It cannot be forced to enter, no. It could be executed in capability mode, though, except you would have to give up dynamic linking, for obvious reasons.
As for granting new capabilities - you can pass capabilities from the outside; otherwise the whole mechanism would make no sense :-) In Capsicum case, capabilities are file descriptors, and you pass them the usual way, over Unix sockets.
As for granting new capabilities - you can pass capabilities from the outside; otherwise the whole mechanism would make no sense :-) In Capsicum case, capabilities are file descriptors, and you pass them the usual way, over Unix sockets.