Merge pull request #4082 from kolyshkin/moby-cap

vendor: switch to moby/sys/capability

src/cmd/linuxkit/go.mod

@@ -54,9 +54,9 @@ require (
 	github.com/Code-Hex/vz/v3 v3.0.0
 	github.com/equinix/equinix-sdk-go v0.42.0
 	github.com/in-toto/in-toto-golang v0.5.0
+	github.com/moby/sys/capability v0.3.0
 	github.com/spdx/tools-golang v0.5.3
 	github.com/spf13/cobra v1.8.0
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	gopkg.in/yaml.v3 v3.0.1
 )
 

src/cmd/linuxkit/go.sum

@@ -103,8 +103,6 @@ github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0
 github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
-github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
 github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
@@ -247,6 +245,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
+github.com/moby/sys/capability v0.3.0 h1:kEP+y6te0gEXIaeQhIi0s7vKs/w0RPoH1qPa6jROcVg=
+github.com/moby/sys/capability v0.3.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
 github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
@@ -331,8 +331,6 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/surma/gocpio v1.0.2-0.20160926205914-fcb68777e7dc h1:iA3Eg1OVd2o0M4M+0PBsBBssMz98L8CUH7x0xVkuyUA=
 github.com/surma/gocpio v1.0.2-0.20160926205914-fcb68777e7dc/go.mod h1:zaLNaN+EDnfSnNdWPJJf9OZxWF817w5dt8JNzF9LCVI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c h1:+6wg/4ORAbnSoGDzg2Q1i3CeMcT/jjhye/ZfnBHy7/M=
 github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c/go.mod h1:vbbYqJlnswsbJqWUcJN8fKtBhnEgldDrcagTgnBVKKM=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=

src/cmd/linuxkit/moby/config.go

@@ -13,10 +13,10 @@ import (
 	"github.com/containerd/containerd/reference"
 	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/spec"
 	"github.com/linuxkit/linuxkit/src/cmd/linuxkit/util"
+	"github.com/moby/sys/capability"
 	imagespec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	log "github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 	"github.com/xeipuuv/gojsonschema"
 	"gopkg.in/yaml.v3"
 )
@@ -781,7 +781,7 @@ func assignStringEmpty4(v1, v2, v3, v4 string) string {
 
 func getAllCapabilities() []string {
 	var caps []string
-	for _, cap := range capability.List() {
+	for _, cap := range capability.ListKnown() {
 		caps = append(caps, "CAP_"+strings.ToUpper(cap.String()))
 	}
 	return caps

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/.codespellrc

@@ -0,0 +1,3 @@
+[codespell]
+skip = ./.git
+ignore-words-list = nd

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/.golangci.yml

@@ -0,0 +1,6 @@
+linters:
+  enable:
+    - unconvert
+    - unparam
+    - gofumpt
+    - errorlint

