From 2db754f3ee37a088b5417b8bade535f9f82acfa7 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Wed, 30 Apr 2014 17:18:07 -0700 Subject: [PATCH] Export more functions from libcontainer Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) --- libcontainer/nsinit/command.go | 16 +++------------- libcontainer/nsinit/exec.go | 11 +++++++++++ libcontainer/nsinit/execin.go | 2 +- libcontainer/nsinit/init.go | 15 +++++++-------- libcontainer/nsinit/unsupported.go | 4 ++++ 5 files changed, 26 insertions(+), 22 deletions(-) diff --git a/libcontainer/nsinit/command.go b/libcontainer/nsinit/command.go index 153a48a..3c7a035 100644 --- a/libcontainer/nsinit/command.go +++ b/libcontainer/nsinit/command.go @@ -1,10 +1,11 @@ package nsinit import ( - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/system" "os" "os/exec" + + "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/dotcloud/docker/pkg/system" ) // CommandFactory takes the container's configuration and options passed by the @@ -34,14 +35,3 @@ func (c *DefaultCommandFactory) Create(container *libcontainer.Container, consol command.ExtraFiles = []*os.File{pipe} return command } - -// GetNamespaceFlags parses the container's Namespaces options to set the correct -// flags on clone, unshare, and setns -func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) { - for _, ns := range namespaces { - if ns.Enabled { - flag |= ns.Value - } - } - return flag -} diff --git a/libcontainer/nsinit/exec.go b/libcontainer/nsinit/exec.go index 64d35e5..45a2a8b 100644 --- a/libcontainer/nsinit/exec.go +++ b/libcontainer/nsinit/exec.go 
@@ -142,3 +142,14 @@ func DeletePid(path string) error {
 }
 return err
 }
+
+// GetNamespaceFlags parses the container's Namespaces options to set the correct
+// flags on clone, unshare, and setns
+func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
+ for _, ns := range namespaces {
+ if ns.Enabled {
+ flag |= ns.Value
+ }
+ }
+ return flag
+}
diff --git a/libcontainer/nsinit/execin.go b/libcontainer/nsinit/execin.go
index c4ddb78..8507d9b 100644
--- a/libcontainer/nsinit/execin.go
+++ b/libcontainer/nsinit/execin.go
@@ -82,7 +82,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s
 os.Exit(state.Sys().(syscall.WaitStatus).ExitStatus())
 }
 dropAndExec:
- if err := finalizeNamespace(container); err != nil {
+ if err := FinalizeNamespace(container); err != nil {
 return -1, err
 }
 err = label.SetProcessLabel(processLabel)
diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go
index 52708f4..02785bf 100644
--- a/libcontainer/nsinit/init.go
+++ b/libcontainer/nsinit/init.go
@@ -54,23 +54,22 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol } label.Init() + if err := mount.InitializeMountNamespace(rootfs, consolePath, container); err != nil { return fmt.Errorf("setup mount namespace %s", err) } if err := system.Sethostname(container.Hostname); err != nil { return fmt.Errorf("sethostname %s", err) } - if err := finalizeNamespace(container); err != nil { + if err := FinalizeNamespace(container); err != nil { return fmt.Errorf("finalize namespace %s", err) } - if profile := container.Context["apparmor_profile"]; profile != "" { - if err := apparmor.ApplyProfile(os.Getpid(), profile); err != nil { - return err - } - } runtime.LockOSThread() + if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil { + return err + } if err := label.SetProcessLabel(container.Context["process_label"]); err != nil { return fmt.Errorf("set process label %s", err) } @@ -113,10 +112,10 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex return nil } -// finalizeNamespace drops the caps, sets the correct user +// FinalizeNamespace drops the caps, sets the correct user // and working dir, and closes any leaky file descriptors // before execing the command inside the namespace -func finalizeNamespace(container *libcontainer.Container) error { +func FinalizeNamespace(container *libcontainer.Container) error { if err := capabilities.DropCapabilities(container); err != nil { return fmt.Errorf("drop capabilities %s", err) } diff --git a/libcontainer/nsinit/unsupported.go b/libcontainer/nsinit/unsupported.go index 135c0ef..6274870 100644 --- a/libcontainer/nsinit/unsupported.go +++ b/libcontainer/nsinit/unsupported.go 
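Review bot: `apparmor.ApplyProfile` is now called unconditionally in `Init`, so an empty `container.Context["apparmor_profile"]` is passed straight through where the removed code skipped the call. That is only safe if `ApplyProfile` treats an empty name (or a host without AppArmor) as a no-op, which is not visible in this diff; it is worth confirming and recording at the call site, e.g. `// ApplyProfile must be a no-op when the profile name is empty`. The call also returns the bare error while every neighbouring step wraps it, so `return fmt.Errorf("apply apparmor profile %s", err)` would keep a confinement failure identifiable in the init error path. The call has additionally moved to after `runtime.LockOSThread()`, which looks intentional but deserves a one-line why-comment. `Init` begins and ends outside this hunk.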
@@ -17,3 +17,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s
 func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, console string, syncPipe *SyncPipe, args []string) error {
 return libcontainer.ErrUnsupported
 }
+
+func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
+ return 0
+}
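Review bot: The `GetNamespaceFlags` stub added to unsupported.go has no doc comment and returns 0, which is indistinguishable from a container that legitimately has no namespaces enabled, so a caller on an unsupported platform gets no signal that isolation flags were never computed. A comment such as `// GetNamespaceFlags is a stub on unsupported platforms and always returns 0; callers must not use the result as clone flags.` would make that explicit. This commit also exports `FinalizeNamespace`, but no matching stub is added here; if init.go is built only on Linux (its build constraints are not visible in this diff), external callers of the newly exported function would fail to compile on other platforms.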