socat
Mark `socat` with CAP_NET_BIND_SERVICE capability
Allow socat to bind to privileged ports inside of the container when run as a user process.
Example command-line: `docker run --rm --user "2004" --cap-add NET_BIND_SERVICE socat tcp6-listen:443,fork tcp4:mail:443`
If `--cap-add NET_BIND_SERVICE` is not set, then this change does nothing.
I guess the documentation should also be updated to recommend this by default, since privilege dropping is always good.
This change shouldn't be baked into the image. It should be up to the user to add the right capabilities to their container.
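
One way to check whether a file capability on a binary can take effect for a non-root process, as an added example that is not code from this pull request or its thread. It applies the execve() rule from capabilities(7), under which a file-permitted capability is gained only if it is also in the process bounding set (`CapBnd`); the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example; the status text below is constructed, not captured output.
NET_BIND_BIT=10   # CAP_NET_BIND_SERVICE in <linux/capability.h>

# cap_mask STATUS_TEXT FIELD: print the hex mask of CapEff, CapBnd, ...
cap_mask() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_net_bind HEXMASK: succeed if the NET_BIND_SERVICE bit is set
has_net_bind() {
    [ $(( (0x${1:-0} >> $NET_BIND_BIT) & 1 )) -eq 1 ]
}

# verdict STATUS_TEXT: what a file capability on the binary can do here.
#   held      - the process already has the capability in its effective set
#   grantable - not held, but in CapBnd, so a file capability can grant it
#   blocked   - absent from CapBnd, so no file capability can grant it
verdict() {
    eff=$(cap_mask "$1" CapEff)
    bnd=$(cap_mask "$1" CapBnd)
    if has_net_bind "$eff"; then
        echo "held"
    elif has_net_bind "$bnd"; then
        echo "grantable"
    else
        echo "blocked"
    fi
}

# Constructed sample: UID 2004, bounding set holds only NET_BIND_SERVICE
WITH_CAP='Uid: 2004 2004 2004 2004
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000400'

# Constructed sample: UID 2004, every capability removed from the bounding set
NO_CAP='Uid: 2004 2004 2004 2004
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000'

for sample in "$WITH_CAP" "$NO_CAP"; do
    verdict "$sample"
done
```

Inside a container, `verdict "$(cat /proc/self/status)"` runs the same check against the live process.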