Drop ambient capabilities when running bwrap

Having ambient capabilties causes bwrap to error on start [1]
unless the bwrap executable also has the setuid bit set or is run as
root.

This can cause issues in openshift or podman unless ambient
capabilities are dropped [2].

[1] - bae85baf72/bubblewrap.c (L742)
[2] - https://github.com/containers/bubblewrap/issues/380

Change-Id: I15455fb400448d7672638f911d6cf045fa683a9b

bindep.txt

@@ -61,3 +61,6 @@ coreutils [platform:apk]
 openafs-krb5 [platform:debian]
 openafs-client [platform:debian]
 krb5-user [platform:debian]
+setpriv [platform:ubuntu-bionic]
+util-linux [platform:apt platform:rpm platform:apk !platform:ubuntu-bionic]
+

zuul/driver/bubblewrap/__init__.py

@@ -172,6 +172,9 @@ class BubblewrapDriver(Driver, WrapperInterface):
 
     def _bwrap_command(self):
         bwrap_command = [
+            'setpriv',
+            '--ambient-caps',
+            '-all',
             'bwrap',
             '--dir', '/tmp',
             '--tmpfs', '/tmp',