diff --git a/generate/generate.go b/generate/generate.go
index 900278f9f..64704bad1 100644
--- a/generate/generate.go
+++ b/generate/generate.go
@@ -1023,7 +1023,7 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > validate.LastCap() {
+			if g.HostSpecific && cap > capability.CAP_LAST_CAP {
 				continue
 			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
diff --git a/validate/validate.go b/validate/validate.go
index e2e820979..1d1563ad4 100644
--- a/validate/validate.go
+++ b/validate/validate.go
@@ -687,23 +687,28 @@ func (v *Validator) CheckAnnotations() (errs error) {
 	return
 }
 
-// CapValid checks whether a capability is valid
+// CapValid checks whether a capability is valid. This only really checks
+// anything with hostSpecific, otherwise we just ignore everything (because
+// capabilities are now free-form strings).
 func CapValid(c string, hostSpecific bool) error {
-	isValid := false
+	// Cannot speak to whether the capability makes sense.
+	if !hostSpecific {
+		return nil
+	}
 
+	isValid := false
 	if !strings.HasPrefix(c, "CAP_") {
 		return fmt.Errorf("capability %s must start with CAP_", c)
 	}
 	for _, cap := range capability.List() {
 		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-			if hostSpecific && cap > LastCap() {
+			if cap > capability.CAP_LAST_CAP {
 				return fmt.Errorf("%s is not supported on the current host", c)
 			}
 			isValid = true
 			break
 		}
 	}
-
 	if !isValid {
 		return fmt.Errorf("invalid capability: %s", c)
 	}
diff --git a/validate/validate_linux.go b/validate/validate_linux.go
index 8d452c209..1e8411b0d 100644
--- a/validate/validate_linux.go
+++ b/validate/validate_linux.go
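Review bot: The filter `cap > capability.CAP_LAST_CAP` only trims the privileged capability list to what the kernel supports when `capability.CAP_LAST_CAP` was actually read from the running host; the `LastCap` helper this line replaces carried a fallback for kernels without `/proc/sys/kernel/cap_last_cap` (where, judging by the removed `capability.Cap(63)` check, the library value is 63), and the capabilities `capability.List()` knows are presumably all below that, so on such hosts `HostSpecific` silently stops filtering and the generated config can grant capabilities the kernel does not implement. The same comparison is introduced in `CapValid` in validate/validate.go and has the same gap. If dropping that fallback is intended, the assumption should be stated next to the comparison, e.g. `// Relies on capability.CAP_LAST_CAP having been read from the running kernel; the library default makes this filter a no-op.` SetupPrivileged's body continues outside the hunk.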
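Review bot: With `LastCap` removed, `cap > capability.CAP_LAST_CAP` now also runs on the non-Linux build, where the deleted validate_unsupported.go stub returned `capability.Cap(-1)` and so reported every hostSpecific capability as unsupported; the comparison now uses whatever value the library initialises on that platform, so hostSpecific validation there presumably accepts capabilities that were previously rejected without any kernel having been consulted. If that is acceptable, the new doc comment should say so, e.g. `// The host check compares against capability.CAP_LAST_CAP, which only reflects the running kernel on Linux.` CapValid's closing `return nil` lies outside the hunk.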
@@ -10,8 +10,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/syndtr/gocapability/capability"
-
 	multierror "github.com/hashicorp/go-multierror"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
@@ -19,17 +17,6 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// LastCap return last cap of system
-func LastCap() capability.Cap {
-	last := capability.CAP_LAST_CAP
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-
-	return last
-}
-
 func deviceValid(d rspec.LinuxDevice) bool {
 	switch d.Type {
 	case "b", "c", "u":
diff --git a/validate/validate_unsupported.go b/validate/validate_unsupported.go
index f150c326c..08ac3df83 100644
--- a/validate/validate_unsupported.go
+++ b/validate/validate_unsupported.go
@@ -2,15 +2,6 @@
 
 package validate
 
-import (
-	"github.com/syndtr/gocapability/capability"
-)
-
-// LastCap return last cap of system
-func LastCap() capability.Cap {
-	return capability.Cap(-1)
-}
-
 // CheckLinux is a noop on this platform
 func (v *Validator) CheckLinux() (errs error) {
 	return nil