When running unprivileged, virSetUIDGIDWithCaps will fail because it
tries to add the requested capabilities to the permitted and effective
sets.

Detect this case, and invoke the child with cleared permitted and
effective sets.  If it is a setuid program, it will get them.

Some care is needed also because you cannot drop capabilities from the
bounding set without CAP_SETPCAP.  Because of that, ignore errors from
setting the bounding set.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>