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/CHANGELOG.md

@@ -0,0 +1,90 @@
+# Changelog
+This file documents all notable changes made to this project since the initial fork
+from https://github.com/syndtr/gocapability/commit/42c35b4376354fd5.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.3.0] - 2024-09-25
+
+### Added
+* Added [ListKnown] and [ListSupported] functions. (#153)
+* [LastCap] is now available on non-Linux platforms (where it returns an error). (#152)
+
+### Changed
+* [List] is now deprecated in favor of [ListKnown] and [ListSupported]. (#153)
+
+### Fixed
+* Various documentation improvements. (#151)
+* Fix "generated code" comment. (#153)
+
+## [0.2.0] - 2024-09-16
+
+This is the first release after the move to a new home in
+github.com/moby/sys/capability.
+
+### Fixed
+ * Fixed URLs in documentation to reflect the new home.
+
+## [0.1.1] - 2024-08-01
+
+This is a maintenance release, fixing a few minor issues.
+
+### Fixed
+ * Fixed future kernel compatibility, for real this time. [#11]
+ * Fixed [LastCap] to be a function. [#12]
+
+## [0.1.0] - 2024-07-31
+
+This is an initial release since the fork.
+
+### Breaking changes
+
+ * The `CAP_LAST_CAP` variable is removed; users need to modify the code to
+   use [LastCap] to get the value. [#6]
+ * The code now requires Go >= 1.21.
+
+### Added
+ * `go.mod` and `go.sum` files. [#2]
+ * New [LastCap] function. [#6]
+ * Basic CI using GHA infra. [#8], [#9]
+ * README and CHANGELOG. [#10]
+
+### Fixed
+ * Fixed ambient capabilities error handling in [Apply]. [#3]
+ * Fixed future kernel compatibility. [#1]
+ * Fixed various linter warnings. [#4], [#7]
+
+### Changed
+ * Go build tags changed from old-style (`+build`) to new Go 1.17+ style (`go:build`). [#2]
+
+### Removed
+ * Removed support for capabilities v1 and v2. [#1]
+ * Removed init function so programs that use this package start faster. [#6]
+ * Removed `CAP_LAST_CAP` (use [LastCap] instead). [#6]
+
+<!-- Doc links. -->
+[Apply]: https://pkg.go.dev/github.com/moby/sys/capability#Capabilities.Apply
+[LastCap]: https://pkg.go.dev/github.com/moby/sys/capability#LastCap
+[List]: https://pkg.go.dev/github.com/moby/sys/capability#List
+[ListKnown]: https://pkg.go.dev/github.com/moby/sys/capability#ListKnown
+[ListSupported]: https://pkg.go.dev/github.com/moby/sys/capability#ListSupported
+
+<!-- Minor releases. -->
+[0.3.0]: https://github.com/moby/sys/releases/tag/capability%2Fv0.3.0
+[0.2.0]: https://github.com/moby/sys/releases/tag/capability%2Fv0.2.0
+[0.1.1]: https://github.com/kolyshkin/capability/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/kolyshkin/capability/compare/42c35b4376354fd5...v0.1.0
+
+<!-- PRs in 0.1.x releases. -->
+[#1]: https://github.com/kolyshkin/capability/pull/1
+[#2]: https://github.com/kolyshkin/capability/pull/2
+[#3]: https://github.com/kolyshkin/capability/pull/3
+[#4]: https://github.com/kolyshkin/capability/pull/4
+[#6]: https://github.com/kolyshkin/capability/pull/6
+[#7]: https://github.com/kolyshkin/capability/pull/7
+[#8]: https://github.com/kolyshkin/capability/pull/8
+[#9]: https://github.com/kolyshkin/capability/pull/9
+[#10]: https://github.com/kolyshkin/capability/pull/10
+[#11]: https://github.com/kolyshkin/capability/pull/11
+[#12]: https://github.com/kolyshkin/capability/pull/12

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/LICENSE

@@ -1,3 +1,4 @@
+Copyright 2023 The Capability Authors.
 Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
 All rights reserved.
 

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/README.md

@@ -0,0 +1,13 @@
+This is a fork of (apparently no longer maintained)
+https://github.com/syndtr/gocapability package. It provides basic primitives to
+work with [Linux capabilities][capabilities(7)].
+
+For changes, see [CHANGELOG.md](./CHANGELOG.md).
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/moby/sys/capability/capability.svg)](https://pkg.go.dev/github.com/moby/sys/capability)
+
+## Alternatives
+
+ * https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap
+
+[capabilities(7)]: https://man7.org/linux/man-pages/man7/capabilities.7.html

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/capability.go

@@ -1,8 +1,9 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
+// Copyright 2023 The Capability Authors.
+// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
 // All rights reserved.
 //
-// Use of this source code is governed by a BSD-style license that can be
+// Use of this source code is governed by a BSD-style
-// found in the LICENSE file.
+// license that can be found in the LICENSE file.
 
 // Package capability provides utilities for manipulating POSIX capabilities.
 package capability
@@ -60,26 +61,27 @@ type Capabilities interface {
 	Apply(kind CapType) error
 }
 
-// NewPid initializes a new Capabilities object for given pid when
+// NewPid initializes a new [Capabilities] object for given pid when
 // it is nonzero, or for the current process if pid is 0.
 //
-// Deprecated: Replace with NewPid2.  For example, replace:
+// Deprecated: Replace with [NewPid2] followed by [Capabilities.Load].
+// For example, replace:
 //
-//    c, err := NewPid(0)
+//	c, err := NewPid(0)
-//    if err != nil {
+//	if err != nil {
-//      return err
+//		return err
-//    }
+//	}
 //
 // with:
 //
-//    c, err := NewPid2(0)
+//	c, err := NewPid2(0)
-//    if err != nil {
+//	if err != nil {
-//      return err
+//		return err
-//    }
+//	}
-//    err = c.Load()
+//	err = c.Load()
-//    if err != nil {
+//	if err != nil {
-//      return err
+//		return err
-//    }
+//	}
 func NewPid(pid int) (Capabilities, error) {
 	c, err := newPid(pid)
 	if err != nil {
@@ -89,33 +91,34 @@ func NewPid(pid int) (Capabilities, error) {
 	return c, err
 }
 
