fix: Drop additional capabilities in the reloader.

Bug: NA
Change-Id: Id0fe14c38b28e9ce3c459ba22031da63cd928b58
GitOrigin-RevId: 35e430df40018c721f1b335d667d7fe0721d5c79

Author: Privacy Sandbox Team

src/roma/byob/container/run_workers.cc

@@ -306,6 +306,11 @@ int ReloaderImpl(void* arg) {
        GetSourcesAndTargets(reloader_impl_arg.mounts)) {
     sources_and_targets_read_only.push_back({target, target});
   }
+  CHECK_OK(SetPrctlOptions({{PR_CAPBSET_DROP, CAP_SYS_BOOT},
+                            {PR_CAPBSET_DROP, CAP_SYS_MODULE},
+                            {PR_CAPBSET_DROP, CAP_SYS_RAWIO},
+                            {PR_CAPBSET_DROP, CAP_MKNOD},
+                            {PR_CAPBSET_DROP, CAP_NET_ADMIN}}));
   while (true) {
     // Start a new worker.
     const std::string execution_token = GenerateUuid();