileFromImage != "" {
+	if config.SeccompPolicy == seccomp.PolicyImage && config.SeccompProfileFromImage != "" {
 		logrus.Debug("Loading seccomp profile from the security config")
-		seccompConfig, err = seccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
+		seccompConfig, err = goSeccomp.LoadProfile(config.SeccompProfileFromImage, configSpec)
 		if err != nil {
 			return nil, errors.Wrap(err, "loading seccomp profile failed")
 		}
@@ -30,13 +31,13 @@ func getSeccompConfig(config *SecurityConfig, configSpec *spec.Spec) (*spec.Linu
 		if err != nil {
 			return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
-		seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec)
+		seccompConfig, err = goSeccomp.LoadProfile(string(seccompProfile), configSpec)
 		if err != nil {
 			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
 	} else {
 		logrus.Debug("Loading default seccomp profile")
-		seccompConfig, err = seccomp.GetDefaultProfile(configSpec)
+		seccompConfig, err = goSeccomp.GetDefaultProfile(configSpec)
 		if err != nil {
 			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
 		}
diff --git a/pkg/spec/config_unsupported.go b/pkg/spec/config_unsupported.go
index a2c7f4416..be3e7046d 100644
--- a/pkg/spec/config_unsupported.go
+++ b/pkg/spec/config_unsupported.go
@@ -30,3 +30,7 @@ func makeThrottleArray(throttleInput []string, rateType int) ([]spec.LinuxThrott
 func devicesFromPath(g *generate.Generator, devicePath string) error {
 	return errors.New("function not implemented")
 }
+
+func deviceCgroupRules(g *generate.Generator, deviceCgroupRules []string) error {
+	return errors.New("function not implemented")
+}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index fb222083b..8010be0d4 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -2,7 +2,6 @@ package createconfig
 
 import (
 	"os"
-	"sort"
 	"strconv"
 	"strings"
 	"syscall"
@@ -11,6 +10,7 @@ import (
 	"github.com/containers/libpod/libpod"
 	"github.com/containers/libpod/libpod/define"
 	"github.com/containers/libpod/pkg/namespaces"
+	"github.com/containers/libpod/pkg/seccomp"
 	"github.com/containers/storage"
 	"github.com/docker/go-connections/nat"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -38,6 +38,7 @@ type CreateResourceConfig struct {
 	CPUs              float64  // cpus
 	CPUsetCPUs        string
 	CPUsetMems        string   // cpuset-mems
+	DeviceCgroupRules []string //device-cgroup-rule
 	DeviceReadBps     []string // device-read-bps
 	DeviceReadIOps    []string // device-read-iops
 	DeviceWriteBps    []string // device-write-bps
@@ -107,48 +108,6 @@ type NetworkConfig struct {
 	PublishAll   bool     //publish-all
 }
 
-// SeccompPolicy determines which seccomp profile gets applied to the container.
-type SeccompPolicy int
-
-const (
-	// SeccompPolicyDefault - if set use SecurityConfig.SeccompProfilePath,
-	// otherwise use the default profile.  The SeccompProfilePath might be
-	// explicitly set by the user.
-	SeccompPolicyDefault SeccompPolicy = iota
-	// SeccompPolicyImage - if set use SecurityConfig.SeccompProfileFromImage,
-	// otherwise follow SeccompPolicyDefault.
-	SeccompPolicyImage
-)
-
-// Map for easy lookups of supported policies.
-var supportedSeccompPolicies = map[string]SeccompPolicy{
-	"":        SeccompPolicyDefault,
-	"default": SeccompPolicyDefault,
-	"image":   SeccompPolicyImage,
-}
-
-// LookupSeccompPolicy looksup the corresponding SeccompPolicy for the specified
-// string. If none is found, an errors is returned including the list of
-// supported policies.
-// Note that an empty string resolved to SeccompPolicyDefault.
-func LookupSeccompPolicy(s string) (SeccompPolicy, error) {
-	policy, exists := supportedSeccompPolicies[s]
-	if exists {
-		return policy, nil
-	}
-
-	// Sort the keys first as maps are non-deterministic.
-	keys := []string{}
-	for k := range supportedSeccompPolicies {
-		if k != "" {
-			keys = append(keys, k)
-		}
-	}
-	sort.Strings(keys)
-
-	return -1, errors.Errorf("invalid seccomp policy %q: valid policies are %+q", s, keys)
-}
-
 // SecurityConfig configures the security features for the container
 type SecurityConfig struct {
 	CapAdd                  []string // cap-add
@@ -158,7 +117,7 @@ type SecurityConfig struct {
 	ApparmorProfile         string   //SecurityOpts
 	SeccompProfilePath      string   //SecurityOpts
 	SeccompProfileFromImage string   // seccomp profile from the container image
-	SeccompPolicy           SeccompPolicy
+	SeccompPolicy           seccomp.Policy
 	SecurityOpts            []string
 	Privileged              bool              //privileged
 	ReadOnlyRootfs          bool              //read-only
diff --git a/pkg/spec/parse.go b/pkg/spec/parse.go
index 6fa0b0636..a5dfccdb9 100644
--- a/pkg/spec/parse.go
+++ b/pkg/spec/parse.go
@@ -2,12 +2,17 @@ package createconfig
 
 import (
 	"fmt"
+	"regexp"
 	"strconv"
 	"strings"
 
 	"github.com/docker/go-units"
+	"github.com/pkg/errors"
 )
 
+// deviceCgroupRulegex defines the valid format of device-cgroup-rule
+var deviceCgroupRuleRegex = regexp.MustCompile(`^([acb]) ([0-9]+|\*):([0-9]+|\*) ([rwm]{1,3})$`)
+
 // Pod signifies a kernel namespace is being shared
 // by a container with the pod it is associated with
 const Pod = "pod"
@@ -205,3 +210,16 @@ func IsValidDeviceMode(mode string) bool {
 	}
 	return true
 }
+
+// validateDeviceCgroupRule validates the format of deviceCgroupRule
+func validateDeviceCgroupRule(deviceCgroupRule string) error {
+	if !deviceCgroupRuleRegex.MatchString(deviceCgroupRule) {
+		return errors.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
+	}
+	return nil
+}
+
+// parseDeviceCgroupRule matches and parses the deviceCgroupRule into slice
+func parseDeviceCgroupRule(deviceCgroupRule string) [][]string {
+	return deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
+}
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index cae055bb0..b2a152a2d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -232,6 +232,12 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 				return nil, err
 			}
 		}
+		if len(config.Resources.DeviceCgroupRules) != 0 {
+			if err := deviceCgroupRules(&g, config.Resources.DeviceCgroupRules); err != nil {
+				return nil, err
+			}
+			addedResources = true
+		}
 	}
 
 	// SECURITY OPTS