From 8fca0686056d394766afb1ea6a5a6f5ff55f635d Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot <buildbot@flatcar-linux.org>
Date: Mon, 13 Apr 2026 07:44:04 +0000
Subject: [PATCH] sys-libs/libcap-ng: Sync with Gentoo

It's from Gentoo commit 6be8b22b34aa20abbfa572d546c198f2769ff024.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
---
 .../sys-libs/libcap-ng/Manifest               |   1 +
 ...p-ng-0.9.3-audit-out-of-source-build.patch |  31 +++++
 .../sys-libs/libcap-ng/libcap-ng-0.9.3.ebuild | 116 ++++++++++++++++++
 .../sys-libs/libcap-ng/metadata.xml           |   9 ++
 4 files changed, 157 insertions(+)
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/files/libcap-ng-0.9.3-audit-out-of-source-build.patch
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/libcap-ng-0.9.3.ebuild

diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/Manifest
index f16d6aed05..9ca1185fb6 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/Manifest
@@ -1 +1,2 @@
 DIST libcap-ng-0.8.5.tar.gz 460149 BLAKE2B ce0fc4ebceaa66d6f888f8b752e501bed7513d45231425054340016a6215ce52f0cd81b3a4a54c7c9ec0b623965002d66316c6c37844f0bd132b186ff7c6a41f SHA512 89fb86454847f354c012411ecdc7e17f07bb40d7e9719ca0b93ea81c436113685bbbb5c1b9cb1b7ac92d216c105c687285304135beb156aedd55ab1c61e4f269
+DIST libcap-ng-0.9.3.tar.gz 126257 BLAKE2B 8050f69c91a8c5214d718d3ad750cf50db25690b9b8d59f37db32d33d5a0fe864afe8064ca4261f27f49f65064926c816a627a9c1c7a28e268a1a459409c59d8 SHA512 cbe6e322a6349dcd2b23833c4f66a173d5d8d36ccded782e79fa8b83a1a700da293e0a79a31408814f19cf788fd56726beb587f51314a92c135e05eb2e5a47e2
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/files/libcap-ng-0.9.3-audit-out-of-source-build.patch b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/files/libcap-ng-0.9.3-audit-out-of-source-build.patch
new file mode 100644
index 0000000000..a5eb90d310
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/files/libcap-ng-0.9.3-audit-out-of-source-build.patch
@@ -0,0 +1,31 @@
+https://github.com/stevegrubb/libcap-ng/pull/73
+
+From 704a4d311ccc8e34446e25bcb6afbd1541879d2c Mon Sep 17 00:00:00 2001
+Message-ID: <704a4d311ccc8e34446e25bcb6afbd1541879d2c.1775906446.git.sam@gentoo.org>
+From: Sam James <sam@gentoo.org>
+Date: Sat, 11 Apr 2026 12:18:39 +0100
+Subject: [PATCH] cap-audit: fix out-of-source builds
+
+With an out-of-source build, bpftool puts the generated vmlinux.h in
+the build directory, not the source directory, so we need to tell
+Clang where to find it.
