JavaMuller
diff --git a/‎src/main/java/com/github/dockerjava/api/command/StartContainerCmd.java‎
Lines changed: 8 additions & 7 deletions b/‎src/main/java/com/github/dockerjava/api/command/StartContainerCmd.java‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎src/main/java/com/github/dockerjava/api/model/Capability.java‎
Lines changed: 329 additions & 0 deletions b/‎src/main/java/com/github/dockerjava/api/model/Capability.java‎
Lines changed: 329 additions & 0 deletions
@@ -3,6 +3,7 @@
 import com.github.dockerjava.api.NotFoundException;
 import com.github.dockerjava.api.NotModifiedException;
 import com.github.dockerjava.api.model.Bind;
+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.Device;
 import com.github.dockerjava.api.model.Link;
 import com.github.dockerjava.api.model.LxcConf;
@@ -41,9 +42,9 @@ public interface StartContainerCmd extends DockerCmd<Void> {
 
 	public RestartPolicy getRestartPolicy();
 
-	public String[] getCapAdd();
+	public Capability[] getCapAdd();
 
-	public String[] getCapDrop();
+	public Capability[] getCapDrop();
 
 	public StartContainerCmd withBinds(Bind... binds);
 
@@ -115,18 +116,18 @@ public interface StartContainerCmd extends DockerCmd<Void> {
 	/**
 	 * Add linux <a
 	 * href="http://man7.org/linux/man-pages/man7/capabilities.7.html">kernel
-	 * capability</a> to the container. For example: adding capability "MKNOD"
+	 * capability</a> to the container. For example: adding {@link Capability#MKNOD}
 	 * allows the container to create special files using the 'mknod' command.
 	 */
-	public StartContainerCmd withCapAdd(String... capAdd);
+	public StartContainerCmd withCapAdd(Capability... capAdd);
 
 	/**
 	 * Drop linux <a
 	 * href="http://man7.org/linux/man-pages/man7/capabilities.7.html">kernel
-	 * capability</a> from the container. For example: dropping capability
-	 * "CHOWN" prevents the container from changing the owner of any files.
+	 * capability</a> from the container. For example: dropping {@link Capability#CHOWN}
+	 * prevents the container from changing the owner of any files.
 	 */
-	public StartContainerCmd withCapDrop(String... capDrop);
+	public StartContainerCmd withCapDrop(Capability... capDrop);
 
