capability: reduce prctl syscall when setting ambient cap set

[lifubang]

Even though the ambient cap set is empty, it will always call PR_CAP_AMBIENT_LOWER for each support caps, in most machines, it will call 40 times.
We can use PR_CAP_AMBIENT_CLEAR_ALL to avoid this big for loop to reduce the prctl syscall times.

Please see:

sys/capability/capability_linux.go

Lines 366 to 373 in 46235e8

	if kind&AMBS == AMBS {
	for i := Cap(0); i <= last; i++ {
	action := pr_CAP_AMBIENT_LOWER
	if c.Get(AMBIENT, i) {
	action = pr_CAP_AMBIENT_RAISE
	}
	err = prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
	if err != nil {