-// NewPid2 initializes a new Capabilities object for given pid when
+// NewPid2 initializes a new [Capabilities] object for given pid when
-// it is nonzero, or for the current process if pid is 0.  This
+// it is nonzero, or for the current process if pid is 0. This
 // does not load the process's current capabilities; to do that you
-// must call Load explicitly.
+// must call [Capabilities.Load] explicitly.
 func NewPid2(pid int) (Capabilities, error) {
 	return newPid(pid)
 }
 
 // NewFile initializes a new Capabilities object for given file path.
 //
-// Deprecated: Replace with NewFile2.  For example, replace:
+// Deprecated: Replace with [NewFile2] followed by [Capabilities.Load].
+// For example, replace:
 //
-//    c, err := NewFile(path)
+//	c, err := NewFile(path)
-//    if err != nil {
+//	if err != nil {
-//      return err
+//		return err
-//    }
+//	}
 //
 // with:
 //
-//    c, err := NewFile2(path)
+//	c, err := NewFile2(path)
-//    if err != nil {
+//	if err != nil {
-//      return err
+//		return err
-//    }
+//	}
-//    err = c.Load()
+//	err = c.Load()
-//    if err != nil {
+//	if err != nil {
-//      return err
+//		return err
-//    }
+//	}
 func NewFile(path string) (Capabilities, error) {
 	c, err := newFile(path)
 	if err != nil {
@@ -125,9 +128,17 @@ func NewFile(path string) (Capabilities, error) {
 	return c, err
 }
 
-// NewFile2 creates a new initialized Capabilities object for given
+// NewFile2 creates a new initialized [Capabilities] object for given
-// file path.  This does not load the process's current capabilities;
+// file path. This does not load the process's current capabilities;
-// to do that you must call Load explicitly.
+// to do that you must call [Capabilities.Load] explicitly.
 func NewFile2(path string) (Capabilities, error) {
 	return newFile(path)
 }
+
+// LastCap returns highest valid capability of the running kernel,
+// or an error if it can not be obtained.
+//
+// See also: [ListSupported].
+func LastCap() (Cap, error) {
+	return lastCap()
+}

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/capability_linux.go

@@ -1,8 +1,9 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
+// Copyright 2023 The Capability Authors.
+// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
 // All rights reserved.
 //
-// Use of this source code is governed by a BSD-style license that can be
+// Use of this source code is governed by a BSD-style
-// found in the LICENSE file.
+// license that can be found in the LICENSE file.
 
 package capability
 
@@ -12,62 +13,53 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 )
 
-var errUnknownVers = errors.New("unknown capability version")
-
 const (
-	linuxCapVer1 = 0x19980330
+	linuxCapVer1 = 0x19980330 // No longer supported.
-	linuxCapVer2 = 0x20071026
+	linuxCapVer2 = 0x20071026 // No longer supported.
 	linuxCapVer3 = 0x20080522
 )
 
-var (
+var lastCap = sync.OnceValues(func() (Cap, error) {
-	capVers    uint32
-	capLastCap Cap
-)
-
-func init() {
-	var hdr capHeader
-	capget(&hdr, nil)
-	capVers = hdr.version
-
-	if initLastCap() == nil {
-		CAP_LAST_CAP = capLastCap
-		if capLastCap > 31 {
-			capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
-		} else {
-			capUpperMask = 0
-		}
-	}
-}
-
-func initLastCap() error {
-	if capLastCap != 0 {
-		return nil
-	}
-
 	f, err := os.Open("/proc/sys/kernel/cap_last_cap")
 	if err != nil {
-		return err
+		return 0, err
 	}
-	defer f.Close()
 
-	var b []byte = make([]byte, 11)
+	buf := make([]byte, 11)
-	_, err = f.Read(b)
+	l, err := f.Read(buf)
+	f.Close()
 	if err != nil {
-		return err
+		return 0, err
 	}
+	buf = buf[:l]
 
-	fmt.Sscanf(string(b), "%d", &capLastCap)
+	last, err := strconv.Atoi(strings.TrimSpace(string(buf)))
+	if err != nil {
+		return 0, err
+	}
+	return Cap(last), nil
+})
 