 	/**
 	 * @throws NotFoundException
 
@@ -0,0 +1,329 @@
+package com.github.dockerjava.api.model;
+
+/**
+ * The Linux capabilities supported by Docker.
+ * The list of capabilities is defined in Docker's types.go,
+ * {@link #ALL} was added manually.
+ * 
+ * @see <a href="http://man7.org/linux/man-pages/man7/capabilities.7.html">http://man7.org/linux/man-pages/man7/capabilities.7.html</a>
+ */
+public enum Capability {
+	/**
+	 * This meta capability includes all Linux capabilities.
+	 */
+	ALL,
+	/**
+	 * <ul>
+	 *   <li>Enable and disable kernel auditing.
+	 *   <li>Change auditing filter rules.
+	 *   <li>Retrieve auditing status and filtering rules.
+	 * </ul>
+	 */
+	AUDIT_CONTROL,
+	/**
+	 * Write records to kernel auditing log.
+	 */
+	AUDIT_WRITE,
+	/**
+	 * Employ features that can block system suspend.
+	 */
+	BLOCK_SUSPEND,
+	/**
+	 * Make arbitrary changes to file UIDs and GIDs (see chown(2)).
+	 */
+	CHOWN,
+	/**
+	 * Bypass file read, write, and execute permission checks.
+	 * (DAC is an abbreviation of "discretionary access control".)
+	 */
+	DAC_OVERRIDE,
+	/**
+	 * Bypass file read permission checks and directory read and
+	 * execute permission checks.
+	 */
+	DAC_READ_SEARCH,
+	/**
+	 * <ul>
+	 *   <li>Bypass permission checks on operations that normally require
+	 *     the file system UID of the process to match the UID of the file
+	 *     (e.g., chmod(2), utime(2)), excluding those operations covered
+	 *     by the {@link #DAC_OVERRIDE} and{@link #DAC_READ_SEARCH}.
+	 *   <li>Set extended file attributes (see chattr(1)) on arbitrary files.
+	 *   <li>Set Access Control Lists (ACLs) on arbitrary files.
+	 *   <li>Ignore directory sticky bit on file deletion.
+	 *   <li>Specify O_NOATIME for arbitrary files in open(2)and fcntl(2).
+	 * </ul>
+	 */
+	FOWNER,
+	/**
+	 * <ul>
+	 *   <li>Don't clear set-user-ID and set-group-ID permission bits when
+	 *     a file is modified.
+	 *   <li>Set the set-group-ID bit for a file whose GID does not match
+	 *     the file system or any of the supplementary GIDs of the calling
+	 *     process.
+	 * </ul>
+	 */
+	FSETID,
+	/**
+	 * Permit memory locking (mlock(2), mlockall(2), mmap(2), shmctl(2)).
+	 */
+	IPC_LOCK,
+	/**
+	 * Bypass permission checks for operations on System V IPC objects.
+	 */
+	IPC_OWNER,
+	/**
+	 * Bypass permission checks for sending signals (see kill(2)).
+	 * This includes use of the ioctl(2) KDSIGACCEPT operation.
+	 */
+	KILL,
+	/**
+	 * Establish leases on arbitrary files (see fcntl(2)).
+	 */
+	LEASE,
+	/**
+	 * Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1)).
+	 */
+	LINUX_IMMUTABLE,
+	/**
+	 * Override Mandatory Access Control (MAC).
+	 * Implemented for the Smack Linux Security Module (LSM).
+	 */
+	MAC_ADMIN,
+	/**
+	 * Allow MAC configuration or state changes. Implemented for the Smack LSM.
+	 */
+	MAC_OVERRIDE,
+	/**
+	 * Create special files using mknod(2).
+	 */
+	MKNOD,
+	/**
+	 * Perform various network-related operations:
+	 * <ul>
+	 *   <li>Interface configuration.
+	 *   <li>Administration of IP firewall, masquerading, and accounting.
+	 *   <li>Modify routing tables.
+	 *   <li>Bind to any address for transparent proxying.
+	 *   <li>Set type-of-service (TOS).
+	 *   <li>Clear driver statistics.
+	 *   <li>Set promiscuous mode.
+	 *   <li>Enabling multicasting.
+	 *   <li>Use setsockopt(2) to set the following socket options: SO_DEBUG,
+	 *     SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6),
+	 *     SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
+	 * </ul>
+	 */
+	NET_ADMIN,
+	/**
+	 * Bind a socket to Internet domain privileged ports (port numbers less
+	 * than 1024).
+	 */
+	NET_BIND_SERVICE,
+	/**
