Other Linux Capability Go Packages
The "kernel.org/pub/linux/libs/security/libcap/cap" package was developed in 2019. AGM, at the time, was looking for an existing Go Linux Capability package, and found nothing that honored POSIX semantics and could be easily cross-compiled: specifically, nothing in pure Go with feature parity with libcap. That package debuted in libcap-2.28. But it, too, couldn't be easily cross-compiled, because it relied on libpsx (CGo) linkage. This started a quest to "fix Go", which succeeded when go1.16 was released in 2021.
The sole design goal for the ".../libcap/cap" package is to be a Go native implementation, fully equivalent to the C library libcap.
There are a number of Linux Capability Go packages out there, many in widespread use and evidently fit for their clients' needs, so to be fully transparent we maintain a table with handy links. We've (shamelessly) listed the libcap/cap one first, but the remainder are listed roughly in popularity order, as measured by their "Imported By" count on pkg.go.dev. (File a bug if you find a package we've missed, or one that doesn't appear on the pkg.go.dev site, and we'll add it to the table.)
Key for table:
nocgo: package supports being built without a CGo linkage requirement
File: package supports file capability manipulation
Process: package honors POSIX semantics by keeping the whole process (all threads) in sync with respect to its security state. For Go, this prevents unexpected execution quirks, since the Go runtime executes Go code interchangeably on different threads.
Thread: package can change privilege state on individual kernel threads.
Exec: package supports launching sub-programs with alternate capability states.
NS: package supports administration of file capabilities with non-default user namespaces.
P, I, E: recognize properties of Permitted, Inheritable and Effective capability Flags.
B: recognize properties of the Bounding vector.
A: recognize properties of the Ambient vector.
M: supports security modes.
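As an added example (not code from the libcap project or any package in the table), the following Go program checks the Process property from the key the way a test harness might: it parses the capability lines of /proc/<pid>/task/*/status and reports any field on which the kernel threads of a process disagree. It uses only the standard library, so it cross-compiles without CGo; the /proc layout it reads is Linux's, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// parseStatus pulls the hex capability bitmasks (CapInh, CapPrm, CapEff, CapBnd,
// CapAmb: the I, P, E, B and A of the key) out of one /proc status file's text.
func parseStatus(text string) map[string]uint64 {
	sets := map[string]uint64{}
	for _, line := range strings.Split(text, "\n") {
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 || !strings.HasPrefix(kv[0], "Cap") {
			continue // Name:, Uid:, NoNewPrivs: and friends are not capability lines
		}
		if v, err := strconv.ParseUint(strings.TrimSpace(kv[1]), 16, 64); err == nil {
			sets[kv[0]] = v
		}
	}
	return sets
}

// divergent names the capability fields on which the threads disagree; an empty
// result means every thread shares one security state, as POSIX semantics require.
func divergent(threads []map[string]uint64) (out []string) {
	for _, f := range []string{"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"} {
		for i := 1; i < len(threads); i++ {
			if threads[i][f] != threads[0][f] {
				out = append(out, f)
				break
			}
		}
	}
	return out
}

func main() {
	var threads []map[string]uint64
	paths, _ := filepath.Glob(fmt.Sprintf("/proc/%d/task/*/status", os.Getpid())) // Linux only
	for _, p := range paths {
		if b, err := os.ReadFile(p); err == nil { // a task may exit between Glob and the read
			threads = append(threads, parseStatus(string(b)))
		}
	}
	fmt.Printf("%d threads, divergent fields: %v\n", len(threads), divergent(threads))
}
```

Running it on a process whose threads had their capabilities changed individually (the Thread property in the key) lists the fields that drifted, which is exactly what a Process-honoring package is designed to prevent.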