Add support for dropping capabilities from the bounding set.

Android daemons such as adbd need to drop capabilities from their
bounding sets (to prevent processes they launch from gaining privileges
through file capabilities), but not from their runtime
(permitted|inheritable|effective) sets. Add support for this and rename
some capability-related code to make things clearer.

While in there, fix a comment in the Android makefile.

Bug: 27274137
Change-Id: I7cab7e3302bb34cd7859b9621906391104bf6b4e
3 files changed
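
The distinction the commit message draws, as an added example that is not code from this change: on Linux, `prctl(PR_CAPBSET_DROP)` shrinks only the bounding set, so the caller's effective set is unchanged while anything it later executes can no longer gain the dropped capabilities from file capabilities. The helper name `drop_bounding_except` and the keep mask are hypothetical.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Bounding set as a bitmask, read one capability at a time. */
uint64_t bounding_mask(void) {
    uint64_t mask = 0;
    for (int cap = 0; cap < 64; cap++) {
        int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (r < 0) break;                 /* past the kernel's last capability */
        if (r == 1) mask |= 1ULL << cap;
    }
    return mask;
}

/* Effective (runtime) set of the calling thread, via the raw capget syscall. */
uint64_t effective_mask(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0) return 0;
    return ((uint64_t)data[1].effective << 32) | data[0].effective;
}

/* Hypothetical helper: drop everything outside keep_mask from the bounding
 * set only. Returns 0 on success, -1 if the kernel refuses (EPERM when the
 * caller lacks CAP_SETPCAP). Permitted/inheritable/effective are untouched. */
int drop_bounding_except(uint64_t keep_mask) {
    uint64_t drop = bounding_mask() & ~keep_mask;
    for (int cap = 0; cap < 64; cap++) {
        if ((drop & (1ULL << cap)) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;
    }
    return 0;
}

int main(void) {
    uint64_t keep = 1ULL << CAP_CHOWN;    /* constructed keep mask */
    printf("before: bounding=%016llx effective=%016llx\n",
           (unsigned long long)bounding_mask(), (unsigned long long)effective_mask());
    printf("drop rc=%d\n", drop_bounding_except(keep));
    printf("after:  bounding=%016llx effective=%016llx\n",
           (unsigned long long)bounding_mask(), (unsigned long long)effective_mask());
    return 0;
}
```

Run as root, the bounding mask collapses to the keep mask while the effective mask prints the same value before and after; run unprivileged, the drop is refused and both masks stay as they were.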