cap-list: make sure never to accidentally return more than 63 caps

The rest of our codebase stores caps masks in a uint64_t, and also
assumes UINT64_MAX was a suitable value for "unset mask". Hence refuse
any caps outside of 0…62.

(right now the kernel knows 40 caps, hence 22 more to go before we have
to reconsider our life's choices.)

src/basic/cap-list.c

@@ -20,7 +20,7 @@ static const struct capability_name* lookup_capability(register const char *str,
 const char *capability_to_name(int id) {
         if (id < 0)
                 return NULL;
-        if ((size_t) id >= ELEMENTSOF(capability_names))
+        if (id >= capability_list_length())
                 return NULL;
 
         return capability_names[id];
@@ -65,11 +65,13 @@ int capability_from_name(const char *name) {
         return sc->id;
 }
 
-/* This is the number of capability names we are *compiled* with.
- * For the max capability number of the currently-running kernel,
- * use cap_last_cap(). */
+/* This is the number of capability names we are *compiled* with.  For the max capability number of the
+ * currently-running kernel, use cap_last_cap(). Note that this one returns the size of the array, i.e. one
+ * value larger than the last known capability. This is different from cap_last_cap() which returns the
+ * highest supported capability. Hence with everyone agreeing on the same capabilities list, this function
+ * will return one higher than cap_last_cap(). */
 int capability_list_length(void) {
-        return (int) ELEMENTSOF(capability_names);
+        return (int) MIN(ELEMENTSOF(capability_names), 63U);
 }
 
 int capability_set_to_string(uint64_t set, char **ret) {