Title

Make melange provide way to declare the Linux capabilities to be added to the build process.

Short Description of Issue/Improvement Need

We have different packages in Wolfi that need to be run with additional capabilities on top of the ones set by the runners. For instance, there are cases where a CAP_DAC_OVERRIDE is needed in the build process, but without being explicated. So when trying running that unprivileged it would fail.

Having a possibility to specify the capabilities added in the Melange pipeline manifest, would make that explicit and help on both:

• security: allowing to apply least privilege
• efficiency and reproducibility: we wouldn't need to run pipelines with different user and capabilty sets to reproduce the same result, and in the end, also saving time during debugging.

Even with QEMU runner, this would help on reproducibility side.

Impact of issue

There's no big impact now. We know the situation in advance and we circumvent it by using sudo.

Steps to Reproduce

I remember a package needed to override dac, unfortunately I don't remember which. postfix should be a valid example:

1. Set environment.accounts.run-as=0 in the postfix pipeline.
2. It will fail even when running as root without capabilities. Running the same with sudo melange it will build with success instead.

Suggested Fix

Introduce an API in the Melange pipeline manifest to set capabilities to be added to the build and test processes. Map them with the related runner.