Fixing CAP_SETPCAP

Err... ObOnTopic: Building a system like I describe is much easier given the existence of
CAP_SYS_CHROOT.  (Though another option would be to eliminate the root dir entirely by
chrooting everything to a designated unreadable/unwriteable/empty directory, and just using
openat() etc all the time.  ...Too bad there's no execat().)