CAP_SYS_ADMIN: the new root

That might help but I'd be afraid that it opens another attack surface. A virtual capability may appear safe, but mapping it to a real capability could cause rather nonobvious holes to appear. Especially if multiple virtual capabilities get mapped into a single real one.