oci/caps: refactor, remove unused code, and improved error messages

[thaJeztah]

• oci/caps: rename some vars that conflicted with imports / built-ins
• oci/caps: minor optimization in init
• oci/caps: generate list of all capabilities on "init"
• oci/caps: use map for capabilities to simplify lookup
• oci/caps: improve error message for unsupported capabilities
  A capability can either be invalid, or not supported by the kernel on which we're running. This patch changes the error message produced to reflect if the capability is invalid/unknown, or a known capability, but not supported by the kernel version.
• oci/caps: remove unused GetCapability() and ValidateCapabilities()
• oci/caps: simplify, and remove types that were not needed
  The CapabilityMapping and Capabilities types appeared to be only used locally, and added unneeded complexity. This patch removes those types, and simplifies the logic to use a map that maps names to capability.Caps
• oci/caps: remove hack for RHEL6 kernels
  We no longer support these kernels, so we can remove the workaround

[thaJeztah]

@kolyshkin @AkihiroSuda ptal

[thaJeztah]

@cpuguy83 @tonistiigi ptal 🤗

[tianon]

The implementation of capability.List() appears to generate/return a new slice of the full list, so it seems a tiny bit wasteful to call twice -- should probably go into a variable for len() vs for?

Suggested change

	allCaps = make([]string, capability.CAP_LAST_CAP+1)
	capabilityList = make(map[string]*capability.Cap, len(capability.List()))
	for i, c := range capability.List() {
	allCaps = make([]string, capability.CAP_LAST_CAP+1)
	rawCaps := capability.List()
	capabilityList = make(map[string]*capability.Cap, len(rawCaps))
	for i, c := range rawCaps {

Does it also make sense to use len(rawCaps) for the size of allCaps, given that we do allCaps[i] = ... below, which will be based on the number of capabilities total, not on the maximum value? (or is that an implementation bug that should've been allCaps[c] instead? Looking at how it gets used/returned, it doesn't seem like a bug so it looks like we're allocating more space than we actually need here. 😅)

Suggested change

	allCaps = make([]string, capability.CAP_LAST_CAP+1)
	capabilityList = make(map[string]*capability.Cap, len(capability.List()))
	for i, c := range capability.List() {
	rawCaps := capability.List()
	allCaps = make([]string, len(rawCaps))
	capabilityList = make(map[string]*capability.Cap, len(rawCaps))
	for i, c := range rawCaps {

[thaJeztah]

Looking at how it gets used/returned, it doesn't seem like a bug so it looks like we're allocating more space than we actually need here

Hmmm good point, so I don't think it's a bug (but I do take advantage of the fact that all the caps are in sequential order as proxy for "length") as CAP_LAST_CAP should be <= len(capability.List();

moby/vendor/github.com/syndtr/gocapability/capability/capability_linux.go

Line 52 in 9c15e82

f, err := os.Open("/proc/sys/kernel/cap_last_cap")

Hmmm... although

• it's initially set to Cap(63), and will be if the code above check fails
• newer kernels may support more capabilities than what the library supports, so we should check something like math.Min(len(rawCaps), CAP_LAST_CAP+1)

[thaJeztah]

If we reach CAP_LAST_CAP we continue here, so allCaps will no longer get more capabilities after that

[thaJeztah]

@tianon updated; let me know if this is what you meant/pointed out

[kolyshkin]

LGTM