improve docker security

motivation: more secured ci setup

changes:
* enable :z selinux flag on bind mounts so we can enable selinux on ci
* drop potentially exploitable capabilities from docker-compose

docker/docker-compose.yaml

@@ -16,8 +16,11 @@ services:
     depends_on: [runtime-setup]
     volumes:
       - ~/.ssh:/root/.ssh
-      - ..:/code
+      - ..:/code:z
     working_dir: /code
+    cap_drop:
+      - CAP_NET_RAW
+      - CAP_NET_BIND_SERVICE
 
   sanity:
     <<: *common