-	return nil
+func capUpperMask() uint32 {
+	last, err := lastCap()
+	if err != nil || last < 32 {
+		return 0
+	}
+	return (uint32(1) << (uint(last) - 31)) - 1
 }
 
 func mkStringCap(c Capabilities, which CapType) (ret string) {
-	for i, first := Cap(0), true; i <= CAP_LAST_CAP; i++ {
+	last, err := lastCap()
+	if err != nil {
+		return ""
+	}
+	for i, first := Cap(0), true; i <= last; i++ {
 		if !c.Get(which, i) {
 			continue
 		}
@@ -98,138 +90,33 @@ func mkString(c Capabilities, max CapType) (ret string) {
 	return
 }
 
-func newPid(pid int) (c Capabilities, err error) {
+var capVersion = sync.OnceValues(func() (uint32, error) {
-	switch capVers {
+	var hdr capHeader
-	case linuxCapVer1:
+	err := capget(&hdr, nil)
-		p := new(capsV1)
+	return hdr.version, err
-		p.hdr.version = capVers
+})
-		p.hdr.pid = int32(pid)
+
-		c = p
+func newPid(pid int) (c Capabilities, retErr error) {
-	case linuxCapVer2, linuxCapVer3:
+	ver, err := capVersion()
-		p := new(capsV3)
+	if err != nil {
-		p.hdr.version = capVers
+		retErr = fmt.Errorf("unable to get capability version from the kernel: %w", err)
-		p.hdr.pid = int32(pid)
-		c = p
-	default:
-		err = errUnknownVers
 		return
 	}
-	return
+	switch ver {
-}
+	case linuxCapVer1, linuxCapVer2:
-
+		retErr = errors.New("old/unsupported capability version (kernel older than 2.6.26?)")
-type capsV1 struct {
+	default:
-	hdr  capHeader
+		// Either linuxCapVer3, or an unknown/future version (such as v4).
-	data capData
+		// In the latter case, we fall back to v3 as the latest version known
-}
+		// to this package, as kernel should be backward-compatible to v3.
-
+		p := new(capsV3)
-func (c *capsV1) Get(which CapType, what Cap) bool {
+		p.hdr.version = linuxCapVer3
-	if what > 32 {
+		p.hdr.pid = int32(pid)
-		return false
+		c = p
-	}
-
-	switch which {
-	case EFFECTIVE:
-		return (1<<uint(what))&c.data.effective != 0
-	case PERMITTED:
-		return (1<<uint(what))&c.data.permitted != 0
-	case INHERITABLE:
-		return (1<<uint(what))&c.data.inheritable != 0
-	}
-
-	return false
-}
-
-func (c *capsV1) getData(which CapType) (ret uint32) {
-	switch which {
-	case EFFECTIVE:
-		ret = c.data.effective
-	case PERMITTED:
-		ret = c.data.permitted
-	case INHERITABLE:
-		ret = c.data.inheritable
 	}
 	return
 }
 
-func (c *capsV1) Empty(which CapType) bool {
-	return c.getData(which) == 0
-}
-
-func (c *capsV1) Full(which CapType) bool {
-	return (c.getData(which) & 0x7fffffff) == 0x7fffffff
-}
-
-func (c *capsV1) Set(which CapType, caps ...Cap) {
-	for _, what := range caps {
-		if what > 32 {
-			continue
-		}
-
-		if which&EFFECTIVE != 0 {
-			c.data.effective |= 1 << uint(what)
-		}
-		if which&PERMITTED != 0 {
-			c.data.permitted |= 1 << uint(what)
-		}
-		if which&INHERITABLE != 0 {
-			c.data.inheritable |= 1 << uint(what)
-		}
-	}
-}
-
-func (c *capsV1) Unset(which CapType, caps ...Cap) {
-	for _, what := range caps {
-		if what > 32 {
-			continue
-		}
-
-		if which&EFFECTIVE != 0 {
-			c.data.effective &= ^(1 << uint(what))
-		}
-		if which&PERMITTED != 0 {
-			c.data.permitted &= ^(1 << uint(what))
-		}
-		if which&INHERITABLE != 0 {
-			c.data.inheritable &= ^(1 << uint(what))
-		}
-	}
-}
-
-func (c *capsV1) Fill(kind CapType) {
-	if kind&CAPS == CAPS {
-		c.data.effective = 0x7fffffff
-		c.data.permitted = 0x7fffffff
-		c.data.inheritable = 0
-	}
-}
-
-func (c *capsV1) Clear(kind CapType) {
-	if kind&CAPS == CAPS {
-		c.data.effective = 0
-		c.data.permitted = 0
-		c.data.inheritable = 0
-	}
-}
-
-func (c *capsV1) StringCap(which CapType) (ret string) {
-	return mkStringCap(c, which)
-}
-
-func (c *capsV1) String() (ret string) {
-	return mkString(c, BOUNDING)
-}
-
-func (c *capsV1) Load() (err error) {
-	return capget(&c.hdr, &c.data)
-}
-
-func (c *capsV1) Apply(kind CapType) error {
-	if kind&CAPS == CAPS {
-		return capset(&c.hdr, &c.data)
-	}
-	return nil
-}
-
 type capsV3 struct {
 	hdr     capHeader
 	data    [2]capData
@@ -292,7 +179,8 @@ func (c *capsV3) Full(which CapType) bool {
 	if (data[0] & 0xffffffff) != 0xffffffff {
 		return false
 	}
-	return (data[1] & capUpperMask) == capUpperMask
+	mask := capUpperMask()
+	return (data[1] & mask) == mask
 }
 
