lua-lsm: add userns support for capable hook #19

Open
chenzongyao200127 wants to merge 1 commit into openanolis:lua-lsm from chenzongyao200127:lua-lsm-capable-userns

Conversation

@chenzongyao200127
Collaborator

Lua-LSM currently exposes capable() as a credential and capability check, but does not pass the hook's user namespace to Lua. That makes policy unable to distinguish a capability check in the initial user namespace from the same capability check in a nested namespace.

Expose user namespace objects to Lua, pass the capable hook namespace and option flags to Lua policy, and allow the existing capable helpers to check capabilities against an explicit namespace.

Example Lua policy:

```lua
local capability = require("capability")

return {
    name = "capable-userns-policy",
    author = "Zongyao Chen",
    license = "GPL",

    -- capable hook: receives the credentials, the user namespace the
    -- capability is being checked in, the capability and the option flags.
    capable = function(cred, ns, cap, opts)
        -- Deny CAP_SYS_ADMIN for any check outside the initial user namespace.
        -- errno is assumed to be provided by the Lua-LSM runtime.
        if cap == capability.CAP_SYS_ADMIN and not ns:is_initial() then
            return false, errno.EPERM
        end
        return true
    end,

    -- ptrace_access_check hook: check CAP_SYS_PTRACE against the
    -- tracee's own user namespace using the explicit-namespace helper.
    ptrace_access_check = function(child, mode)
        local child_ns = child:userns()
        if not capability.capable(child_ns, "sys_ptrace") then
            return false, errno.EPERM
        end
        return true
    end,
}
```

Validation:

  • ./scripts/checkpatch.pl --git origin/lua-lsm..lua-lsm-capable-userns
  • git diff --check origin/lua-lsm..lua-lsm-capable-userns

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Expose user namespace objects to Lua policy.

Pass the capable hook namespace and options to Lua.

Allow helpers to check capabilities in an explicit userns.

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>