oci-containers: consolidate capabilities interface

[Yethal]

capAdd and capDrop were consolidated into a single capabilities option.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[benley]

I was initially opposed to this approach but now that I see it implemented it actually looks pretty reasonable. Let's see what others might have to say about it.

[Yethal]

@benley @roberth Can we backport this to 24.11?

[roberth]

This matches what I had in mind in our discussion.
The behavior seems to be well covered by the tests, the documentation is clear, and it now supports overriding.
It also matches what Arion does (a docker compose wrapper), which is nice, and also means that it's a proven solution.

[roberth]

@benley @roberth Can we backport this to 24.11?

It's a grey area, but I'd support it for these reasons

• these two PRs are low risk
• backporting these changes makes future backports of fixes easier