 func (c *capsV3) Set(which CapType, caps ...Cap) {
@@ -401,15 +289,12 @@ func (c *capsV3) Load() (err error) {
 		return
 	}
 
-	var status_path string
+	path := "/proc/self/status"
-
+	if c.hdr.pid != 0 {
-	if c.hdr.pid == 0 {
+		path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
-		status_path = fmt.Sprintf("/proc/self/status")
-	} else {
-		status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
 	}
 
-	f, err := os.Open(status_path)
+	f, err := os.Open(path)
 	if err != nil {
 		return
 	}
@@ -423,11 +308,17 @@ func (c *capsV3) Load() (err error) {
 			break
 		}
 		if strings.HasPrefix(line, "CapB") {
-			fmt.Sscanf(line[4:], "nd:  %08x%08x", &c.bounds[1], &c.bounds[0])
+			_, err = fmt.Sscanf(line[4:], "nd:  %08x%08x", &c.bounds[1], &c.bounds[0])
+			if err != nil {
+				break
+			}
 			continue
 		}
 		if strings.HasPrefix(line, "CapA") {
-			fmt.Sscanf(line[4:], "mb:  %08x%08x", &c.ambient[1], &c.ambient[0])
+			_, err = fmt.Sscanf(line[4:], "mb:  %08x%08x", &c.ambient[1], &c.ambient[0])
+			if err != nil {
+				break
+			}
 			continue
 		}
 	}
@@ -437,6 +328,10 @@ func (c *capsV3) Load() (err error) {
 }
 
 func (c *capsV3) Apply(kind CapType) (err error) {
+	last, err := LastCap()
+	if err != nil {
+		return err
+	}
 	if kind&BOUNDS == BOUNDS {
 		var data [2]capData
 		err = capget(&c.hdr, &data[0])
@@ -444,14 +339,14 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 			return
 		}
 		if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
-			for i := Cap(0); i <= CAP_LAST_CAP; i++ {
+			for i := Cap(0); i <= last; i++ {
 				if c.Get(BOUNDING, i) {
 					continue
 				}
 				err = prctl(syscall.PR_CAPBSET_DROP, uintptr(i), 0, 0, 0)
 				if err != nil {
 					// Ignore EINVAL since the capability may not be supported in this system.
-					if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINVAL {
+					if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
 						err = nil
 						continue
 					}
@@ -469,16 +364,19 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 
 	if kind&AMBS == AMBS {
-		for i := Cap(0); i <= CAP_LAST_CAP; i++ {
+		for i := Cap(0); i <= last; i++ {
 			action := pr_CAP_AMBIENT_LOWER
 			if c.Get(AMBIENT, i) {
 				action = pr_CAP_AMBIENT_RAISE
 			}
-			err := prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
+			err = prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
-			// Ignore EINVAL as not supported on kernels before 4.3
+			if err != nil {
-			if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINVAL {
+				// Ignore EINVAL as not supported on kernels before 4.3
-				err = nil
+				if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
-				continue
+					err = nil
+					continue
+				}
+				return
 			}
 		}
 	}
@@ -547,7 +445,8 @@ func (c *capsFile) Full(which CapType) bool {
 	if (data[0] & 0xffffffff) != 0xffffffff {
 		return false
 	}
-	return (data[1] & capUpperMask) == capUpperMask
+	mask := capUpperMask()
+	return (data[1] & mask) == mask
 }
 
 func (c *capsFile) Set(which CapType, caps ...Cap) {

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/capability_noop.go

@@ -0,0 +1,26 @@
+// Copyright 2023 The Capability Authors.
+// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
+// All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !linux
+
+package capability
+
+import "errors"
+
+var errNotSup = errors.New("not supported")
+
+func newPid(_ int) (Capabilities, error) {
+	return nil, errNotSup
+}
+
+func newFile(_ string) (Capabilities, error) {
+	return nil, errNotSup
+}
+
+func lastCap() (Cap, error) {
+	return -1, errNotSup
+}

