pipeline: drop CAP_{NET_ADMIN,SYS_PTRACE} caps

Drop CAP_{NET_ADMIN,SYS_PTRACE} from the default capabilities which
are only needed to run bwrap from inside a stage which is done by
the `ostree.commit` and `ostree.preptree` stages, so retain them
directly there.

assemblers/org.osbuild.ostree.commit

@@ -29,6 +29,9 @@ from osbuild import api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "required": ["ref"],

osbuild/pipeline.py

@@ -29,7 +29,6 @@ DEFAULT_CAPABILITIES = {
     "CAP_MAC_ADMIN",
     "CAP_MAC_OVERRIDE",
     "CAP_MKNOD",
-    "CAP_NET_ADMIN",  # bwrap
     "CAP_NET_BIND_SERVICE",
     "CAP_SETFCAP",
     "CAP_SETGID",
@@ -38,7 +37,6 @@ DEFAULT_CAPABILITIES = {
     "CAP_SYS_ADMIN",
     "CAP_SYS_CHROOT",
     "CAP_SYS_NICE",
-    "CAP_SYS_PTRACE",  # bwrap
     "CAP_SYS_RESOURCE"
 }
 

stages/org.osbuild.ostree.commit

@@ -24,6 +24,9 @@ from osbuild import api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA_2 = """
 "options": {
   "additionalProperties": false,

stages/org.osbuild.ostree.preptree

@@ -43,6 +43,9 @@ from osbuild import api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "properties": {

stages/org.osbuild.rpm-ostree

@@ -39,6 +39,9 @@ import osbuild.api
 from osbuild.util import ostree
 
 
+CAPABILITIES = ["CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
+
+
 SCHEMA = """
 "additionalProperties": false,
 "properties": {