Function classify_capabilities 

pub fn classify_capabilities(effective: u64, uid: u32) -> (bool, Vec<String>)

Classify whether a non-root process holds suspicious Linux capabilities.

Returns (is_suspicious, suspicious_cap_names). Root (uid == 0) is never flagged.
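
The following is an added example, not the crate's own code. It shows where the two arguments come from on a Linux host (the effective UID and the `CapEff` mask in `/proc/<pid>/status`) and how a classifier with the documented signature and return contract behaves. `classify_capabilities_sketch`, `parse_status`, the sample status text and the list of capabilities treated as suspicious are assumptions for illustration; the page does not state which capabilities the real function flags.

```rust
// Added illustration; NOT the crate's implementation. The set of capabilities
// treated as suspicious here is an assumption (bit numbers are from
// linux/capability.h).
const ASSUMED_SUSPICIOUS: &[(u32, &str)] = &[
    (16, "CAP_SYS_MODULE"),
    (19, "CAP_SYS_PTRACE"),
    (21, "CAP_SYS_ADMIN"),
];

/// Hypothetical stand-in with the documented signature and return contract.
pub fn classify_capabilities_sketch(effective: u64, uid: u32) -> (bool, Vec<String>) {
    if uid == 0 {
        return (false, Vec::new()); // root is never flagged
    }
    let names: Vec<String> = ASSUMED_SUSPICIOUS
        .iter()
        .filter(|(bit, _)| effective & (1u64 << *bit) != 0)
        .map(|(_, name)| name.to_string())
        .collect();
    (!names.is_empty(), names)
}

/// Extract the effective UID and the CapEff mask from /proc/<pid>/status text.
pub fn parse_status(status: &str) -> Option<(u32, u64)> {
    let mut uid = None;
    let mut cap_eff = None;
    for line in status.lines() {
        if let Some(rest) = line.strip_prefix("Uid:") {
            // Fields are: real, effective, saved, filesystem.
            uid = rest.split_whitespace().nth(1)?.parse::<u32>().ok();
        } else if let Some(rest) = line.strip_prefix("CapEff:") {
            cap_eff = u64::from_str_radix(rest.trim(), 16).ok();
        }
    }
    Some((uid?, cap_eff?))
}

// Constructed sample input, not captured from a real host.
pub const SAMPLE_STATUS: &str =
    "Name:\tworker\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000280000\n";

fn main() {
    let (uid, eff) = parse_status(SAMPLE_STATUS).expect("malformed status text");
    let (flagged, names) = classify_capabilities_sketch(eff, uid);
    println!("uid={uid} CapEff={eff:#018x} flagged={flagged} caps={names:?}");
}
```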