TODO drop caps

`SYS_ADMIN` currently required to work around:
```
(EE) modeset(0): drmSetMaster failed: Permission denied
Fatal server error:
(EE) AddScreen/ScreenInit failed for driver 0
```
caused by
```
ioctl(10, DRM_IOCTL_SET_MASTER, 0) = -1 EACCES (Permission denied)
```

```sh
sudo docker build -t xorg-test .
sudo docker run --rm -it \
    --device /dev/tty0 --device /dev/tty2 --group-add $(stat --format=%g /dev/tty0) \
    --device /dev/dri --group-add $(stat --format=%g /dev/dri/card0) \
    --device /dev/input/event1 --group-add $(stat --format=%g /dev/input/event1) \
    --userns host --cap-add SYS_ADMIN --security-opt no-new-privileges \
     xorg-test
```