opencontainers
diff --git a/‎cmd/runtimetest/main.go‎
Lines changed: 5 additions & 10 deletions b/‎cmd/runtimetest/main.go‎
Lines changed: 5 additions & 10 deletions
diff --git a/‎generate/generate.go‎
Lines changed: 6 additions & 5 deletions b/‎generate/generate.go‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎validate/capabilities/lastcap.go‎
Lines changed: 16 additions & 0 deletions b/‎validate/capabilities/lastcap.go‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎validate/capabilities/validate.go‎
Lines changed: 28 additions & 14 deletions b/‎validate/capabilities/validate.go‎
Lines changed: 28 additions & 14 deletions
diff --git a/‎validate/capabilities/validate_linux.go‎
Lines changed: 0 additions & 16 deletions b/‎validate/capabilities/validate_linux.go‎
Lines changed: 0 additions & 16 deletions
diff --git a/‎validate/capabilities/validate_unsupported.go‎
Lines changed: 0 additions & 13 deletions b/‎validate/capabilities/validate_unsupported.go‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎validate/validate.go‎
Lines changed: 5 additions & 0 deletions b/‎validate/validate.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎validate/validate_linux.go‎
Lines changed: 0 additions & 6 deletions b/‎validate/validate_linux.go‎
Lines changed: 0 additions & 6 deletions
@@ -15,9 +15,9 @@ import (
 	"syscall"
 
 	"github.com/mndrix/tap-go"
+	"github.com/moby/sys/capability"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 	"github.com/urfave/cli"
 
 	"github.com/opencontainers/runtime-tools/cmd/runtimetest/mount"
@@ -265,10 +265,9 @@ func (c *complianceTester) validateCapabilities(spec *rspec.Spec) error {
 		return nil
 	}
 
-	last := capability.CAP_LAST_CAP
-	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
+	supportedCaps, err := capability.ListSupported()
+	if err != nil {
+		return err
 	}
 
 	processCaps, err := capability.NewPid2(0)
@@ -309,11 +308,7 @@ func (c *complianceTester) validateCapabilities(spec *rspec.Spec) error {
 			expectedCaps[ec] = true
 		}
 
-		for _, cap := range capability.List() {
-			if cap > last {
-				continue
-			}
-
+		for _, cap := range supportedCaps {
 			capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
 			expectedSet := expectedCaps[capKey]
 			actuallySet := processCaps.Get(capType.capType, cap)
 
@@ -8,10 +8,10 @@ import (
 	"os"
 	"strings"
 
+	"github.com/moby/sys/capability"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
 	capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
-	"github.com/syndtr/gocapability/capability"
 )
 
 var (
@@ -1135,10 +1135,11 @@ func (g *Generator) ClearMounts() {
 func (g *Generator) SetupPrivileged(privileged bool) {
 	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
-		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > capsCheck.LastCap() {
-				continue
-			}
+		capList := capability.ListKnown()
+		if g.HostSpecific {
+			capList, _ = capability.ListSupported()
+		}
+		for _, cap := range capList {
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
 		}
 		g.initConfigLinux()
 
@@ -1,18 +1,18 @@
 module github.com/opencontainers/runtime-tools
 
-go 1.19
+go 1.21
 
 require (
 	github.com/blang/semver/v4 v4.0.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b
+	github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478
 	github.com/mrunalp/fileutils v0.5.0
 	github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb
 	github.com/opencontainers/selinux v1.9.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.3.0
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	github.com/urfave/cli v1.19.1
 	github.com/xeipuuv/gojsonschema v1.2.0
 	golang.org/x/sys v0.1.0
 
@@ -11,6 +11,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b h1:Ga1nclDSe8gOw37MVLMhfu2QKWtD6gvtQ298zsKVh8g=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
+github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478 h1:L1of2hA2QHy7I07JaRddpvaDL6D72xYzRLkJp8OibzA=
+github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb h1:1xSVPOd7/UA+39/hXEGnBJ13p6JFB0E1EvQFlrRDOXI=
@@ -25,8 +27,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/urfave/cli v1.19.1 h1:0mKm4ZoB74PxYmZVua162y1dGt1qc10MyymYRBf3lb8=
 github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 
@@ -0,0 +1,16 @@
+package capabilities
+
+import (
+	"github.com/moby/sys/capability"
+)
+
+// LastCap return last cap of system
+//
+// Deprecated: use github.com/moby/sys/capability.LastCap instead.
+func LastCap() capability.Cap {
+	last, err := capability.LastCap()
+	if err != nil {
+		return -1
+	}
+	return last
+}
@@ -3,29 +3,43 @@ package capabilities
 import (
 	"fmt"
 	"strings"
+	"sync"
 
-	"github.com/syndtr/gocapability/capability"
+	"github.com/moby/sys/capability"
 )
 
-// CapValid checks whether a capability is valid
+// CapValid checks whether a capability is valid. If hostSpecific is set,
+// it also checks that the capability is supported on the current host.
 func CapValid(c string, hostSpecific bool) error {
-	isValid := false
-
 	if !strings.HasPrefix(c, "CAP_") {
 		return fmt.Errorf("capability %s must start with CAP_", c)
 	}
-	for _, cap := range capability.List() {
-		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-			if hostSpecific && cap > LastCap() {
-				return fmt.Errorf("%s is not supported on the current host", c)
-			}
-			isValid = true
-			break
-		}
-	}
 
-	if !isValid {
+	if _, ok := knownCaps()[c]; !ok {
 		return fmt.Errorf("invalid capability: %s", c)
 	}
+	if !hostSpecific {
+		return nil
+	}
+	if _, ok := supportedCaps()[c]; !ok {
+		return fmt.Errorf("%s is not supported on the current host", c)
+	}
 	return nil
 }
+
+func capSet(list []capability.Cap) map[string]struct{} {
+	m := make(map[string]struct{}, len(list))
+	for _, c := range list {
+		m["CAP_"+strings.ToUpper(c.String())] = struct{}{}
+	}
+	return m
+}
+
+var knownCaps = sync.OnceValue(func() map[string]struct{} {
+	return capSet(capability.ListKnown())
+})
+
+var supportedCaps = sync.OnceValue(func() map[string]struct{} {
+	list, _ := capability.ListSupported()
+	return capSet(list)
+})
@@ -692,6 +692,11 @@ func CapValid(c string, hostSpecific bool) error {
 	return capsCheck.CapValid(c, hostSpecific)
 }
 
+// LastCap return last cap of system
+//
+// Deprecated: use github.com/moby/sys/capability.LastCap directly.
+var LastCap = capsCheck.LastCap
+
 func envValid(env string) bool {
 	items := strings.Split(env, "=")
 	if len(items) < 2 {
 
@@ -15,16 +15,10 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
-	capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
-// LastCap return last cap of system
-//
-// Deprecated: use github.com/opencontainers/runtime-tools/validate/capabilities.LastCap directly.
-var LastCap = capsCheck.LastCap
-
 func deviceValid(d rspec.LinuxDevice) bool {
 	switch d.Type {
 	case "b", "c", "u":