diff --git a/sandbox/syscall.go b/sandbox/syscall.go
index a92fa17..7ddb513 100644
--- a/sandbox/syscall.go
+++ b/sandbox/syscall.go
@@ -1,17 +1,16 @@
 package sandbox
-import "syscall"
+import (
+ "syscall"
+ "unsafe"
+)
 const (
 O_PATH = 0x200000
 PR_SET_NO_NEW_PRIVS = 0x26
- PR_CAP_AMBIENT = 47
- PR_CAP_AMBIENT_CLEAR_ALL = 4
- CAP_SYS_ADMIN = 0x15
- CAP_SETPCAP = 8
 )
 const (
@@ -28,6 +27,37 @@ func SetDumpable(dumpable uintptr) error {
 return nil
 }
+const (
+ _LINUX_CAPABILITY_VERSION_3 = 0x20080522
+ PR_CAP_AMBIENT = 47
+ PR_CAP_AMBIENT_CLEAR_ALL = 4
+ CAP_SETPCAP = 8
+)
+type (
+ capHeader struct {
+ version uint32
+ pid int32
+ }
+ capData struct {
+ effective uint32
+ permitted uint32
+ inheritable uint32
+ }
+)
+func capset(hdrp *capHeader, datap *[2]capData) error {
+ if _, _, errno := syscall.Syscall(syscall.SYS_CAPSET,
+ uintptr(unsafe.Pointer(hdrp)),
+ uintptr(unsafe.Pointer(&datap[0])), 0); errno != 0 {
+ return errno
+ }
+ return nil
+}
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
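Review bot: capset in the second hunk has no doc comment, and nothing records that the two-element datap only matches what the kernel reads when hdrp.version is _LINUX_CAPABILITY_VERSION_3 (which is what the newly added constant exists for); I'd add `// capset performs the capset(2) system call with the given header and data. The caller must set hdrp.version to _LINUX_CAPABILITY_VERSION_3, the kernel ABI for which datap is a [2]capData; hdrp.pid is 0 for the calling thread.` The same comment should state that capset(2) changes the capabilities of the calling thread only, so a sandbox relying on it needs to be on a thread locked with runtime.LockOSThread (or to call it before any other thread exists) or the other Go threads keep the capabilities being dropped; the caller is not in this diff, so presumably it already does this, but the function is the right place to say so. Minor: the first hunk removes CAP_SYS_ADMIN without reintroducing it in the new const block, which is only fine if nothing else in the package references it.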