`bst-here` capabilities are too narrow
Currently bst-here runs docker with only CAP_SYS_ADMIN, although bwrap also explicitly requires CAP_SYS_CHROOT, CAP_NET_ADMIN, CAP_SETUID and CAP_SETGID for various purposes. Adding these capabilities does not seem to be enough, however; presumably there are some capabilities bwrap needs that it does not check for explicitly.
This causes errors when bwrap attempts to mount system directories. A test case that mimics what buildstream runs internally is, for example:
```
/src> bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc /bin/bash
Can't mount proc on /newroot/proc: Operation not permitted
```
When running docker with --privileged, this is not an issue, since all capabilities are granted. We should find the capabilities that are required beyond the above and change the script to provide them.
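The following is an added example, not code from bst-here or the BuildStream project. It turns the test case above into a bisection script: it runs the bwrap command inside docker starting from no capabilities, adds the ones bwrap documents one at a time, and then relaxes the other restrictions that --privileged lifts. Two of those are easy to overlook when only capabilities are being considered: Docker masks several /proc paths inside the container (for example /proc/kcore and /proc/keys), and the kernel refuses to mount a fresh procfs in a user namespace while the existing /proc is not fully visible, which yields an "Operation not permitted" like the one above even with every capability granted; and the default seccomp and AppArmor profiles restrict mount and unshare independently of capabilities. IMAGE is an assumption (any image with bwrap installed), the systempaths option needs Docker 20.10 or later, and /bin/true replaces the interactive shell so the probe is non-interactive.

```shell
#!/bin/sh
# Added example (not part of bst-here or BuildStream): bisect which docker
# settings let the bwrap test from the issue run. IMAGE is an assumption:
# any image that has bwrap installed.

IMAGE="${IMAGE:-buildstream/buildstream:latest}"

# The issue's bwrap invocation, with /bin/true instead of an interactive shell.
BWRAP_TEST="bwrap --ro-bind / / --unshare-user --unshare-pid --proc /proc /bin/true"

# Build a docker command line: start from no capabilities, add the given ones,
# append any extra docker options, then the image and the bwrap test.
build_probe_cmd() {
    caps="$1"
    extra="$2"
    cmd="docker run --rm --cap-drop=ALL"
    for c in $caps; do
        cmd="$cmd --cap-add=$c"
    done
    if [ -n "$extra" ]; then
        cmd="$cmd $extra"
    fi
    printf '%s\n' "$cmd $IMAGE $BWRAP_TEST"
}

# Run one probe (needs a docker daemon); prints "ok" if bwrap succeeded, else "fail".
run_probe() {
    cmd=$(build_probe_cmd "$1" "$2")
    if sh -c "$cmd" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Add the capabilities bwrap documents one at a time, then relax the other
# restrictions that --privileged would lift, so each factor is tested separately.
probe_all() {
    acc=""
    for c in SYS_ADMIN SYS_CHROOT NET_ADMIN SETUID SETGID; do
        acc="$acc $c"
        printf '%-72s %s\n' "caps:$acc" "$(run_probe "$acc" "")"
    done
    # Docker masks parts of /proc (e.g. /proc/kcore, /proc/keys); the kernel refuses
    # a new procfs mount in a user namespace unless the existing one is fully visible.
    printf '%-72s %s\n' "caps:$acc + systempaths=unconfined" \
        "$(run_probe "$acc" "--security-opt systempaths=unconfined")"
    # The default seccomp and AppArmor profiles also restrict mount/unshare.
    printf '%-72s %s\n' "caps:$acc + systempaths/apparmor/seccomp unconfined" \
        "$(run_probe "$acc" "--security-opt systempaths=unconfined --security-opt apparmor=unconfined --security-opt seccomp=unconfined")"
}

# Uncomment to run against a real docker daemon:
# probe_all
```

Each row that flips from "fail" to "ok" names the setting bst-here is missing; whatever is still required after the capability ladder is something --privileged was silently providing beyond capabilities, and it is better to grant that one setting explicitly than to fall back to --privileged.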