+---
+ utils/cap-audit/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/cap-audit/Makefile.am b/utils/cap-audit/Makefile.am
+index dd2e403..3c04493 100644
+--- a/utils/cap-audit/Makefile.am
++++ b/utils/cap-audit/Makefile.am
+@@ -20,7 +20,7 @@
+ SUBDIRS = test
+ DIST_SUBDIRS = test
+ 
+-AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/src ${LIBBPF_CFLAGS} ${LIBAUDIT_CFLAGS}
++AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/src -I$(top_builddir)/utils/cap-audit ${LIBBPF_CFLAGS} ${LIBAUDIT_CFLAGS}
+ AM_CFLAGS = -W -Wall -Wshadow ${WFLAGS} -Wundef -D_GNU_SOURCE
+ 
+ if BUILD_CAP_AUDIT
+-- 
+2.53.0
+
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/libcap-ng-0.9.3.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/libcap-ng-0.9.3.ebuild
new file mode 100644
index 0000000000..aa23c3f94e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/libcap-ng-0.9.3.ebuild
@@ -0,0 +1,116 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Keep an eye on Fedora's packaging (https://src.fedoraproject.org/rpms/libcap-ng/tree/rawhide) for patches
+# Same maintainer in Fedora as upstream
+PYTHON_COMPAT=( python3_{11..14} )
+inherit autotools flag-o-matic out-of-source-utils python-r1
+
+DESCRIPTION="POSIX 1003.1e capabilities"
+HOMEPAGE="https://people.redhat.com/sgrubb/libcap-ng/"
+SRC_URI="https://github.com/stevegrubb/libcap-ng/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="bpf deprecated python static-libs"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+RDEPEND="
+	bpf? (
+		dev-libs/libbpf:=
+		sys-process/audit
+	)
+	python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+	${RDEPEND}
+	sys-kernel/linux-headers
+	bpf? ( dev-util/bpftool )
+"
+BDEPEND="
+	bpf? (
+		llvm-core/clang[llvm_targets_BPF(-)]
+		virtual/pkgconfig
+	)
+	python? ( >=dev-lang/swig-2 )
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-0.9.3-audit-out-of-source-build.patch
+)
+
+src_prepare() {
+	default
+
+	eautoreconf
+}
+
+src_configure() {
+	use sparc && replace-flags -O? -O0
+
+	local ECONF_SOURCE="${S}"
+
+	local myconf=(
+		$(use_enable bpf cap-audit)
+		$(use_enable deprecated)
+		$(use_enable static-libs static)
+		--with-capability_header="${ESYSROOT}"/usr/include/linux/capability.h
+	)
+
+	local pythonconf=(
+		--without-python3
+	)
+
+	# Set up python bindings build(s)
+	if use python ; then
+		setup_python_flags_configure() {
+			pythonconf=(
+				--with-python3
+			)
+
+			run_in_build_dir econf "${pythonconf[@]}" "${myconf[@]}"
+		}
+
+		python_foreach_impl setup_python_flags_configure
+	else
+		local BUILD_DIR="${WORKDIR}"/build
+		run_in_build_dir econf "${pythonconf[@]}" "${myconf[@]}"
+	fi
+}
+
+src_compile() {
+	if use python ; then
+		python_foreach_impl run_in_build_dir emake
+	else
+		local BUILD_DIR="${WORKDIR}"/build
+		emake -C "${BUILD_DIR}"
+	fi
+}
+
+src_test() {
+	if [[ "${EUID}" -eq 0 ]] ; then
+		ewarn "Skipping tests due to root permissions."
+		return
+	fi
+
+	if use python ; then
+		python_foreach_impl run_in_build_dir emake check
+	else
+		local BUILD_DIR="${WORKDIR}"/build
+		emake -C "${BUILD_DIR}" check
+	fi
+}
+
+src_install() {
+	if use python ; then
+		python_foreach_impl run_in_build_dir emake DESTDIR="${D}" install
+	else
+		local BUILD_DIR="${WORKDIR}"/build
+		emake -C "${BUILD_DIR}" DESTDIR="${D}" install
+	fi
+
+	find "${ED}" -name '*.la' -delete || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/metadata.xml
index d321b5cf88..872220c101 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libcap-ng/metadata.xml
@@ -11,6 +11,15 @@
 	utilities that can analyse all currently running applications and print
 	out any capabilities and whether or not it has an open ended bounding set.
 	</longdescription>
+	<use>
+		<flag name="bpf">
+		Install cap-audit utility which uses the extended Berkeley
+		Packet Filter (eBPF).
+		</flag>
+		<flag name="deprecated">
+		Install deprecated captest utility.
+		</flag>
+	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:libcap-ng_project:libcap-ng</remote-id>
 		<remote-id type="github">stevegrubb/libcap-ng</remote-id>