Add support for setting capabilities on the app binary

[mejedi]

This patchset adds linux_capabilities under builds section in .ko.yaml. Ex:

builds:
- id: my-app
  dir: ./cmd
  main: ./myapp
  linux_capabilities: bpf perfmon net_admin

A bit of trivia on capabilities: unless running the app as root user, Docker's --cap-add alone is insufficient.
Requested capabilities are AND-combined with capabilities granted to the app binary (intentionally simplified, see man capabilities for the full discourse).

A running program has multiple sets of capabilities. The most important ones are effective (used by the kernel for permission checks) and permitted (a "stash" of capabilities an app can promote to effective). Likewise, file capabilities capture multiple sets of capabilities, permitted being the most important.

linux_capabilities: bpf perfmon net_admin

The config above sets permitted capabilities on the app binary to bpf, perfmon, and net_admin. When the app is launched, this set is AND-combined with capabilities requested via --cap-add and the result becomes the running app's permitted capabilities. The app should verify if it got all required capabilities and promote permitted capabilities to effective.

File capabilities have a bit that tells the kernel to automatically promote permitted to effective. The downside is that the program will fail to start with generic EPERM error if some capabilities weren't granted. In order to access this feature, and to make transition from Dockerfile easier, we also support the full setcap syntax in linux_capabilities, e.g.:

linux_capabilities: bpf,perfmon,net_admin=ep

Fixes #1246

[imjasonh]

This looks really good! Thanks for the exhaustive test cases, that makes reviewing this for correctness a lot easier.

Just a few code style things, nothing major.

[mejedi]

@imjasonh

Just a few code style things, nothing major.

Thank you for taking a look! I've implemented suggestions and fixed issues reported by linters.