Closed
Labels
area/builder/buildkit, kind/bug, kind/regression, status/0-triage, version/23.0
Description
COPY --link --from=0 / /usr/bin/ breaks the file capability of /usr/bin/newuidmap.
A regression in v23.
Apparently fixed in the master branch.
(Just tested ad9d70b)
Reproduce
# syntax = docker/dockerfile:1.5.2
# This Dockerfile mimics the Dockerfile for moby/buildkit:v0.11.4-rootless
# https://github.com/moby/buildkit/blob/v0.11.4/Dockerfile#L263-L281
FROM scratch
ADD Dockerfile /dummy
FROM alpine:3.17
RUN apk add shadow-uidmap libcap-utils
COPY --link --from=0 / /usr/bin/
CMD ["getcap", "/usr/bin/newuidmap"]
# Test: `export DOCKER_BUILDKIT=1; docker build -t foo . && docker run --rm foo`
# Good result: "/usr/bin/newuidmap cap_setuid=ep" (v20.10.23, master@ad9d70b0e6833b746eecccc08a17459ba8bb31c4)
# Bad result: "" (v23.0.1)
Expected behavior
v23 should show /usr/bin/newuidmap cap_setuid=ep
docker version
Client: Docker Engine - Community
Version: 23.0.1
API version: 1.42
Go version: go1.19.5
Git commit: a5ee5b1
Built: Thu Feb 9 19:47:01 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 23.0.1
API version: 1.42 (minimum version 1.12)
Go version: go1.19.5
Git commit: bc3805a
Built: Thu Feb 9 19:47:01 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.18
GitCommit: 2456e983eb9e37e47538f59ea18f2043c9a73640
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.10.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.16.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
scan: Docker Scan (Docker Inc.)
Version: v0.23.0
Path: /usr/libexec/docker/cli-plugins/docker-scan
Server:
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 6
Server Version: 23.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2456e983eb9e37e47538f59ea18f2043c9a73640
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.15.0-60-generic
Operating System: Ubuntu 22.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.826GiB
Name: lima-docker-rootful
ID: 2e80009b-39d0-4ee8-b863-6b451b41ee1e
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional Info
No response
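An added check, not part of the original report or of Docker's code: file capabilities are stored in the `security.capability` extended attribute, so a dropped attribute is what makes `getcap` print nothing. This Python example decodes that attribute into a simplified getcap-style line and lists paths whose capability no longer matches a baseline; the `GOOD` bytes, the `EXPECTED` baseline and all function names are constructed for illustration.

```python
import struct

# Capability names indexed by bit number (from linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()
EFFECTIVE = 0x000001  # VFS_CAP_FLAGS_EFFECTIVE
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # revision -> u32 pairs

def decode_vfs_cap(raw):
    """Decode a raw security.capability value into {cap_name: flags}."""
    magic = int.from_bytes(raw[:4], "little")
    pairs = PAIRS.get(magic & 0xFF000000)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    caps = {}
    for bit, name in enumerate(CAP_NAMES):
        p, inh = permitted >> bit & 1, inheritable >> bit & 1
        if p or inh:
            eff = "e" if magic & EFFECTIVE else ""
            caps[name] = eff + ("i" if inh else "") + ("p" if p else "")
    return caps

def getcap_line(path, raw):
    """Simplified getcap-style line; '' when the xattr is absent (raw is None)."""
    if raw is None:
        return ""
    groups = {}
    for name, flags in decode_vfs_cap(raw).items():
        groups.setdefault(flags, []).append("cap_" + name)
    text = " ".join(",".join(n) + "=" + f for f, n in groups.items())
    return f"{path} {text}".rstrip()

def lost_capabilities(expected, observed):
    """Paths whose observed xattr no longer yields the expected line."""
    return [p for p, want in expected.items() if getcap_line(p, observed.get(p)) != want]

# Constructed sample: revision 2, effective flag set, permitted = bit 7 (setuid).
GOOD = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)
EXPECTED = {"/usr/bin/newuidmap": "/usr/bin/newuidmap cap_setuid=ep"}
```

On a live filesystem the raw value comes from `os.getxattr(path, "security.capability")`, which raises `OSError` when the attribute is absent.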