We cannot remove CAP_SYS_ADMIN, which basically makes removing all other
capabilities useless. Anyhow, still wouldn't hurt checking whether stuff
like CAP_KILL can be dropped from logind.
* given that logind now lets PID 1 do all nasty work, we can
probably reduce the capability set it retains substantially.
+ (we need CAP_SYS_ADMIN for drmSetMaster(), so maybe not worth it)
* btrfs raid assembly: some .device jobs stay stuck in the queue
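Review bot: The added parenthetical under the logind capability item reads as closing the item ("maybe not worth it"), while the commit message says it still wouldn't hurt to check whether capabilities like CAP_KILL can be dropped from logind. Consider wording the TODO line so the remaining action is stated, for example "(CAP_SYS_ADMIN is needed for drmSetMaster(), so the gain is limited; still check whether CAP_KILL and similar can be dropped)", or drop the item entirely if the conclusion is that it will not be pursued.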