Description
The Arch Linux container images from images.linuxcontainers.org are missing security.capability extended attributes on newuidmap and newgidmap (from the shadow package).
On Arch, these binaries rely on file capabilities (cap_setuid=ep / cap_setgid=ep) rather than the setuid bit (which is what Ubuntu uses). Without them, rootless Podman/Docker inside the container fails:
$ podman run hello-world
ERRO[0000] running `/usr/bin/newuidmap 1514 0 1000 1 1 100000 65536`: newuidmap: Could not set caps
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
Reinstalling the shadow package inside the container restores the capabilities and fixes the issue:
$ pacman -S --noconfirm shadow
$ getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/newgidmap cap_setgid=ep
This looks similar to #381, where distrobuilder's rsync fallback was missing --xattrs. That was fixed in lxc/distrobuilder#531, but it seems the Arch Linux images are still affected.
Tested with the current images:archlinux image (Archlinux current amd64 (20260126_04:18)).
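The check the report performs by hand (setuid bit or a file capability on each ID-mapping helper) can be scripted so an image is verified before rootless Podman is attempted inside it. The following is an added example, not code from the issue, from distrobuilder or from the shadow package; it assumes getcap from libcap is installed and accepts both the current "path cap_setuid=ep" output and the older "path = cap_setuid+ep" layout.

```shell
#!/bin/sh
# Added example: verify that newuidmap/newgidmap can raise privileges,
# either via the setuid bit (Ubuntu style) or via file capabilities
# (Arch style: cap_setuid / cap_setgid). Exit status is nonzero when
# a helper has neither, which is the failure mode the issue describes.

# cap_line_grants <getcap output line> <capability name>
# Returns 0 when the getcap line grants the capability as permitted and
# effective. libcap >= 2.41 prints "path cap_setuid=ep"; older releases
# print "path = cap_setuid+ep". Both forms are matched.
cap_line_grants() {
  line=$1
  cap=$2
  case "$line" in
    *"$cap=ep"*|*"$cap=eip"*|*"$cap+ep"*|*"$cap+eip"*) return 0 ;;
  esac
  return 1
}

# check_idmap_binary <path> <capability name>
# Prints a one-line verdict and returns 0 when the binary is usable by
# rootless container runtimes, 1 when the setuid bit and the file
# capability are both missing (or the file does not exist).
check_idmap_binary() {
  bin=$1
  cap=$2
  if [ -u "$bin" ]; then
    echo "$bin: ok (setuid bit)"
    return 0
  fi
  if command -v getcap >/dev/null 2>&1; then
    if cap_line_grants "$(getcap "$bin" 2>/dev/null)" "$cap"; then
      echo "$bin: ok (file capability $cap)"
      return 0
    fi
  fi
  echo "$bin: MISSING setuid bit and $cap file capability"
  return 1
}

# check_idmap_helpers: runs the check over both helpers from the shadow
# package and returns nonzero if either one is unusable.
check_idmap_helpers() {
  rc=0
  check_idmap_binary /usr/bin/newuidmap cap_setuid || rc=1
  check_idmap_binary /usr/bin/newgidmap cap_setgid || rc=1
  return $rc
}

# Usage (inside the container under test):
#   sh check-idmap.sh && podman run hello-world
# A failing result is the signal to reinstall shadow, as the issue notes.
if [ "${0##*/}" = "check-idmap.sh" ]; then
  check_idmap_helpers
fi
```

The capability check is kept separate from the lookup so the parser can be exercised against captured getcap lines; on a system where getcap is absent the script falls back to reporting only the setuid bit, which is all the error message from newuidmap itself distinguishes.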