[PATCH 07/34] capability: handle idmapped mounts