From 5ad3127f15ba31cec160e587fffd95d0f1b693bd Mon Sep 17 00:00:00 2001
From: zhouhao
Date: Mon, 20 Mar 2017 16:31:46 +0800
Subject: [PATCH] update runtime-spec version

Signed-off-by: zhouhao
---
 Godeps/Godeps.json | 7 +-
 .../runtime-spec/specs-go/config.go | 362 +++--
 .../runtime-spec/specs-go/state.go | 14 +-
 .../runtime-spec/specs-go/version.go | 2 +-
 .../gocapability/capability/capability.go | 20 +-
 .../capability/capability_linux.go | 50 +-
 .../syndtr/gocapability/capability/enum.go | 4 +
 .../gocapability/capability/syscall_linux.go | 9 +
 cmd/oci-runtime-tool/generate.go | 10 +-
 cmd/runtimetest/main.go | 66 +-
 generate/generate.go | 234 ++-
 generate/seccomp/parse_action.go | 18 +-
 generate/seccomp/parse_architecture.go | 2 +-
 generate/seccomp/parse_arguments.go | 12 +-
 generate/seccomp/parse_remove.go | 24 +-
 generate/seccomp/seccomp_default.go | 1443 +++++++++--------
 generate/seccomp/syscall_compare.go | 30 +-
 generate/spec.go | 12 +-
 validate/validate.go | 30 +-
 19 files changed, 1347 insertions(+), 1002 deletions(-)

diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index 6028c3d4a..54c18a2f4 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -1,7 +1,6 @@
 {
 "ImportPath": "github.com/opencontainers/runtime-tools",
 "GoVersion": "go1.4",
- "GodepVersion": "v75",
 "Packages": [
 "./..."
 ],
@@ -34,8 +33,8 @@
 },
 {
 "ImportPath": "github.com/opencontainers/runtime-spec/specs-go",
- "Comment": "v1.0.0-rc1-31-gbb6925e",
- "Rev": "bb6925ea99f0e366a3f7d1c975f6577475ca25f0"
+ "Comment": "v1.0.0-rc5-15-g3ca5c6c",
+ "Rev": "3ca5c6c58e3c60cad562f875abfab09b69deb32d"
 },
 {
 "ImportPath": "github.com/satori/go.uuid",
@@ -44,7 +43,7 @@
 },
 {
 "ImportPath": "github.com/syndtr/gocapability/capability",
- "Rev": "2c00daeb6c3b45114c80ac44119e7b8801fdd852"
+ "Rev": "e7cb7fa329f456b3855136a2642b197bad7366ba"
 },
 {
 "ImportPath": "github.com/urfave/cli",
diff --git a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/config.go b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/config.go
index b2ac75eb4..bd8e96a8a 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -4,33 +4,37 @@ import "os"
 
 // Spec is the base configuration for the container.
 type Spec struct {
- // Version is the version of the specification that is supported.
+ // Version of the Open Container Runtime Specification with which the bundle complies.
 Version string `json:"ociVersion"`
- // Platform is the host information for OS and Arch.
+ // Platform specifies the configuration's target platform.
 Platform Platform `json:"platform"`
- // Process is the container's main process.
+ // Process configures the container process.
 Process Process `json:"process"`
- // Root is the root information for the container's filesystem.
+ // Root configures the container's root filesystem.
 Root Root `json:"root"`
- // Hostname is the container's host name.
+ // Hostname configures the container's hostname.
 Hostname string `json:"hostname,omitempty"`
- // Mounts profile configuration for adding mounts to the container's filesystem.
+ // Mounts configures additional mounts (on top of Root).
 Mounts []Mount `json:"mounts,omitempty"`
- // Hooks are the commands run at various lifecycle events of the container.
- Hooks Hooks `json:"hooks"`
- // Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata.
+ // Hooks configures callbacks for container lifecycle events.
+ Hooks *Hooks `json:"hooks,omitempty"`
+ // Annotations contains arbitrary metadata for the container.
 Annotations map[string]string `json:"annotations,omitempty"`
 // Linux is platform specific configuration for Linux based containers.
 Linux *Linux `json:"linux,omitempty" platform:"linux"`
 // Solaris is platform specific configuration for Solaris containers.
 Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
+ // Windows is platform specific configuration for Windows based containers, including Hyper-V containers.
+ Windows *Windows `json:"windows,omitempty" platform:"windows"`
 }
 
 // Process contains information to start a specific application inside the container.
 type Process struct {
 // Terminal creates an interactive terminal for the container.
 Terminal bool `json:"terminal,omitempty"`
+ // ConsoleSize specifies the size of the console.
+ ConsoleSize Box `json:"consoleSize,omitempty"`
 // User specifies user information for the process.
 User User `json:"user"`
 // Args specifies the binary and arguments for the application to execute.
@@ -40,28 +44,51 @@ type Process struct {
 // Cwd is the current working directory for the process and must be
 // relative to the container's root.
 Cwd string `json:"cwd"`
- // Capabilities are Linux capabilities that are kept for the container.
- Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
+ // Capabilities are Linux capabilities that are kept for the process.
+ Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
 // Rlimits specifies rlimit options to apply to the process.
- Rlimits []Rlimit `json:"rlimits,omitempty"`
+ Rlimits []LinuxRlimit `json:"rlimits,omitempty" platform:"linux"`
 // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
- NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
-
- // ApparmorProfile specifies the apparmor profile for the container. (this field is platform dependent)
+ NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
+ // ApparmorProfile specifies the apparmor profile for the container.
 ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
- // SelinuxLabel specifies the selinux context that the container process is run as. (this field is platform dependent)
+ // SelinuxLabel specifies the selinux context that the container process is run as.
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
 
-// User specifies Linux/Solaris specific user and group information for the container's
-// main process.
+// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
+// http://man7.org/linux/man-pages/man7/capabilities.7.html
+type LinuxCapabilities struct {
+ // Bounding is the set of capabilities checked by the kernel.
+ Bounding []string `json:"bounding,omitempty" platform:"linux"`
+ // Effective is the set of capabilities checked by the kernel.
+ Effective []string `json:"effective,omitempty" platform:"linux"`
+ // Inheritable is the capabilities preserved across execve.
+ Inheritable []string `json:"inheritable,omitempty" platform:"linux"`
+ // Permitted is the limiting superset for effective capabilities.
+ Permitted []string `json:"permitted,omitempty" platform:"linux"`
+ // Ambient is the ambient set of capabilities that are kept.
+ Ambient []string `json:"ambient,omitempty" platform:"linux"`
+}
+
+// Box specifies dimensions of a rectangle. Used for specifying the size of a console.
+type Box struct {
+ // Height is the vertical dimension of a box.
+ Height uint `json:"height"`
+ // Width is the horizontal dimension of a box.
+ Width uint `json:"width"`
+}
+
+// User specifies specific user (and group) information for the container process.
 type User struct {
- // UID is the user id. (this field is platform dependent)
+ // UID is the user id.
 UID uint32 `json:"uid" platform:"linux,solaris"`
- // GID is the group id. (this field is platform dependent)
+ // GID is the group id.
 GID uint32 `json:"gid" platform:"linux,solaris"`
- // AdditionalGids are additional group ids set for the container's process. (this field is platform dependent)
+ // AdditionalGids are additional group ids set for the container's process.
 AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
+ // Username is the user name.
+ Username string `json:"username,omitempty" platform:"windows"`
 }
 
 // Root contains information about the container's root filesystem on the host.
@@ -86,10 +113,10 @@ type Mount struct {
 // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
 Destination string `json:"destination"`
 // Type specifies the mount kind.
- Type string `json:"type"`
+ Type string `json:"type,omitempty"`
 // Source specifies the source path of the mount. In the case of bind mounts on
 // Linux based systems this would be the file on the host.
- Source string `json:"source"`
+ Source string `json:"source,omitempty"`
 // Options are fstab style mount options.
 Options []string `json:"options,omitempty"`
 }
@@ -116,24 +143,24 @@ type Hooks struct {
 // Linux contains platform specific configuration for Linux based containers.
 type Linux struct {
 // UIDMapping specifies user mappings for supporting user namespaces on Linux.
- UIDMappings []IDMapping `json:"uidMappings,omitempty"`
+ UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty"`
 // GIDMapping specifies group mappings for supporting user namespaces on Linux.
- GIDMappings []IDMapping `json:"gidMappings,omitempty"`
+ GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty"`
 // Sysctl are a set of key value pairs that are set for the container on start
 Sysctl map[string]string `json:"sysctl,omitempty"`
 // Resources contain cgroup information for handling resource constraints
 // for the container
- Resources *Resources `json:"resources,omitempty"`
+ Resources *LinuxResources `json:"resources,omitempty"`
 // CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
 // The path is expected to be relative to the cgroups mountpoint.
 // If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
- CgroupsPath *string `json:"cgroupsPath,omitempty"`
+ CgroupsPath string `json:"cgroupsPath,omitempty"`
 // Namespaces contains the namespaces that are created and/or joined by the container
- Namespaces []Namespace `json:"namespaces,omitempty"`
+ Namespaces []LinuxNamespace `json:"namespaces,omitempty"`
 // Devices are a list of device nodes that are created for the container
- Devices []Device `json:"devices,omitempty"`
+ Devices []LinuxDevice `json:"devices,omitempty"`
 // Seccomp specifies the seccomp security settings for the container.
- Seccomp *Seccomp `json:"seccomp,omitempty"`
+ Seccomp *LinuxSeccomp `json:"seccomp,omitempty"`
 // RootfsPropagation is the rootfs mount propagation mode for the container.
 RootfsPropagation string `json:"rootfsPropagation,omitempty"`
 // MaskedPaths masks over the provided paths inside the container.
@@ -144,21 +171,21 @@ type Linux struct {
 MountLabel string `json:"mountLabel,omitempty"`
 }
 
-// Namespace is the configuration for a Linux namespace
-type Namespace struct {
+// LinuxNamespace is the configuration for a Linux namespace
+type LinuxNamespace struct {
 // Type is the type of Linux namespace
- Type NamespaceType `json:"type"`
+ Type LinuxNamespaceType `json:"type"`
 // Path is a path to an existing namespace persisted on disk that can be joined
 // and is of the same type
 Path string `json:"path,omitempty"`
 }
 
-// NamespaceType is one of the Linux namespaces
-type NamespaceType string
+// LinuxNamespaceType is one of the Linux namespaces
+type LinuxNamespaceType string
 
 const (
 // PIDNamespace for isolating process IDs
- PIDNamespace NamespaceType = "pid"
+ PIDNamespace LinuxNamespaceType = "pid"
 // NetworkNamespace for isolating network devices, stacks, ports, etc
 NetworkNamespace = "network"
 // MountNamespace for isolating mount points
@@ -173,18 +200,18 @@ const (
 CgroupNamespace = "cgroup"
 )
 
-// IDMapping specifies UID/GID mappings
-type IDMapping struct {
- // HostID is the UID/GID of the host user or group
+// LinuxIDMapping specifies UID/GID mappings
+type LinuxIDMapping struct {
+ // HostID is the starting UID/GID on the host to be mapped to 'ContainerID'
 HostID uint32 `json:"hostID"`
- // ContainerID is the UID/GID of the container's user or group
+ // ContainerID is the starting UID/GID in the container
 ContainerID uint32 `json:"containerID"`
- // Size is the length of the range of IDs mapped between the two namespaces
+ // Size is the number of IDs to be mapped
 Size uint32 `json:"size"`
 }
 
-// Rlimit type and restrictions
-type Rlimit struct {
+// LinuxRlimit type and restrictions
+type LinuxRlimit struct {
 // Type of the rlimit to set
 Type string `json:"type"`
 // Hard is the hard limit for the specified type
@@ -193,66 +220,66 @@ type Rlimit struct {
 Soft uint64 `json:"soft"`
 }
 
-// HugepageLimit structure corresponds to limiting kernel hugepages
-type HugepageLimit struct {
+// LinuxHugepageLimit structure corresponds to limiting kernel hugepages
+type LinuxHugepageLimit struct {
 // Pagesize is the hugepage size
- Pagesize *string `json:"pageSize,omitempty"`
+ Pagesize string `json:"pageSize"`
 // Limit is the limit of "hugepagesize" hugetlb usage
- Limit *uint64 `json:"limit,omitempty"`
+ Limit uint64 `json:"limit"`
 }
 
-// InterfacePriority for network interfaces
-type InterfacePriority struct {
+// LinuxInterfacePriority for network interfaces
+type LinuxInterfacePriority struct {
 // Name is the name of the network interface
 Name string `json:"name"`
 // Priority for the interface
 Priority uint32 `json:"priority"`
 }
 
-// blockIODevice holds major:minor format supported in blkio cgroup
-type blockIODevice struct {
+// linuxBlockIODevice holds major:minor format supported in blkio cgroup
+type linuxBlockIODevice struct {
 // Major is the device's major number.
 Major int64 `json:"major"`
 // Minor is the device's minor number.
 Minor int64 `json:"minor"`
 }
 
-// WeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice
-type WeightDevice struct {
- blockIODevice
+// LinuxWeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice
+type LinuxWeightDevice struct {
+ linuxBlockIODevice
 // Weight is the bandwidth rate for the device, range is from 10 to 1000
 Weight *uint16 `json:"weight,omitempty"`
 // LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
 LeafWeight *uint16 `json:"leafWeight,omitempty"`
 }
 
-// ThrottleDevice struct holds a `major:minor rate_per_second` pair
-type ThrottleDevice struct {
- blockIODevice
+// LinuxThrottleDevice struct holds a `major:minor rate_per_second` pair
+type LinuxThrottleDevice struct {
+ linuxBlockIODevice
 // Rate is the IO rate limit per cgroup per device
- Rate *uint64 `json:"rate,omitempty"`
+ Rate uint64 `json:"rate"`
 }
 
-// BlockIO for Linux cgroup 'blkio' resource management
-type BlockIO struct {
+// LinuxBlockIO for Linux cgroup 'blkio' resource management
+type LinuxBlockIO struct {
 // Specifies per cgroup weight, range is from 10 to 1000
 Weight *uint16 `json:"blkioWeight,omitempty"`
 // Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
 LeafWeight *uint16 `json:"blkioLeafWeight,omitempty"`
 // Weight per cgroup per device, can override BlkioWeight
- WeightDevice []WeightDevice `json:"blkioWeightDevice,omitempty"`
+ WeightDevice []LinuxWeightDevice `json:"blkioWeightDevice,omitempty"`
 // IO read rate limit per cgroup per device, bytes per second
- ThrottleReadBpsDevice []ThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`
+ ThrottleReadBpsDevice []LinuxThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`
 // IO write rate limit per cgroup per device, bytes per second
- ThrottleWriteBpsDevice []ThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`
+ ThrottleWriteBpsDevice []LinuxThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`
 // IO read rate limit per cgroup per device, IO per second
- ThrottleReadIOPSDevice []ThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`
+ ThrottleReadIOPSDevice []LinuxThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`
 // IO write rate limit per cgroup per device, IO per second
- ThrottleWriteIOPSDevice []ThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`
+ ThrottleWriteIOPSDevice []LinuxThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`
 }
 
-// Memory for Linux cgroup 'memory' resource management
-type Memory struct {
+// LinuxMemory for Linux cgroup 'memory' resource management
+type LinuxMemory struct {
 // Memory limit (in bytes).
 Limit *uint64 `json:"limit,omitempty"`
 // Memory reservation or soft_limit (in bytes).
@@ -262,67 +289,67 @@ type Memory struct {
 // Kernel memory limit (in bytes).
 Kernel *uint64 `json:"kernel,omitempty"`
 // Kernel memory limit for tcp (in bytes)
- KernelTCP *uint64 `json:"kernelTCP"`
+ KernelTCP *uint64 `json:"kernelTCP,omitempty"`
 // How aggressive the kernel will swap memory pages. Range from 0 to 100.
 Swappiness *uint64 `json:"swappiness,omitempty"`
 }
 
-// CPU for Linux cgroup 'cpu' resource management
-type CPU struct {
+// LinuxCPU for Linux cgroup 'cpu' resource management
+type LinuxCPU struct {
 // CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
 Shares *uint64 `json:"shares,omitempty"`
 // CPU hardcap limit (in usecs). Allowed cpu time in a given period.
- Quota *uint64 `json:"quota,omitempty"`
+ Quota *int64 `json:"quota,omitempty"`
 // CPU period to be used for hardcapping (in usecs).
 Period *uint64 `json:"period,omitempty"`
 // How much time realtime scheduling may use (in usecs).
- RealtimeRuntime *uint64 `json:"realtimeRuntime,omitempty"`
+ RealtimeRuntime *int64 `json:"realtimeRuntime,omitempty"`
 // CPU period to be used for realtime scheduling (in usecs).
 RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
 // CPUs to use within the cpuset. Default is to use any CPU available.
- Cpus *string `json:"cpus,omitempty"`
+ Cpus string `json:"cpus,omitempty"`
 // List of memory nodes in the cpuset. Default is to use any available memory node.
- Mems *string `json:"mems,omitempty"`
+ Mems string `json:"mems,omitempty"`
 }
 
-// Pids for Linux cgroup 'pids' resource management (Linux 4.3)
-type Pids struct {
+// LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
+type LinuxPids struct {
 // Maximum number of PIDs. Default is "no limit".
- Limit *int64 `json:"limit,omitempty"`
+ Limit int64 `json:"limit"`
 }
 
-// Network identification and priority configuration
-type Network struct {
+// LinuxNetwork identification and priority configuration
+type LinuxNetwork struct {
 // Set class identifier for container's network packets
- ClassID *uint32 `json:"classID"`
+ ClassID *uint32 `json:"classID,omitempty"`
 // Set priority of network traffic for container
- Priorities []InterfacePriority `json:"priorities,omitempty"`
+ Priorities []LinuxInterfacePriority `json:"priorities,omitempty"`
 }
 
-// Resources has container runtime resource constraints
-type Resources struct {
- // Devices are a list of device rules for the whitelist controller
- Devices []DeviceCgroup `json:"devices"`
+// LinuxResources has container runtime resource constraints
+type LinuxResources struct {
+ // Devices configures the device whitelist.
+ Devices []LinuxDeviceCgroup `json:"devices,omitempty"`
 // DisableOOMKiller disables the OOM killer for out of memory conditions
 DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
 // Specify an oom_score_adj for the container.
 OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
 // Memory restriction configuration
- Memory *Memory `json:"memory,omitempty"`
+ Memory *LinuxMemory `json:"memory,omitempty"`
 // CPU resource restriction configuration
- CPU *CPU `json:"cpu,omitempty"`
+ CPU *LinuxCPU `json:"cpu,omitempty"`
 // Task resource restriction configuration.
- Pids *Pids `json:"pids,omitempty"`
+ Pids *LinuxPids `json:"pids,omitempty"`
 // BlockIO restriction configuration
- BlockIO *BlockIO `json:"blockIO,omitempty"`
+ BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
 // Hugetlb limit (in bytes)
- HugepageLimits []HugepageLimit `json:"hugepageLimits,omitempty"`
+ HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"`
 // Network restriction configuration
- Network *Network `json:"network,omitempty"`
+ Network *LinuxNetwork `json:"network,omitempty"`
 }
 
-// Device represents the mknod information for a Linux special device file
-type Device struct {
+// LinuxDevice represents the mknod information for a Linux special device file
+type LinuxDevice struct {
 // Path to the device.
 Path string `json:"path"`
 // Device type, block, char, etc.
@@ -339,25 +366,18 @@ type Device struct {
 GID *uint32 `json:"gid,omitempty"`
 }
 
-// DeviceCgroup represents a device rule for the whitelist controller
-type DeviceCgroup struct {
+// LinuxDeviceCgroup represents a device rule for the whitelist controller
+type LinuxDeviceCgroup struct {
 // Allow or deny
 Allow bool `json:"allow"`
 // Device type, block, char, etc.
- Type *string `json:"type,omitempty"`
+ Type string `json:"type,omitempty"`
 // Major is the device's major number.
 Major *int64 `json:"major,omitempty"`
 // Minor is the device's minor number.
 Minor *int64 `json:"minor,omitempty"`
 // Cgroup access permissions format, rwm.
- Access *string `json:"access,omitempty"`
-}
-
-// Seccomp represents syscall restrictions
-type Seccomp struct {
- DefaultAction Action `json:"defaultAction"`
- Architectures []Arch `json:"architectures"`
- Syscalls []Syscall `json:"syscalls,omitempty"`
+ Access string `json:"access,omitempty"`
 }
 
 // Solaris contains platform specific configuration for Solaris application containers.
@@ -369,26 +389,26 @@ type Solaris struct {
 // The maximum amount of shared memory allowed for this container.
 MaxShmMemory string `json:"maxShmMemory,omitempty"`
 // Specification for automatic creation of network resources for this container.
- Anet []Anet `json:"anet,omitempty"`
+ Anet []SolarisAnet `json:"anet,omitempty"`
 // Set limit on the amount of CPU time that can be used by container.
- CappedCPU *CappedCPU `json:"cappedCPU,omitempty"`
+ CappedCPU *SolarisCappedCPU `json:"cappedCPU,omitempty"`
 // The physical and swap caps on the memory that can be used by this container.
- CappedMemory *CappedMemory `json:"cappedMemory,omitempty"`
+ CappedMemory *SolarisCappedMemory `json:"cappedMemory,omitempty"`
 }
 
-// CappedCPU allows users to set limit on the amount of CPU time that can be used by container.
-type CappedCPU struct {
+// SolarisCappedCPU allows users to set limit on the amount of CPU time that can be used by container.
+type SolarisCappedCPU struct {
 Ncpus string `json:"ncpus,omitempty"`
 }
 
-// CappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
-type CappedMemory struct {
+// SolarisCappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
+type SolarisCappedMemory struct {
 Physical string `json:"physical,omitempty"`
 Swap string `json:"swap,omitempty"`
 }
 
-// Anet provides the specification for automatic creation of network resources for this container.
-type Anet struct {
+// SolarisAnet provides the specification for automatic creation of network resources for this container.
+type SolarisAnet struct {
 // Specify a name for the automatically created VNIC datalink.
 Linkname string `json:"linkname,omitempty"`
 // Specify the link over which the VNIC will be created.
@@ -405,6 +425,65 @@ type Anet struct {
 Macaddress string `json:"macAddress,omitempty"`
 }
 
+// Windows defines the runtime configuration for Windows based containers, including Hyper-V containers.
+type Windows struct {
+ // Resources contains information for handling resource constraints for the container.
+ Resources *WindowsResources `json:"resources,omitempty"`
+}
+
+// WindowsResources has container runtime resource constraints for containers running on Windows.
+type WindowsResources struct {
+ // Memory restriction configuration.
+ Memory *WindowsMemoryResources `json:"memory,omitempty"`
+ // CPU resource restriction configuration.
+ CPU *WindowsCPUResources `json:"cpu,omitempty"`
+ // Storage restriction configuration.
+ Storage *WindowsStorageResources `json:"storage,omitempty"`
+ // Network restriction configuration.
+ Network *WindowsNetworkResources `json:"network,omitempty"`
+}
+
+// WindowsMemoryResources contains memory resource management settings.
+type WindowsMemoryResources struct {
+ // Memory limit in bytes.
+ Limit *uint64 `json:"limit,omitempty"`
+ // Memory reservation in bytes.
+ Reservation *uint64 `json:"reservation,omitempty"`
+}
+
+// WindowsCPUResources contains CPU resource management settings.
+type WindowsCPUResources struct {
+ // Number of CPUs available to the container.
+ Count *uint64 `json:"count,omitempty"`
+ // CPU shares (relative weight to other containers with cpu shares). Range is from 1 to 10000.
+ Shares *uint16 `json:"shares,omitempty"`
+ // Percent of available CPUs usable by the container.
+ Percent *uint8 `json:"percent,omitempty"`
+}
+
+// WindowsStorageResources contains storage resource management settings.
+type WindowsStorageResources struct {
+ // Specifies maximum Iops for the system drive.
+ Iops *uint64 `json:"iops,omitempty"`
+ // Specifies maximum bytes per second for the system drive.
+ Bps *uint64 `json:"bps,omitempty"`
+ // Sandbox size specifies the minimum size of the system drive in bytes.
+ SandboxSize *uint64 `json:"sandboxSize,omitempty"`
+}
+
+// WindowsNetworkResources contains network resource management settings.
+type WindowsNetworkResources struct {
+ // EgressBandwidth is the maximum egress bandwidth in bytes per second.
+ EgressBandwidth *uint64 `json:"egressBandwidth,omitempty"`
+}
+
+// LinuxSeccomp represents syscall restrictions
+type LinuxSeccomp struct {
+ DefaultAction LinuxSeccompAction `json:"defaultAction"`
+ Architectures []Arch `json:"architectures,omitempty"`
+ Syscalls []LinuxSyscall `json:"syscalls"`
+}
+
 // Arch used for additional architectures
 type Arch string
 
@@ -427,45 +506,48 @@ const (
 ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE"
 ArchS390 Arch = "SCMP_ARCH_S390"
 ArchS390X Arch = "SCMP_ARCH_S390X"
+ ArchPARISC Arch = "SCMP_ARCH_PARISC"
+ ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
 )
 
-// Action taken upon Seccomp rule match
-type Action string
+// LinuxSeccompAction taken upon Seccomp rule match
+type LinuxSeccompAction string
 
 // Define actions for Seccomp rules
 const (
- ActKill Action = "SCMP_ACT_KILL"
- ActTrap Action = "SCMP_ACT_TRAP"
- ActErrno Action = "SCMP_ACT_ERRNO"
- ActTrace Action = "SCMP_ACT_TRACE"
- ActAllow Action = "SCMP_ACT_ALLOW"
+ ActKill LinuxSeccompAction = "SCMP_ACT_KILL"
+ ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP"
+ ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
+ ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
+ ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
 )
 
-// Operator used to match syscall arguments in Seccomp
-type Operator string
+// LinuxSeccompOperator used to match syscall arguments in Seccomp
+type LinuxSeccompOperator string
 
 // Define operators for syscall arguments in Seccomp
 const (
- OpNotEqual Operator = "SCMP_CMP_NE"
- OpLessThan Operator = "SCMP_CMP_LT"
- OpLessEqual Operator = "SCMP_CMP_LE"
- OpEqualTo Operator = "SCMP_CMP_EQ"
- OpGreaterEqual Operator = "SCMP_CMP_GE"
- OpGreaterThan Operator = "SCMP_CMP_GT"
- OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
+ OpNotEqual LinuxSeccompOperator = "SCMP_CMP_NE"
+ OpLessThan LinuxSeccompOperator = "SCMP_CMP_LT"
+ OpLessEqual LinuxSeccompOperator = "SCMP_CMP_LE"
+ OpEqualTo LinuxSeccompOperator = "SCMP_CMP_EQ"
+ OpGreaterEqual LinuxSeccompOperator = "SCMP_CMP_GE"
+ OpGreaterThan LinuxSeccompOperator = "SCMP_CMP_GT"
+ OpMaskedEqual LinuxSeccompOperator = "SCMP_CMP_MASKED_EQ"
 )
 
-// Arg used for matching specific syscall arguments in Seccomp
-type Arg struct {
- Index uint `json:"index"`
- Value uint64 `json:"value"`
- ValueTwo uint64 `json:"valueTwo"`
- Op Operator `json:"op"`
+// LinuxSeccompArg used for matching specific syscall arguments in Seccomp
+type LinuxSeccompArg struct {
+ Index uint `json:"index"`
+ Value uint64 `json:"value"`
+ ValueTwo uint64 `json:"valueTwo"`
+ Op LinuxSeccompOperator `json:"op"`
 }
 
-// Syscall is used to match a syscall in Seccomp
-type Syscall struct {
- Name string `json:"name"`
- Action Action `json:"action"`
- Args []Arg `json:"args,omitempty"`
+// LinuxSyscall is used to match a syscall in Seccomp
+type LinuxSyscall struct {
+ Names []string `json:"names"`
+ Action LinuxSeccompAction `json:"action"`
+ Args []LinuxSeccompArg `json:"args"`
+ Comment string `json:"comment"`
 }
diff --git a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/state.go b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/state.go
index 445f8c5c0..b5dd3bee8 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/state.go
+++ b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/state.go
@@ -3,15 +3,15 @@ package specs
 // State holds information about the runtime state of the container.
 type State struct {
 // Version is the version of the specification that is supported.
- Version string `json:"version"`
+ Version string `json:"ociVersion"`
 // ID is the container ID
 ID string `json:"id"`
- // Status is the runtime state of the container.
+ // Status is the runtime status of the container.
 Status string `json:"status"`
- // Pid is the process id for the container's main process.
+ // Pid is the process ID for the container process.
 Pid int `json:"pid"`
- // BundlePath is the path to the container's bundle directory.
- BundlePath string `json:"bundlePath"`
- // Annotations are the annotations associated with the container.
- Annotations map[string]string `json:"annotations"`
+ // Bundle is the path to the container's bundle directory.
+ Bundle string `json:"bundle"`
+ // Annotations are key values associated with the container.
+ Annotations map[string]string `json:"annotations,omitempty"`
 }
diff --git a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/version.go b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/version.go
index 2db1b8018..dfcf0090e 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/Godeps/_workspace/src/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -11,7 +11,7 @@ const (
 VersionPatch = 0
 
 // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-rc1-dev"
+ VersionDev = "-rc5-dev"
 )
 
 // Version is the specification version that the package types support.
diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
index c13f4e52a..c07c55794 100644
--- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
+++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
@@ -10,42 +10,42 @@ package capability type Capabilities interface { // Get check whether a capability present in the given // capabilities set. The 'which' value should be one of EFFECTIVE, - // PERMITTED, INHERITABLE or BOUNDING. + // PERMITTED, INHERITABLE, BOUNDING or AMBIENT. Get(which CapType, what Cap) bool // Empty check whether all capability bits of the given capabilities // set are zero. The 'which' value should be one of EFFECTIVE, - // PERMITTED, INHERITABLE or BOUNDING. + // PERMITTED, INHERITABLE, BOUNDING or AMBIENT. Empty(which CapType) bool // Full check whether all capability bits of the given capabilities // set are one. The 'which' value should be one of EFFECTIVE, - // PERMITTED, INHERITABLE or BOUNDING. + // PERMITTED, INHERITABLE, BOUNDING or AMBIENT. Full(which CapType) bool // Set sets capabilities of the given capabilities sets. The // 'which' value should be one or combination (OR'ed) of EFFECTIVE, - // PERMITTED, INHERITABLE or BOUNDING. + // PERMITTED, INHERITABLE, BOUNDING or AMBIENT. Set(which CapType, caps ...Cap) // Unset unsets capabilities of the given capabilities sets. The // 'which' value should be one or combination (OR'ed) of EFFECTIVE, - // PERMITTED, INHERITABLE or BOUNDING. + // PERMITTED, INHERITABLE, BOUNDING or AMBIENT. Unset(which CapType, caps ...Cap) // Fill sets all bits of the given capabilities kind to one. The - // 'kind' value should be one or combination (OR'ed) of CAPS or - // BOUNDS. + // 'kind' value should be one or combination (OR'ed) of CAPS, + // BOUNDS or AMBS. Fill(kind CapType) // Clear sets all bits of the given capabilities kind to zero. The - // 'kind' value should be one or combination (OR'ed) of CAPS or - // BOUNDS. + // 'kind' value should be one or combination (OR'ed) of CAPS, + // BOUNDS or AMBS. Clear(kind CapType) // String return current capabilities state of the given capabilities // set as string. The 'which' value should be one of EFFECTIVE, - // PERMITTED, INHERITABLE or BOUNDING. 
+ // PERMITTED, INHERITABLE BOUNDING or AMBIENT StringCap(which CapType) string // String return current capabilities state as string. diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go index 3dfcd398d..6d2135ac5 100644 --- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go +++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go @@ -235,9 +235,10 @@ func (c *capsV1) Apply(kind CapType) error { } type capsV3 struct { - hdr capHeader - data [2]capData - bounds [2]uint32 + hdr capHeader + data [2]capData + bounds [2]uint32 + ambient [2]uint32 } func (c *capsV3) Get(which CapType, what Cap) bool { @@ -256,6 +257,8 @@ func (c *capsV3) Get(which CapType, what Cap) bool { return (1< version of it -func parseAction(action string) (rspec.Action, error) { +func parseAction(action string) (rspec.LinuxSeccompAction, error) { a, ok := actions[action] if !ok { return "", fmt.Errorf("unrecognized action: %s", action) @@ -86,7 +86,7 @@ func parseAction(action string) (rspec.Action, error) { // ParseDefaultAction sets the default action of the seccomp configuration // and then removes any rules that were already specified with this action -func ParseDefaultAction(action string, config *rspec.Seccomp) error { +func ParseDefaultAction(action string, config *rspec.LinuxSeccomp) error { if action == "" { return nil } @@ -104,7 +104,7 @@ func ParseDefaultAction(action string, config *rspec.Seccomp) error { } // ParseDefaultActionForce simply sets the default action of the seccomp configuration -func ParseDefaultActionForce(action string, config *rspec.Seccomp) error { +func ParseDefaultActionForce(action string, config *rspec.LinuxSeccomp) error { if action == "" { return nil } 
@@ -117,9 +117,9 @@ func ParseDefaultActionForce(action string, config *rspec.Seccomp) error { return nil } -func newSyscallStruct(name string, action rspec.Action, args []rspec.Arg) rspec.Syscall { - syscallStruct := rspec.Syscall{ - Name: name, +func newSyscallStruct(name string, action rspec.LinuxSeccompAction, args []rspec.LinuxSeccompArg) rspec.LinuxSyscall { + syscallStruct := rspec.LinuxSyscall{ + Names: []string{name}, Action: action, Args: args, } diff --git a/generate/seccomp/parse_architecture.go b/generate/seccomp/parse_architecture.go index 9d45fabc6..fc482445e 100644 --- a/generate/seccomp/parse_architecture.go +++ b/generate/seccomp/parse_architecture.go @@ -8,7 +8,7 @@ import ( // ParseArchitectureFlag takes the raw string passed with the --arch flag, parses it // and updates the Seccomp config accordingly -func ParseArchitectureFlag(architectureArg string, config *rspec.Seccomp) error { +func ParseArchitectureFlag(architectureArg string, config *rspec.LinuxSeccomp) error { correctedArch, err := parseArch(architectureArg) if err != nil { return err diff --git a/generate/seccomp/parse_arguments.go b/generate/seccomp/parse_arguments.go index 72f0b13d8..2b4c394e6 100644 --- a/generate/seccomp/parse_arguments.go +++ b/generate/seccomp/parse_arguments.go @@ -9,8 +9,8 @@ import ( // parseArguments takes a list of arguments (delimArgs). It parses and fills out // the argument information and returns a slice of arg structs -func parseArguments(delimArgs []string) ([]rspec.Arg, error) { - nilArgSlice := []rspec.Arg{} +func parseArguments(delimArgs []string) ([]rspec.LinuxSeccompArg, error) { + nilArgSlice := []rspec.LinuxSeccompArg{} numberOfArgs := len(delimArgs) // No parameters passed with syscall 
@@ -40,14 +40,14 @@ func parseArguments(delimArgs []string) ([]rspec.Arg, error) { return nilArgSlice, err } - argStruct := rspec.Arg{ + argStruct := rspec.LinuxSeccompArg{ Index: uint(syscallIndex), Value: syscallValue, ValueTwo: syscallValueTwo, Op: syscallOp, } - argSlice := []rspec.Arg{} + argSlice := []rspec.LinuxSeccompArg{} argSlice = append(argSlice, argStruct) return argSlice, nil } @@ -55,8 +55,8 @@ func parseArguments(delimArgs []string) ([]rspec.Arg, error) { return nilArgSlice, fmt.Errorf("incorrect number of arguments passed with syscall: %d", numberOfArgs) } -func parseOperator(operator string) (rspec.Operator, error) { - operators := map[string]rspec.Operator{ +func parseOperator(operator string) (rspec.LinuxSeccompOperator, error) { + operators := map[string]rspec.LinuxSeccompOperator{ "NE": rspec.OpNotEqual, "LT": rspec.OpLessThan, "LE": rspec.OpLessEqual, diff --git a/generate/seccomp/parse_remove.go b/generate/seccomp/parse_remove.go index ce68e66d0..ef5870e9d 100644 --- a/generate/seccomp/parse_remove.go +++ b/generate/seccomp/parse_remove.go @@ -10,7 +10,7 @@ import ( // RemoveAction takes the argument string that was passed with the --remove flag, // parses it, and updates the Seccomp config accordingly -func RemoveAction(arguments string, config *rspec.Seccomp) error { +func RemoveAction(arguments string, config *rspec.LinuxSeccomp) error { if config == nil { return fmt.Errorf("Cannot remove action from nil Seccomp pointer") } 
@@ -22,28 +22,27 @@ func RemoveAction(arguments string, config *rspec.Seccomp) error { syscallsToRemove = append(syscallsToRemove, arguments) } - for _, syscall := range syscallsToRemove { - for counter, syscallStruct := range config.Syscalls { - if syscallStruct.Name == syscall { - config.Syscalls = append(config.Syscalls[:counter], config.Syscalls[counter+1:]...) - } + for counter, syscallStruct := range config.Syscalls { + if reflect.DeepEqual(syscallsToRemove, syscallStruct.Names) { + config.Syscalls = append(config.Syscalls[:counter], config.Syscalls[counter+1:]...) } } + return nil } // RemoveAllSeccompRules removes all seccomp syscall rules -func RemoveAllSeccompRules(config *rspec.Seccomp) error { +func RemoveAllSeccompRules(config *rspec.LinuxSeccomp) error { if config == nil { return fmt.Errorf("Cannot remove action from nil Seccomp pointer") } - newSyscallSlice := []rspec.Syscall{} + newSyscallSlice := []rspec.LinuxSyscall{} config.Syscalls = newSyscallSlice return nil } // RemoveAllMatchingRules will remove any syscall rules that match the specified action -func RemoveAllMatchingRules(config *rspec.Seccomp, action string) error { +func RemoveAllMatchingRules(config *rspec.LinuxSeccomp, action string) error { if config == nil { return fmt.Errorf("Cannot remove action from nil Seccomp pointer") } @@ -53,16 +52,11 @@ func RemoveAllMatchingRules(config *rspec.Seccomp, action string) error { return err } - syscallsToRemove := []string{} for _, syscall := range config.Syscalls { if reflect.DeepEqual(syscall.Action, seccompAction) { - syscallsToRemove = append(syscallsToRemove, syscall.Name) + RemoveAction(strings.Join(syscall.Names, ","), config) } } - for i := range syscallsToRemove { - RemoveAction(syscallsToRemove[i], config) - } - return nil } diff --git a/generate/seccomp/seccomp_default.go b/generate/seccomp/seccomp_default.go index 2e1d46870..28140cbfc 100644 --- a/generate/seccomp/seccomp_default.go +++ b/generate/seccomp/seccomp_default.go 
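Review bot: The rewritten RemoveAction loop still deletes from config.Syscalls while ranging over it, so after a match the element shifted into position counter is never examined and the final iteration re-reads the stale last entry through the original slice header; a second rule with identical Names can be missed, and if that stale entry matches, `config.Syscalls[counter+1:]` reaches past the shortened length and panics. The removed code had the same splice-in-place pattern, but this rewrite is the place to fix it by filtering into a fresh slice. Note also that comparing the whole list with reflect.DeepEqual changes the flag's meaning: `--remove=a,b` now only drops a rule whose Names is exactly ["a","b"] in that order, and a single name no longer touches a grouped rule — if that is intended it should be stated in the RemoveAction doc comment, which sits above this hunk along with the function's opening lines.

```go
	// Keep every rule whose names list is not the one being removed; a fresh
	// slice avoids mutating the array we are iterating.
	kept := make([]rspec.LinuxSyscall, 0, len(config.Syscalls))
	for _, rule := range config.Syscalls {
		if !reflect.DeepEqual(syscallsToRemove, rule.Names) {
			kept = append(kept, rule)
		}
	}
	config.Syscalls = kept
	return nil
```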
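Review bot: RemoveAllMatchingRules now calls RemoveAction from inside `for _, syscall := range config.Syscalls`, so RemoveAction's splice rewrites the backing array of the slice being iterated; the deleted two-pass version collected names first precisely to avoid that, and this hunk drops it. The error RemoveAction returns is also discarded, and the `strings.Join(syscall.Names, ",")` round trip only works if RemoveAction splits on the same separator (that split is above the visible hunk). Filtering by action directly removes both problems and also stops a same-named rule with a different action being removed as collateral; seccompAction appears to be the LinuxSeccompAction string returned by parseAction, so `!=` should suffice where the hunk used reflect.DeepEqual.

```go
	// Drop every rule carrying the requested action in one pass; no RemoveAction round trip.
	kept := make([]rspec.LinuxSyscall, 0, len(config.Syscalls))
	for _, rule := range config.Syscalls {
		if rule.Action != seccompAction {
			kept = append(kept, rule)
		}
	}
	config.Syscalls = kept
	return nil
```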
@@ -32,829 +32,829 @@ func arches() []rspec.Arch { } // DefaultProfile defines the whitelist for the default seccomp profile. -func DefaultProfile(rs *specs.Spec) *rspec.Seccomp { +func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp { - syscalls := []rspec.Syscall{ + syscalls := []rspec.LinuxSyscall{ { - Name: "accept", + Names: []string{"accept"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "accept4", + Names: []string{"accept4"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "access", + Names: []string{"access"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "alarm", + Names: []string{"alarm"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "bind", + Names: []string{"bind"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "brk", + Names: []string{"brk"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "capget", + Names: []string{"capget"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "capset", + Names: []string{"capset"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "chdir", + Names: []string{"chdir"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "chmod", + Names: []string{"chmod"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "chown", + Names: []string{"chown"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "chown32", + Names: []string{"chown32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "clock_getres", + Names: []string{"clock_getres"}, Action: rspec.ActAllow, - Args: 
[]rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "clock_gettime", + Names: []string{"clock_gettime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "clock_nanosleep", + Names: []string{"clock_nanosleep"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "close", + Names: []string{"close"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "connect", + Names: []string{"connect"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "copy_file_range", + Names: []string{"copy_file_range"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "creat", + Names: []string{"creat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "dup", + Names: []string{"dup"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "dup2", + Names: []string{"dup2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "dup3", + Names: []string{"dup3"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "epoll_create", + Names: []string{"epoll_create"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "epoll_create1", + Names: []string{"epoll_create1"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "epoll_ctl", + Names: []string{"epoll_ctl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "epoll_ctl_old", + Names: []string{"epoll_ctl_old"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "epoll_pwait", + Names: []string{"epoll_pwait"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: 
[]rspec.LinuxSeccompArg{}, }, { - Name: "epoll_wait", + Names: []string{"epoll_wait"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "epoll_wait_old", + Names: []string{"epoll_wait_old"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "eventfd", + Names: []string{"eventfd"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "eventfd2", + Names: []string{"eventfd2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "execve", + Names: []string{"execve"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "execveat", + Names: []string{"execveat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "exit", + Names: []string{"exit"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "exit_group", + Names: []string{"exit_group"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "faccessat", + Names: []string{"faccessat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fadvise64", + Names: []string{"fadvise64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fadvise64_64", + Names: []string{"fadvise64_64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fallocate", + Names: []string{"fallocate"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fanotify_mark", + Names: []string{"fanotify_mark"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fchdir", + Names: []string{"fchdir"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: 
"fchmod", + Names: []string{"fchmod"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fchmodat", + Names: []string{"fchmodat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fchown", + Names: []string{"fchown"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fchown32", + Names: []string{"fchown32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fchownat", + Names: []string{"fchownat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fcntl", + Names: []string{"fcntl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fcntl64", + Names: []string{"fcntl64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fdatasync", + Names: []string{"fdatasync"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fgetxattr", + Names: []string{"fgetxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "flistxattr", + Names: []string{"flistxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "flock", + Names: []string{"flock"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fork", + Names: []string{"fork"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fremovexattr", + Names: []string{"fremovexattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fsetxattr", + Names: []string{"fsetxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fstat", + Names: []string{"fstat"}, Action: rspec.ActAllow, - Args: 
[]rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fstat64", + Names: []string{"fstat64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fstatat64", + Names: []string{"fstatat64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fstatfs", + Names: []string{"fstatfs"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fstatfs64", + Names: []string{"fstatfs64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fsync", + Names: []string{"fsync"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ftruncate", + Names: []string{"ftruncate"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ftruncate64", + Names: []string{"ftruncate64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "futex", + Names: []string{"futex"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "futimesat", + Names: []string{"futimesat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getcpu", + Names: []string{"getcpu"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getcwd", + Names: []string{"getcwd"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getdents", + Names: []string{"getdents"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getdents64", + Names: []string{"getdents64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getegid", + Names: []string{"getegid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getegid32", 
+ Names: []string{"getegid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "geteuid", + Names: []string{"geteuid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "geteuid32", + Names: []string{"geteuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getgid", + Names: []string{"getgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getgid32", + Names: []string{"getgid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getgroups", + Names: []string{"getgroups"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getgroups32", + Names: []string{"getgroups32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getitimer", + Names: []string{"getitimer"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getpeername", + Names: []string{"getpeername"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getpgid", + Names: []string{"getpgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getpgrp", + Names: []string{"getpgrp"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getpid", + Names: []string{"getpid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getppid", + Names: []string{"getppid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getpriority", + Names: []string{"getpriority"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getrandom", + Names: []string{"getrandom"}, Action: rspec.ActAllow, - 
Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getresgid", + Names: []string{"getresgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getresgid32", + Names: []string{"getresgid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getresuid", + Names: []string{"getresuid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getresuid32", + Names: []string{"getresuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getrlimit", + Names: []string{"getrlimit"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "get_robust_list", + Names: []string{"get_robust_list"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getrusage", + Names: []string{"getrusage"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getsid", + Names: []string{"getsid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getsockname", + Names: []string{"getsockname"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getsockopt", + Names: []string{"getsockopt"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "get_thread_area", + Names: []string{"get_thread_area"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "gettid", + Names: []string{"gettid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "gettimeofday", + Names: []string{"gettimeofday"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getuid", + Names: []string{"getuid"}, Action: rspec.ActAllow, - Args: 
[]rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getuid32", + Names: []string{"getuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "getxattr", + Names: []string{"getxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "inotify_add_watch", + Names: []string{"inotify_add_watch"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "inotify_init", + Names: []string{"inotify_init"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "inotify_init1", + Names: []string{"inotify_init1"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "inotify_rm_watch", + Names: []string{"inotify_rm_watch"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "io_cancel", + Names: []string{"io_cancel"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ioctl", + Names: []string{"ioctl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "io_destroy", + Names: []string{"io_destroy"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "io_getevents", + Names: []string{"io_getevents"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ioprio_get", + Names: []string{"ioprio_get"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ioprio_set", + Names: []string{"ioprio_set"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "io_setup", + Names: []string{"io_setup"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "io_submit", + Names: []string{"io_submit"}, Action: rspec.ActAllow, - 
Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ipc", + Names: []string{"ipc"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "kill", + Names: []string{"kill"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lchown", + Names: []string{"lchown"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lchown32", + Names: []string{"lchown32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lgetxattr", + Names: []string{"lgetxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "link", + Names: []string{"link"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "linkat", + Names: []string{"linkat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "listen", + Names: []string{"listen"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "listxattr", + Names: []string{"listxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "llistxattr", + Names: []string{"llistxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "_llseek", + Names: []string{"_llseek"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lremovexattr", + Names: []string{"lremovexattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lseek", + Names: []string{"lseek"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lsetxattr", + Names: []string{"lsetxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lstat", + Names: 
[]string{"lstat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lstat64", + Names: []string{"lstat64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "madvise", + Names: []string{"madvise"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "memfd_create", + Names: []string{"memfd_create"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mincore", + Names: []string{"mincore"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mkdir", + Names: []string{"mkdir"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mkdirat", + Names: []string{"mkdirat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mknod", + Names: []string{"mknod"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mknodat", + Names: []string{"mknodat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mlock", + Names: []string{"mlock"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mlock2", + Names: []string{"mlock2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mlockall", + Names: []string{"mlockall"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mmap", + Names: []string{"mmap"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mmap2", + Names: []string{"mmap2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mprotect", + Names: []string{"mprotect"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { 
- Name: "mq_getsetattr", + Names: []string{"mq_getsetattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mq_notify", + Names: []string{"mq_notify"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mq_open", + Names: []string{"mq_open"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mq_timedreceive", + Names: []string{"mq_timedreceive"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mq_timedsend", + Names: []string{"mq_timedsend"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mq_unlink", + Names: []string{"mq_unlink"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mremap", + Names: []string{"mremap"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "msgctl", + Names: []string{"msgctl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "msgget", + Names: []string{"msgget"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "msgrcv", + Names: []string{"msgrcv"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "msgsnd", + Names: []string{"msgsnd"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "msync", + Names: []string{"msync"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "munlock", + Names: []string{"munlock"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "munlockall", + Names: []string{"munlockall"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "munmap", + Names: []string{"munmap"}, Action: 
rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "nanosleep", + Names: []string{"nanosleep"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "newfstatat", + Names: []string{"newfstatat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "_newselect", + Names: []string{"_newselect"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "open", + Names: []string{"open"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "openat", + Names: []string{"openat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "pause", + Names: []string{"pause"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "personality", + Names: []string{"personality"}, Action: rspec.ActAllow, - Args: []rspec.Arg{ + Args: []rspec.LinuxSeccompArg{ { Index: 0, Value: 0x0, @@ -863,9 +863,9 @@ func DefaultProfile(rs *specs.Spec) *rspec.Seccomp { }, }, { - Name: "personality", + Names: []string{"personality"}, Action: rspec.ActAllow, - Args: []rspec.Arg{ + Args: []rspec.LinuxSeccompArg{ { Index: 0, Value: 0x0008, @@ -874,9 +874,9 @@ func DefaultProfile(rs *specs.Spec) *rspec.Seccomp { }, }, { - Name: "personality", + Names: []string{"personality"}, Action: rspec.ActAllow, - Args: []rspec.Arg{ + Args: []rspec.LinuxSeccompArg{ { Index: 0, Value: 0xffffffff, 
@@ -885,913 +885,930 @@ func DefaultProfile(rs *specs.Spec) *rspec.Seccomp { }, }, { - Name: "pipe", + Names: []string{"pipe"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "pipe2", + Names: []string{"pipe2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "poll", + Names: []string{"poll"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ppoll", + Names: []string{"ppoll"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "prctl", + Names: []string{"prctl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "pread64", + Names: []string{"pread64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "preadv", + Names: []string{"preadv"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "prlimit64", + Names: []string{"prlimit64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "pselect6", + Names: []string{"pselect6"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "pwrite64", + Names: []string{"pwrite64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "pwritev", + Names: []string{"pwritev"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "read", + Names: []string{"read"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "readahead", + Names: []string{"readahead"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "readlink", + Names: []string{"readlink"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "readlinkat", + 
Names: []string{"readlinkat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "readv", + Names: []string{"readv"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "recv", + Names: []string{"recv"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "recvfrom", + Names: []string{"recvfrom"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "recvmmsg", + Names: []string{"recvmmsg"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "recvmsg", + Names: []string{"recvmsg"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "remap_file_pages", + Names: []string{"remap_file_pages"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "removexattr", + Names: []string{"removexattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rename", + Names: []string{"rename"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "renameat", + Names: []string{"renameat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "renameat2", + Names: []string{"renameat2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "restart_syscall", + Names: []string{"restart_syscall"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rmdir", + Names: []string{"rmdir"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigaction", + Names: []string{"rt_sigaction"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigpending", + Names: []string{"rt_sigpending"}, 
Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigprocmask", + Names: []string{"rt_sigprocmask"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigqueueinfo", + Names: []string{"rt_sigqueueinfo"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigreturn", + Names: []string{"rt_sigreturn"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigsuspend", + Names: []string{"rt_sigsuspend"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_sigtimedwait", + Names: []string{"rt_sigtimedwait"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "rt_tgsigqueueinfo", + Names: []string{"rt_tgsigqueueinfo"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_getaffinity", + Names: []string{"sched_getaffinity"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_getattr", + Names: []string{"sched_getattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_getparam", + Names: []string{"sched_getparam"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_get_priority_max", + Names: []string{"sched_get_priority_max"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_get_priority_min", + Names: []string{"sched_get_priority_min"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_getscheduler", + Names: []string{"sched_getscheduler"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_rr_get_interval", + Names: 
[]string{"sched_rr_get_interval"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_setaffinity", + Names: []string{"sched_setaffinity"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_setattr", + Names: []string{"sched_setattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_setparam", + Names: []string{"sched_setparam"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_setscheduler", + Names: []string{"sched_setscheduler"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sched_yield", + Names: []string{"sched_yield"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "seccomp", + Names: []string{"seccomp"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "select", + Names: []string{"select"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "semctl", + Names: []string{"semctl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "semget", + Names: []string{"semget"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "semop", + Names: []string{"semop"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "semtimedop", + Names: []string{"semtimedop"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "send", + Names: []string{"send"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sendfile", + Names: []string{"sendfile"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sendfile64", + Names: 
[]string{"sendfile64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sendmmsg", + Names: []string{"sendmmsg"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sendmsg", + Names: []string{"sendmsg"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sendto", + Names: []string{"sendto"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setfsgid", + Names: []string{"setfsgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setfsgid32", + Names: []string{"setfsgid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setfsuid", + Names: []string{"setfsuid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setfsuid32", + Names: []string{"setfsuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setgid", + Names: []string{"setgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setgid32", + Names: []string{"setgid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setgroups", + Names: []string{"setgroups"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setgroups32", + Names: []string{"setgroups32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setitimer", + Names: []string{"setitimer"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setpgid", + Names: []string{"setpgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setpriority", + Names: []string{"setpriority"}, Action: rspec.ActAllow, - Args: 
[]rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setregid", + Names: []string{"setregid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setregid32", + Names: []string{"setregid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setresgid", + Names: []string{"setresgid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setresgid32", + Names: []string{"setresgid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setresuid", + Names: []string{"setresuid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setresuid32", + Names: []string{"setresuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setreuid", + Names: []string{"setreuid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setreuid32", + Names: []string{"setreuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setrlimit", + Names: []string{"setrlimit"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "set_robust_list", + Names: []string{"set_robust_list"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setsid", + Names: []string{"setsid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setsockopt", + Names: []string{"setsockopt"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "set_thread_area", + Names: []string{"set_thread_area"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "set_tid_address", + Names: []string{"set_tid_address"}, Action: rspec.ActAllow, - Args: 
[]rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setuid", + Names: []string{"setuid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setuid32", + Names: []string{"setuid32"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setxattr", + Names: []string{"setxattr"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "shmat", + Names: []string{"shmat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "shmctl", + Names: []string{"shmctl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "shmdt", + Names: []string{"shmdt"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "shmget", + Names: []string{"shmget"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "shutdown", + Names: []string{"shutdown"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sigaltstack", + Names: []string{"sigaltstack"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "signalfd", + Names: []string{"signalfd"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "signalfd4", + Names: []string{"signalfd4"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sigreturn", + Names: []string{"sigreturn"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "socket", + Names: []string{"socket"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "socketcall", + Names: []string{"socketcall"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "socketpair", + 
Names: []string{"socketpair"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "splice", + Names: []string{"splice"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "stat", + Names: []string{"stat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "stat64", + Names: []string{"stat64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "statfs", + Names: []string{"statfs"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "statfs64", + Names: []string{"statfs64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "symlink", + Names: []string{"symlink"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "symlinkat", + Names: []string{"symlinkat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sync", + Names: []string{"sync"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sync_file_range", + Names: []string{"sync_file_range"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "syncfs", + Names: []string{"syncfs"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sysinfo", + Names: []string{"sysinfo"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "syslog", + Names: []string{"syslog"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "tee", + Names: []string{"tee"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "tgkill", + Names: []string{"tgkill"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: 
[]rspec.LinuxSeccompArg{}, }, { - Name: "time", + Names: []string{"time"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timer_create", + Names: []string{"timer_create"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timer_delete", + Names: []string{"timer_delete"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timerfd_create", + Names: []string{"timerfd_create"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timerfd_gettime", + Names: []string{"timerfd_gettime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timerfd_settime", + Names: []string{"timerfd_settime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timer_getoverrun", + Names: []string{"timer_getoverrun"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timer_gettime", + Names: []string{"timer_gettime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "timer_settime", + Names: []string{"timer_settime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "times", + Names: []string{"times"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "tkill", + Names: []string{"tkill"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "truncate", + Names: []string{"truncate"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "truncate64", + Names: []string{"truncate64"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ugetrlimit", + Names: []string{"ugetrlimit"}, Action: rspec.ActAllow, - Args: 
[]rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "umask", + Names: []string{"umask"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "uname", + Names: []string{"uname"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "unlink", + Names: []string{"unlink"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "unlinkat", + Names: []string{"unlinkat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "utime", + Names: []string{"utime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "utimensat", + Names: []string{"utimensat"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "utimes", + Names: []string{"utimes"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "vfork", + Names: []string{"vfork"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "vmsplice", + Names: []string{"vmsplice"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "wait4", + Names: []string{"wait4"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "waitid", + Names: []string{"waitid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "waitpid", + Names: []string{"waitpid"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "write", + Names: []string{"write"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "writev", + Names: []string{"writev"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, } var sysCloneFlagsIndex uint capSysAdmin := false var cap string 
+ var caps []string - for _, cap = range rs.Process.Capabilities { + for _, cap = range rs.Process.Capabilities.Bounding { + caps = append(caps, cap) + } + for _, cap = range rs.Process.Capabilities.Effective { + caps = append(caps, cap) + } + for _, cap = range rs.Process.Capabilities.Inheritable { + caps = append(caps, cap) + } + for _, cap = range rs.Process.Capabilities.Permitted { + caps = append(caps, cap) + } + for _, cap = range rs.Process.Capabilities.Ambient { + caps = append(caps, cap) + } + + for _, cap = range caps { switch cap { case "CAP_DAC_READ_SEARCH": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "open_by_handle_at", + Names: []string{"open_by_handle_at"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_ADMIN": capSysAdmin = true - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "bpf", + Names: []string{"bpf"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "clone", + Names: []string{"clone"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "fanotify_init", + Names: []string{"fanotify_init"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "lookup_dcookie", + Names: []string{"lookup_dcookie"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "mount", + Names: []string{"mount"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "name_to_handle_at", + Names: []string{"name_to_handle_at"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "perf_event_open", + Names: []string{"perf_event_open"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: 
"setdomainname", + Names: []string{"setdomainname"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "sethostname", + Names: []string{"sethostname"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "setns", + Names: []string{"setns"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "umount", + Names: []string{"umount"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "umount2", + Names: []string{"umount2"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "unshare", + Names: []string{"unshare"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_BOOT": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "reboot", + Names: []string{"reboot"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_CHROOT": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "chroot", + Names: []string{"chroot"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) 
case "CAP_SYS_MODULE": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "delete_module", + Names: []string{"delete_module"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "init_module", + Names: []string{"init_module"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "finit_module", + Names: []string{"finit_module"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "query_module", + Names: []string{"query_module"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_PACCT": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "acct", + Names: []string{"acct"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_PTRACE": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "kcmp", + Names: []string{"kcmp"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "process_vm_readv", + Names: []string{"process_vm_readv"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "process_vm_writev", + Names: []string{"process_vm_writev"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ptrace", + Names: []string{"ptrace"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) 
case "CAP_SYS_RAWIO": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "iopl", + Names: []string{"iopl"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "ioperm", + Names: []string{"ioperm"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_TIME": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "settimeofday", + Names: []string{"settimeofday"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "stime", + Names: []string{"stime"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, { - Name: "adjtimex", + Names: []string{"adjtimex"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) case "CAP_SYS_TTY_CONFIG": - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "vhangup", + Names: []string{"vhangup"}, Action: rspec.ActAllow, - Args: []rspec.Arg{}, + Args: []rspec.LinuxSeccompArg{}, }, }...) } } if !capSysAdmin { - syscalls = append(syscalls, []rspec.Syscall{ + syscalls = append(syscalls, []rspec.LinuxSyscall{ { - Name: "clone", + Names: []string{"clone"}, Action: rspec.ActAllow, - Args: []rspec.Arg{ + Args: []rspec.LinuxSeccompArg{ { Index: sysCloneFlagsIndex, Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, 
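Review bot: The five appends into `caps` at the head of this hunk's capability loop concatenate Bounding, Effective, Inheritable, Permitted and Ambient without de-duplicating, so a capability that appears in several sets (the common case, where the same list is repeated in each) runs its `case` once per set and the same allow rules are appended to `syscalls` several times; nothing visible collapses them, so the generated profile carries repeated rules that the comparison helpers in syscall_compare.go then see more than once. The same union-without-dedup is in the validate.go hunk inside `CheckProcess`, where it yields one message per set for a single invalid name. Collecting names into a set before the `switch` keeps the profile minimal; a sketch follows. `rs.Process.Capabilities` is also dereferenced five times with no nil check, and the validate.go hunk does the same with `process.Capabilities` — if that field is a pointer in the vendored rc5 specs-go (it is `omitempty` there; confirm in config.go), a config that omits the capabilities block panics in both places. DefaultProfile begins before this hunk.
```go
	var caps []string
	seen := make(map[string]struct{})
	for _, set := range [][]string{
		rs.Process.Capabilities.Bounding,
		rs.Process.Capabilities.Effective,
		rs.Process.Capabilities.Inheritable,
		rs.Process.Capabilities.Permitted,
		rs.Process.Capabilities.Ambient,
	} {
		for _, cap = range set {
			if _, dup := seen[cap]; dup {
				continue // same capability listed in more than one set
			}
			seen[cap] = struct{}{}
			caps = append(caps, cap)
		}
	}
	// … unchanged: for _, cap = range caps { switch cap { … } } …
```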
@@ -1807,62 +1824,62 @@ func DefaultProfile(rs *specs.Spec) *rspec.Seccomp {
 arch := runtime.GOARCH
 switch arch {
 case "arm", "arm64":
- syscalls = append(syscalls, []rspec.Syscall{
+ syscalls = append(syscalls, []rspec.LinuxSyscall{
 {
- Name: "breakpoint",
+ Names: []string{"breakpoint"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 {
- Name: "cacheflush",
+ Names: []string{"cacheflush"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 {
- Name: "set_tls",
+ Names: []string{"set_tls"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 }...)
 case "amd64", "x32":
- syscalls = append(syscalls, []rspec.Syscall{
+ syscalls = append(syscalls, []rspec.LinuxSyscall{
 {
- Name: "arch_prctl",
+ Names: []string{"arch_prctl"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 }...)
 fallthrough
 case "x86":
- syscalls = append(syscalls, []rspec.Syscall{
+ syscalls = append(syscalls, []rspec.LinuxSyscall{
 {
- Name: "modify_ldt",
+ Names: []string{"modify_ldt"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 }...)
 case "s390", "s390x":
- syscalls = append(syscalls, []rspec.Syscall{
+ syscalls = append(syscalls, []rspec.LinuxSyscall{
 {
- Name: "s390_pci_mmio_read",
+ Names: []string{"s390_pci_mmio_read"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 {
- Name: "s390_pci_mmio_write",
+ Names: []string{"s390_pci_mmio_write"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 {
- Name: "s390_runtime_instr",
+ Names: []string{"s390_runtime_instr"},
 Action: rspec.ActAllow,
- Args: []rspec.Arg{},
+ Args: []rspec.LinuxSeccompArg{},
 },
 }...)
 /* Flags parameter of the clone syscall is the 2nd on s390 */
 }
 
- return &rspec.Seccomp{
+ return &rspec.LinuxSeccomp{
 DefaultAction: rspec.ActErrno,
 Architectures: arches(),
 Syscalls: syscalls,
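Review bot: The s390 case still ends with the comment `/* Flags parameter of the clone syscall is the 2nd on s390 */` but no statement acts on it, and this architecture switch runs after the `!capSysAdmin` clone rule earlier in DefaultProfile has already been built with `Index: sysCloneFlagsIndex`, a `uint` that is declared above it and, from what is visible, never assigned. So the flags filter that keeps an unprivileged container from passing CLONE_NEW* to clone is bound to argument 0 on every architecture, which by the comment's own statement is not the flags argument on s390. Unless the index is set in lines outside this diff before that rule, either move the switch ahead of the clone rule and add `sysCloneFlagsIndex = 1` to the s390 case, or drop the comment so it stops promising something the code does not do. This predates the commit, but the rename touches every line around it and is the natural moment to fix it; DefaultProfile begins before this hunk.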
diff --git a/generate/seccomp/syscall_compare.go b/generate/seccomp/syscall_compare.go
index 01dc2e30c..dbf2aec1c 100644
--- a/generate/seccomp/syscall_compare.go
+++ b/generate/seccomp/syscall_compare.go
@@ -11,12 +11,12 @@ import (
 
 // Determine if a new syscall rule should be appended, overwrite an existing rule
 // or if no action should be taken at all
-func decideCourseOfAction(newSyscall *rspec.Syscall, syscalls []rspec.Syscall) (string, error) {
+func decideCourseOfAction(newSyscall *rspec.LinuxSyscall, syscalls []rspec.LinuxSyscall) (string, error) {
 ruleForSyscallAlreadyExists := false
 
 var sliceOfDeterminedActions []string
 for i, syscall := range syscalls {
- if syscall.Name == newSyscall.Name {
+ if sameName(&syscall, newSyscall) {
 ruleForSyscallAlreadyExists = true
 
 if identical(newSyscall, &syscall) {
@@ -83,16 +83,16 @@ func decideCourseOfAction(newSyscall *rspec.Syscall, syscalls []rspec.Syscall) (
 return "", fmt.Errorf("Trouble determining action: %s", sliceOfDeterminedActions)
 }
 
-func hasArguments(config *rspec.Syscall) bool {
- nilSyscall := new(rspec.Syscall)
+func hasArguments(config *rspec.LinuxSyscall) bool {
+ nilSyscall := new(rspec.LinuxSyscall)
 return !sameArgs(nilSyscall, config)
 }
 
-func identical(config1, config2 *rspec.Syscall) bool {
+func identical(config1, config2 *rspec.LinuxSyscall) bool {
 return reflect.DeepEqual(config1, config2)
 }
 
-func identicalExceptAction(config1, config2 *rspec.Syscall) bool {
+func identicalExceptAction(config1, config2 *rspec.LinuxSyscall) bool {
 samename := sameName(config1, config2)
 sameAction := sameAction(config1, config2)
 sameArgs := sameArgs(config1, config2)
@@ -100,7 +100,7 @@ func identicalExceptAction(config1, config2 *rspec.Syscall) bool {
 return samename && !sameAction && sameArgs
 }
 
-func identicalExceptArgs(config1, config2 *rspec.Syscall) bool {
+func identicalExceptArgs(config1, config2 *rspec.LinuxSyscall) bool {
 samename := sameName(config1, config2)
 sameAction := sameAction(config1, config2)
 sameArgs := sameArgs(config1, config2)
@@ -108,33 +108,33 @@ func identicalExceptArgs(config1, config2 *rspec.Syscall) bool {
 return samename && sameAction && !sameArgs
 }
 
-func sameName(config1, config2 *rspec.Syscall) bool {
- return config1.Name == config2.Name
+func sameName(config1, config2 *rspec.LinuxSyscall) bool {
+ return reflect.DeepEqual(config1.Names, config2.Names)
 }
 
-func sameAction(config1, config2 *rspec.Syscall) bool {
+func sameAction(config1, config2 *rspec.LinuxSyscall) bool {
 return config1.Action == config2.Action
 }
 
-func sameArgs(config1, config2 *rspec.Syscall) bool {
+func sameArgs(config1, config2 *rspec.LinuxSyscall) bool {
 return reflect.DeepEqual(config1.Args, config2.Args)
 }
 
-func bothHaveArgs(config1, config2 *rspec.Syscall) bool {
+func bothHaveArgs(config1, config2 *rspec.LinuxSyscall) bool {
 return hasArguments(config1) && hasArguments(config2)
 }
 
-func onlyOneHasArgs(config1, config2 *rspec.Syscall) bool {
+func onlyOneHasArgs(config1, config2 *rspec.LinuxSyscall) bool {
 conf1 := hasArguments(config1)
 conf2 := hasArguments(config2)
 
 return (conf1 && !conf2) || (!conf1 && conf2)
 }
 
-func neitherHasArgs(config1, config2 *rspec.Syscall) bool {
+func neitherHasArgs(config1, config2 *rspec.LinuxSyscall) bool {
 return !hasArguments(config1) && !hasArguments(config2)
 }
 
-func firstParamOnlyHasArgs(config1, config2 *rspec.Syscall) bool {
+func firstParamOnlyHasArgs(config1, config2 *rspec.LinuxSyscall) bool {
 return !hasArguments(config1) && hasArguments(config2)
 }
diff --git a/generate/spec.go b/generate/spec.go
index 657ed8b24..4498aa14f 100644
--- a/generate/spec.go
+++ b/generate/spec.go
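Review bot: `sameName` now compares `config1.Names` and `config2.Names` with `reflect.DeepEqual`, which is order-sensitive and also distinguishes a nil slice from an empty one, so two rules for the same syscalls written as `{"open","openat"}` and `{"openat","open"}` count as different names and `decideCourseOfAction` in the first hunk of this file appends a second rule instead of recognising the existing one; a partial overlap such as `{"open"}` against `{"open","openat"}` is missed the same way, leaving two rules for one syscall in the profile. Since `identical` also relies on DeepEqual of the whole struct, the smallest consistent fix is to compare sorted copies in `sameName` (needs `sort` imported) and to state in a comment above it that overlapping name lists are still treated as distinct. The loop in decideCourseOfAction that calls it starts and ends outside these hunks.
```go
func sameName(config1, config2 *rspec.LinuxSyscall) bool {
	a := append([]string(nil), config1.Names...)
	b := append([]string(nil), config2.Names...)
	sort.Strings(a)
	sort.Strings(b)
	return reflect.DeepEqual(a, b)
}
```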
@@ -34,41 +34,41 @@ func (g *Generator) initSpecLinuxSysctl() { func (g *Generator) initSpecLinuxSeccomp() { g.initSpecLinux() if g.spec.Linux.Seccomp == nil { - g.spec.Linux.Seccomp = &rspec.Seccomp{} + g.spec.Linux.Seccomp = &rspec.LinuxSeccomp{} } } func (g *Generator) initSpecLinuxResources() { g.initSpecLinux() if g.spec.Linux.Resources == nil { - g.spec.Linux.Resources = &rspec.Resources{} + g.spec.Linux.Resources = &rspec.LinuxResources{} } } func (g *Generator) initSpecLinuxResourcesCPU() { g.initSpecLinuxResources() if g.spec.Linux.Resources.CPU == nil { - g.spec.Linux.Resources.CPU = &rspec.CPU{} + g.spec.Linux.Resources.CPU = &rspec.LinuxCPU{} } } func (g *Generator) initSpecLinuxResourcesMemory() { g.initSpecLinuxResources() if g.spec.Linux.Resources.Memory == nil { - g.spec.Linux.Resources.Memory = &rspec.Memory{} + g.spec.Linux.Resources.Memory = &rspec.LinuxMemory{} } } func (g *Generator) initSpecLinuxResourcesNetwork() { g.initSpecLinuxResources() if g.spec.Linux.Resources.Network == nil { - g.spec.Linux.Resources.Network = &rspec.Network{} + g.spec.Linux.Resources.Network = &rspec.LinuxNetwork{} } } func (g *Generator) initSpecLinuxResourcesPids() { g.initSpecLinuxResources() if g.spec.Linux.Resources.Pids == nil { - g.spec.Linux.Resources.Pids = &rspec.Pids{} + g.spec.Linux.Resources.Pids = &rspec.LinuxPids{} } } diff --git a/validate/validate.go b/validate/validate.go index fbe6557a7..0e95948d4 100644 --- a/validate/validate.go +++ b/validate/validate.go 
@@ -256,7 +256,25 @@ func (v *Validator) CheckProcess() (msgs []string) { } } - for _, capability := range process.Capabilities { + var caps []string + + for _, cap := range process.Capabilities.Bounding { + caps = append(caps, cap) + } + for _, cap := range process.Capabilities.Effective { + caps = append(caps, cap) + } + for _, cap := range process.Capabilities.Inheritable { + caps = append(caps, cap) + } + for _, cap := range process.Capabilities.Permitted { + caps = append(caps, cap) + } + for _, cap := range process.Capabilities.Ambient { + caps = append(caps, cap) + } + + for _, capability := range caps { if err := CapValid(capability, v.HostSpecific); err != nil { msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability)) } @@ -588,7 +606,7 @@ func envValid(env string) bool { return true } -func rlimitValid(rlimit rspec.Rlimit) error { +func rlimitValid(rlimit rspec.LinuxRlimit) error { if rlimit.Hard < rlimit.Soft { return fmt.Errorf("hard limit of rlimit %s should not be less than soft limit", rlimit.Type) } @@ -600,7 +618,7 @@ func rlimitValid(rlimit rspec.Rlimit) error { return fmt.Errorf("rlimit type %q is invalid", rlimit.Type) } -func namespaceValid(ns rspec.Namespace) bool { +func namespaceValid(ns rspec.LinuxNamespace) bool { switch ns.Type { case rspec.PIDNamespace: case rspec.NetworkNamespace: @@ -615,7 +633,7 @@ func namespaceValid(ns rspec.Namespace) bool { return true } -func deviceValid(d rspec.Device) bool { +func deviceValid(d rspec.LinuxDevice) bool { switch d.Type { case "b": case "c": @@ -636,7 +654,7 @@ func deviceValid(d rspec.Device) bool { return true } -func seccompActionValid(secc rspec.Action) bool { +func seccompActionValid(secc rspec.LinuxSeccompAction) bool { switch secc { case "": case rspec.ActKill: 
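Review bot: The five `range` loops in the capabilities hunk dereference `process.Capabilities` unconditionally; the vendored rc5 `specs-go` is not shown in this chunk, but if `Process.Capabilities` is the `*LinuxCapabilities` pointer that spec version introduced, a config that omits `capabilities` makes the validator panic instead of reporting. The loop variable `cap` also shadows the builtin, and each element-wise `append` is a one-line variadic `append`. Since the sets are now separate, a follow-up check could flag an `Effective` or `Ambient` entry that is not in `Permitted`, which the kernel will never grant — optional, and not something this hunk claims to do. Guarding the nil case and collapsing the loops:
```go
var caps []string
if process.Capabilities != nil {
	c := process.Capabilities
	caps = append(caps, c.Bounding...)
	caps = append(caps, c.Effective...)
	caps = append(caps, c.Inheritable...)
	caps = append(caps, c.Permitted...)
	caps = append(caps, c.Ambient...)
}
// … unchanged: per-capability CapValid loop …
```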
@@ -650,7 +668,7 @@ func seccompActionValid(secc rspec.Action) bool { return true } -func syscallValid(s rspec.Syscall) bool { +func syscallValid(s rspec.LinuxSyscall) bool { if !seccompActionValid(s.Action) { return false }
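Review bot: `syscallValid` checks only the action at this point, yet with `LinuxSyscall.Names` now a slice a rule with an empty `Names` matches nothing and silently no-ops in the profile, so the validator should reject it unless the rest of the body, which is outside this hunk, already does. Suggested guard right after the action check: `if len(s.Names) == 0 { return false }`, and reject empty strings inside the slice while iterating it.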