fix permission denied

when exec as root and config.Cwd is not owned by root, exec will fail
because root doesn't have the caps.

So, Chdir should be done before setting the caps.

libcontainer/init_linux.go

@@ -151,14 +151,14 @@ func finalizeNamespace(config *initConfig) error {
 	if err := system.ClearKeepCaps(); err != nil {
 		return errors.Wrap(err, "clear keep caps")
 	}
-	if err := w.ApplyCaps(); err != nil {
-		return errors.Wrap(err, "apply caps")
-	}
 	if config.Cwd != "" {
 		if err := unix.Chdir(config.Cwd); err != nil {
 			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
 		}
 	}
+	if err := w.ApplyCaps(); err != nil {
+		return errors.Wrap(err, "apply caps")
+	}
 	return nil
 }