+	 * (Unused) Make socket broadcasts, and listen to multicasts.
+	 */
+	NET_BROADCAST,
+	/**
+	 * <ul>
+	 *   <li>Use RAW and PACKET sockets.
+	 *   <li>Bind to any address for transparent proxying.
+	 * </ul>
+	 */
+	NET_RAW,
+	/**
+	 * Set file capabilities.
+	 */
+	SETFCAP,
+	/**
+	 * <ul>
+	 *   <li>Make arbitrary manipulations of process GIDs and supplementary
+	 *     GID list.
+	 *   <li>Forge GID when passing socket credentials via UNIX domain
+	 *     sockets.
+	 * </ul>
+	 */
+	SETGID,
+	/**
+	 * If file capabilities are not supported:
+	 * <ul>
+	 *   <li>grant or remove any capability in the caller's permitted
+	 *     capability set to or from any other process. (This property of
+	 *     CAP_SETPCAP is not available when the kernel is configured to
+	 *     support file capabilities, since CAP_SETPCAP has entirely different
+	 *     semantics for such kernels.)
+	 * </ul>
+	 * <p>
+	 * If file capabilities are supported:
+	 * <ul>
+	 *   <li>Add any capability from the calling thread's bounding set to its
+	 *     inheritable set.
+	 *   <li>Drop capabilities from the bounding set (via prctl(2)
+	 *     PR_CAPBSET_DROP).
+	 *   <li>Make changes to the securebits flags.
+	 * </ul>
+	 */
+	SETPCAP,
+	/**
+	 * <ul>
+	 *   <li>Make arbitrary manipulations of process UIDs (setuid(2),
+	 *     setreuid(2), setresuid(2), setfsuid(2)).
+	 *   <li>Make forged UID when passing socket credentials via UNIX domain
+	 *     sockets.
+	 * </ul>
+	 */
+	SETUID,
+	/**
+	 * <ul>
+	 *   <li>Perform a range of system administration operations including:
+	 *     quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2),
+	 *     and setdomainname(2).
+	 *   <li>Perform privileged syslog(2) operations (since Linux 2.6.37,
+	 *     CAP_SYSLOG should be used to permit such operations).
+	 *   <li>Perform VM86_REQUEST_IRQ vm86(2) command.
+	 *   <li>Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects.
+	 *   <li>Perform operations on trusted and security Extended Attributes
+	 *     (see attr(5)).
+	 *   <li>Use lookup_dcookie(2)
+	 *   <li>Use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25)
+	 *     IOPRIO_CLASS_IDLE I/O scheduling classes.
+	 *   <li>Forge UID when passing socket credentials.
+	 *   <li>Exceed /proc/sys/fs/file-max, the system-wide limit on the number of
+	 *     open files, in system calls that open files (e.g., accept(2), execve(2),
+	 *     open(2), pipe(2)).
+	 *   <li>Employ CLONE_* flags that create new namespaces with clone(2) and
+	 *     unshare(2).
+	 *   <li>Call perf_event_open(2).
+	 *   <li>Access privileged perf event information.
+	 *   <li>Call setns(2).
+	 *   <li>Call fanotify_init(2).
+	 *   <li>Perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations.
+	 *   <li>Perform madvise(2) MADV_HWPOISON operation.
+	 *   <li>Employ the TIOCSTI ioctl(2) to insert characters into the input queue
+	 *     of a terminal other than the caller's controlling terminal.
+	 *   <li>Employ the obsolete nfsservctl(2) system call.
+	 *   <li>Employ the obsolete bdflush(2) system call.
+	 *   <li>Perform various privileged block-device ioctl(2) operations.
+	 *   <li>Perform various privileged file-system ioctl(2) operations.
+	 *   <li>Perform administrative operations on many device drivers.
+	 * </ul>
+	 */
+	SYS_ADMIN,
+	/**
+	 * Use reboot(2) and kexec_load(2).
+	 */
+	SYS_BOOT,
+	/**
+	 * Use chroot(2).
+	 */
+	SYS_CHROOT,
+	/**
+	 * <ul>
+	 *   <li>Perform privileged syslog(2) operations. See syslog(2) for information
+	 *     on which operations require privilege.
+	 *   <li>View kernel addresses exposed via /proc and other interfaces when
+	 *     /proc/sys/kernel/kptr_restrict has the value 1. (See the discussion of the