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/enum.go

@@ -1,11 +1,14 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
+// Copyright 2024 The Capability Authors.
+// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
 // All rights reserved.
 //
-// Use of this source code is governed by a BSD-style license that can be
+// Use of this source code is governed by a BSD-style
-// found in the LICENSE file.
+// license that can be found in the LICENSE file.
 
 package capability
 
+import "slices"
+
 type CapType uint
 
 func (c CapType) String() string {
@@ -301,9 +304,27 @@ const (
 	CAP_CHECKPOINT_RESTORE = Cap(40)
 )
 
-var (
+// List returns the list of all capabilities known to the package.
-	// Highest valid capability of the running kernel.
+//
-	CAP_LAST_CAP = Cap(63)
+// Deprecated: use [ListKnown] or [ListSupported] instead.
+func List() []Cap {
+	return ListKnown()
+}
 
-	capUpperMask = ^uint32(0)
+// ListKnown returns the list of all capabilities known to the package.
-)
+func ListKnown() []Cap {
+	return list()
+}
+
+// ListSupported retuns the list of all capabilities known to the package,
+// except those that are not supported by the currently running Linux kernel.
+func ListSupported() ([]Cap, error) {
+	last, err := LastCap()
+	if err != nil {
+		return nil, err
+	}
+	return slices.DeleteFunc(list(), func(c Cap) bool {
+		// Remove caps not supported by the kernel.
+		return c > last
+	}), nil
+}

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/enum_gen.go

@@ -1,4 +1,4 @@
-// generated file; DO NOT EDIT - use go generate in directory with source
+// Code generated by go generate; DO NOT EDIT.
 
 package capability
 
@@ -90,8 +90,7 @@ func (c Cap) String() string {
 	return "unknown"
 }
 
-// List returns list of all supported capabilities
+func list() []Cap {
-func List() []Cap {
 	return []Cap{
 		CAP_CHOWN,
 		CAP_DAC_OVERRIDE,

src/cmd/linuxkit/vendor/github.com/moby/sys/capability/syscall_linux.go

@@ -1,8 +1,9 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
+// Copyright 2024 The Capability Authors.
+// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
 // All rights reserved.
 //
-// Use of this source code is governed by a BSD-style license that can be
+// Use of this source code is governed by a BSD-style
-// found in the LICENSE file.
+// license that can be found in the LICENSE file.
 
 package capability
 
@@ -79,9 +80,7 @@ type vfscapData struct {
 	version   int8
 }
 
-var (
+var _vfsXattrName *byte
-	_vfsXattrName *byte
-)
 
 func init() {
 	_vfsXattrName, _ = syscall.BytePtrFromString(vfsXattrName)

src/cmd/linuxkit/vendor/github.com/syndtr/gocapability/capability/capability_noop.go

@@ -1,19 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// +build !linux
-
-package capability
-
-import "errors"
-
-func newPid(pid int) (Capabilities, error) {
-	return nil, errors.New("not supported")
-}
-
-func newFile(path string) (Capabilities, error) {
-	return nil, errors.New("not supported")
-}

src/cmd/linuxkit/vendor/modules.txt

@@ -511,6 +511,9 @@ github.com/moby/locker
 ## explicit; go 1.19
 github.com/moby/patternmatcher
 github.com/moby/patternmatcher/ignorefile
+# github.com/moby/sys/capability v0.3.0
+## explicit; go 1.21
+github.com/moby/sys/capability
 # github.com/moby/sys/signal v0.7.0
 ## explicit; go 1.16
 github.com/moby/sys/signal
@@ -622,9 +625,6 @@ github.com/stretchr/testify/require
 # github.com/surma/gocpio v1.0.2-0.20160926205914-fcb68777e7dc
 ## explicit
 github.com/surma/gocpio
-# github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
-## explicit
-github.com/syndtr/gocapability/capability
 # github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c
 ## explicit; go 1.20
 github.com/tonistiigi/fsutil