From ddfcc51b913a70da48102f64e18b34579dc3611c Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 7 Jul 2025 13:47:05 +0900
Subject: [PATCH] container: move capset implementation

Signed-off-by: Ophestra
---
 container/capability.go | 45 +++++++++++++++++++++++++++++++++++++++++
 container/syscall.go | 42 --------------------------------------
 2 files changed, 45 insertions(+), 42 deletions(-)
 create mode 100644 container/capability.go

diff --git a/container/capability.go b/container/capability.go
new file mode 100644
index 0000000..7c36ce9
--- /dev/null
+++ b/container/capability.go
@@ -0,0 +1,45 @@
+package container
+
+import (
+ "syscall"
+ "unsafe"
+)
+
+const (
+ _LINUX_CAPABILITY_VERSION_3 = 0x20080522
+
+ PR_CAP_AMBIENT = 0x2f
+ PR_CAP_AMBIENT_RAISE = 0x2
+ PR_CAP_AMBIENT_CLEAR_ALL = 0x4
+
+ CAP_SYS_ADMIN = 0x15
+ CAP_SETPCAP = 0x8
+)
+
+type (
+ capHeader struct {
+ version uint32
+ pid int32
+ }
+
+ capData struct {
+ effective uint32
+ permitted uint32
+ inheritable uint32
+ }
+)
+
+// See CAP_TO_INDEX in linux/capability.h:
+func capToIndex(cap uintptr) uintptr { return cap >> 5 }
+
+// See CAP_TO_MASK in linux/capability.h:
+func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
+
+func capset(hdrp *capHeader, datap *[2]capData) error {
+ if _, _, errno := syscall.Syscall(syscall.SYS_CAPSET,
+ uintptr(unsafe.Pointer(hdrp)),
+ uintptr(unsafe.Pointer(&datap[0])), 0); errno != 0 {
+ return errno
+ }
+ return nil
+}
diff --git a/container/syscall.go b/container/syscall.go
index c30aa8f..075da89 100644
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -2,12 +2,6 @@ package container
 
 import (
 "syscall"
- "unsafe"
-)
-
-const (
- CAP_SYS_ADMIN = 0x15
- CAP_SETPCAP = 0x8
 )
 
 const (
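Review bot: `capset` in the new container/capability.go has no doc comment, and the one property a caller has to know is not written down: capset(2) changes the capability sets of the calling OS thread only, while a goroutine can be rescheduled onto another thread. I would add above the function `// capset sets the capability sets of the calling OS thread via capset(2); a caller that depends on the result (e.g. before exec) must stay on that thread with runtime.LockOSThread.` The callers are not part of this patch, so whether they already pin the thread cannot be confirmed from here. `capHeader` and `capData` would also benefit from one line saying that they mirror the kernel's `__user_cap_header_struct` and `__user_cap_data_struct` and that `_LINUX_CAPABILITY_VERSION_3` requires the two-element array, since their layout is kernel ABI and must not be reordered.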
@@ -24,42 +18,6 @@ func SetDumpable(dumpable uintptr) error {
 return nil
 }
 
-const (
- _LINUX_CAPABILITY_VERSION_3 = 0x20080522
-
- PR_CAP_AMBIENT = 0x2f
- PR_CAP_AMBIENT_RAISE = 0x2
- PR_CAP_AMBIENT_CLEAR_ALL = 0x4
-)
-
-type (
- capHeader struct {
- version uint32
- pid int32
- }
-
- capData struct {
- effective uint32
- permitted uint32
- inheritable uint32
- }
-)
-
-// See CAP_TO_INDEX in linux/capability.h:
-func capToIndex(cap uintptr) uintptr { return cap >> 5 }
-
-// See CAP_TO_MASK in linux/capability.h:
-func capToMask(cap uintptr) uint32 { return 1 << uint(cap&31) }
-
-func capset(hdrp *capHeader, datap *[2]capData) error {
- if _, _, errno := syscall.Syscall(syscall.SYS_CAPSET,
- uintptr(unsafe.Pointer(hdrp)),
- uintptr(unsafe.Pointer(&datap[0])), 0); errno != 0 {
- return errno
- }
- return nil
-}
-
 // IgnoringEINTR makes a function call and repeats it if it returns an
 // EINTR error. This appears to be required even though we install all
 // signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.