+	 *      kptr_restrict in proc(5).)
+	 * </ul>
+	 */
+	SYSLOG,
+	/**
+	 * <ul>
+	 *   <li>Load and unload kernel modules (see init_module(2) and delete_module(2))
+	 *   <li>In kernels before 2.6.25: drop capabilities from the system-wide
+	 *     capability bounding set.
+	 * </ul>
+	 */
+	SYS_MODULE,
+	/**
+	 * <ul>
+	 *   <li>Raise process nice value (nice(2), setpriority(2)) and change the nice
+	 *     value for arbitrary processes.
+	 *   <li>Set real-time scheduling policies for calling process, and set scheduling
+	 *     policies and priorities for arbitrary processes (sched_setscheduler(2),
+	 *     sched_setparam(2)).
+	 *   <li>Set CPU affinity for arbitrary processes (sched_setaffinity(2)).
+	 *   <li>Set I/O scheduling class and priority for arbitrary processes
+	 *     (ioprio_set(2)).
+	 *   <li>Apply migrate_pages(2) to arbitrary processes and allow processes to be
+	 *     migrated to arbitrary nodes.
+	 *   <li>Apply move_pages(2) to arbitrary processes.
+	 *   <li>Use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).
+	 * </ul>
+	 */
+	SYS_NICE,
+	/**
+	 * Use acct(2).
+	 */
+	SYS_PACCT,
+	/**
+	 * <ul>
+	 *   <li>Trace arbitrary processes using ptrace(2).
+	 *   <li>Apply get_robust_list(2) to arbitrary processes.
+	 *   <li>Inspect processes using kcmp(2).
+	 * </ul>
+	 */
+	SYS_PTRACE,
+	/**
+	 * <ul>
+	 *   <li>Perform I/O port operations (iopl(2) and ioperm(2)).
+	 *   <li>Access /proc/kcore.
+	 *   <li>Employ the FIBMAP ioctl(2) operation.
+	 *   <li>Open devices for accessing x86 model-specific registers (MSRs, see
+	 *     msr(4)).
+	 *   <li>Update /proc/sys/vm/mmap_min_addr.
+	 *   <li>Create memory mappings at addresses below the value specified by
+	 *     /proc/sys/vm/mmap_min_addr.
+	 *   <li>Map files in /proc/pci/bus.
+	 *   <li>Open /dev/mem and /dev/kmem.
+	 *   <li>Perform various SCSI device commands.
+	 *   <li>Perform certain operations on hpsa(4) and cciss(4) devices.
+	 *   <li>Perform a range of device-specific operations on other devices.
+	 * </ul>
+	 */
+	SYS_RAWIO,
+	/**
+	 * <ul>
+	 *   <li>Use reserved space on ext2 file systems.
+	 *   <li>Make ioctl(2) calls controlling ext3 journaling.
+	 *   <li>Override disk quota limits.
+	 *   <li>Increase resource limits (see setrlimit(2)).
+	 *   <li>Override RLIMIT_NPROC resource limit.
+	 *   <li>Override maximum number of consoles on console allocation.
+	 *   <li>Override maximum number of keymaps.
+	 *   <li>Allow more than 64hz interrupts from the real-time clock.
+	 *   <li>Raise msg_qbytes limit for a System V message queue above the limit
+	 *     in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2)).
+	 *   <li>Override the /proc/sys/fs/pipe-size-max limit when setting the capacity
+	 *     of a pipe using the F_SETPIPE_SZ fcntl(2) command.
+	 *   <li>Use F_SETPIPE_SZ to increase the capacity of a pipe above the limit
+	 *     specified by /proc/sys/fs/pipe-max-size.
+	 *   <li>Override /proc/sys/fs/mqueue/queues_max limit when creating POSIX
+	 *     message queues (see mq_overview(7)).
+	 *   <li>Employ prctl(2) PR_SET_MM operation.
+	 *   <li>Set /proc/PID/oom_score_adj to a value lower than the value last set
+	 *     by a process with CAP_SYS_RESOURCE.
+	 * </ul>
+	 */
+	SYS_RESOURCE,
+	/**
+	 * <ul>
+	 *   <li>Set system clock (settimeofday(2), stime(2), adjtimex(2)).
+	 *   <li>Set real-time (hardware) clock.
+	 * </ul>
+	 */
+	SYS_TIME,
+	/**
+	 * <ul>
+	 *   <li>Use vhangup(2).
+	 *   <li>Employ various privileged ioctl(2) operations on virtual terminals.
+	 * </ul>
+	 */
+	SYS_TTY_CONFIG,
+	/**
+	 * Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and
+	 * CLOCK_BOOTTIME_ALARM timers).
+	 */
+	WAKE_ALARM
+}