Add SetCapabilities for setting capabilities to an exact set.

sandbox/linux/services/syscall_wrappers.h

Index: sandbox/linux/services/syscall_wrappers.h
diff --git a/sandbox/linux/services/syscall_wrappers.h b/sandbox/linux/services/syscall_wrappers.h
index 7f703e03b7bb6a2121d59ecdf4b5379d1086918c..28cc3a7de3f1e320f370e716a4ccb1f3f1fb4d82 100644
--- a/sandbox/linux/services/syscall_wrappers.h
+++ b/sandbox/linux/services/syscall_wrappers.h
@@ -5,12 +5,15 @@
 #ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
 #define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
 
+#include <stdint.h>
 #include <sys/types.h>
 
 #include "sandbox/sandbox_export.h"
 
 struct sock_fprog;
 struct rlimit64;
+struct cap_hdr;
+struct cap_data;
 
 namespace sandbox {
 
@@ -47,6 +50,12 @@ SANDBOX_EXPORT int sys_prlimit64(pid_t pid,
                                  const struct rlimit64* new_limit,
                                  struct rlimit64* old_limit);
 
+// Some libcs do not expose capget/capset wrappers. We want to use these
+// directly in order to avoid pulling in libcap2.
+SANDBOX_EXPORT int sys_capget(struct cap_hdr* hdrp, struct cap_data* datap);
+SANDBOX_EXPORT int sys_capset(struct cap_hdr* hdrp,
+                              const struct cap_data* datap);
+
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_