libcontainer: Use gocapability's NewPid2

libcontainer/capabilities_linux.go

@@ -71,7 +71,7 @@ func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilitie
 		}
 		ambient = append(ambient, v)
 	}
-	pid, err := capability.NewPid(0)
+	pid, err := capability.NewPid2(0)
 	if err != nil {
 		return nil, err
 	}

libcontainer/container_linux.go

@@ -1804,10 +1804,14 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 			// The following only applies if we are root.
 			if !c.config.Rootless {
 				// check if we have CAP_SETGID to setgroup properly
-				pid, err := capability.NewPid(0)
+				pid, err := capability.NewPid2(0)
 				if err != nil {
 					return nil, err
 				}
+				err = pid.Load()
+				if err != nil && !os.IsNotExist(err) {
+					return nil, err
+				}
 				if !pid.Get(capability.EFFECTIVE, capability.CAP_SETGID) {
 					r.AddData(&Boolmsg{
 						Type:  SetgroupAttr,

vendor.conf

@@ -7,7 +7,7 @@ github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
 github.com/opencontainers/selinux v1.0.0-rc1
 github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
 github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
-github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
+github.com/syndtr/gocapability 33e07d32887e1e06b7c025f27ce52f62c7990bc0
 github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270
 # systemd integration.
 github.com/coreos/go-systemd v14