libct/cap: allow New(nil)

In runtime-spec, capabilities property is optional, but
libcontainer/capabilities panics when New(nil) is called.

Because of this, there's a kludge in finalizeNamespace to ensure
capabilities.New is not called with nil argument, and there's a
TestProcessEmptyCaps to ensure runc won't panic.

Let's fix this at the source, allowing libct/cap to work with nil
capabilities.

(The caller is fixed by the next commit.)

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

libcontainer/capabilities/capabilities.go

@@ -47,6 +47,9 @@ func KnownCapabilities() []string {
 // printing a warning instead.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
 	var c Caps
+	if capConfig == nil {
+		return &c, nil
+	}
 
 	_, err := capMap()
 	if err != nil {
@@ -103,13 +106,19 @@ type Caps struct {
 
 // ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
 func (c *Caps) ApplyBoundingSet() error {
+	if c.pid == nil {
+		return nil
+	}
 	c.pid.Clear(capability.BOUNDING)
 	c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...)
 	return c.pid.Apply(capability.BOUNDING)
 }
 
 // Apply sets all the capabilities for the current process in the config.
 func (c *Caps) ApplyCaps() error {
+	if c.pid == nil {
+		return nil
+	}
 	c.pid.Clear(capability.CAPS | capability.BOUNDS)
 	for _, g := range []capability.CapType{
 		capability.EFFECTIVE,