Default behaviour of `--cap-drop`

[cgzones]

The documentation of --cap-drop states:

By default no caps are left in the sandboxed process.

That seems not to be true:

id
uid=0(root) gid=0(root) groups=0(root)

getpcaps $$
14257: =ep

bwrap --bind / / sh -c 'getpcaps $$'
15598: =ep

bwrap --bind / / --cap-drop ALL sh -c 'getpcaps $$'
15577: =

[smcv]

This might be related to #122 and #123.

[rusty-snake]

Similiar: #287