Signed-off-by: Kir Kolyshkin <[email protected]>

A map which is created in func init is only used by capSlice, which is
only used by New, which is only used by runc init. Switch to lazy init
to slightly save on startup time.

Signed-off-by: Kir Kolyshkin <[email protected]>

Move capSlice to be an internal function of New. This way, we don't have
to pass most parameters.

This is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <[email protected]>

Fixing a long standing bug in github.com/syndtr/gocapability package
(ignoring errors when setting ambient caps, see [1]) revealed that
it's not possible to raise those ambient capabilities for which
inheritable capabilities are not raised. In other words, "the Ambient
vector cannot contain values not raised in the Inh vector" ([2]).

The example spec in libct/specconv had a few ambient capabilities set
but no inheritable ones. As a result, when capability package with fix
from [1] is used, we get an error trying to start a container ("unable
to apply caps: permission denied").

The only decent way to fix this is to ignore raised ambient capabilities
for which inheritable capabilities are not raised (essentially mimicking
the old behavior). Let's also add a warning about ignored capabilities,
with an intention to change it to an error later.

Fix the example spec accordingly (remove the ambient caps).

This is in preparation to switch to github.com/kolyshkin/capability.

[1]: kolyshkin/capability#3
[2]: https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap#IAB.SetVector
Signed-off-by: Kir Kolyshkin <[email protected]>

This removes the last unversioned package in runc's direct dependencies.

Signed-off-by: Kir Kolyshkin <[email protected]>