Don't call cap_get_proc(3) unconditionally.

cap_get_proc(3) uses the capget(2) system call. Don't call
cap_get_proc(3) if |flags.use_caps| is not set, to avoid
having the program call a capability-related syscall even
when capabilities are not being used.

Bug: 27366428

Change-Id: Ifb797bc5f1a43adf4f9fa2fff3ef7d6f4bd9c958
diff --git a/libminijail.c b/libminijail.c
index a38eb64..1d90aef 100644
--- a/libminijail.c
+++ b/libminijail.c
@@ -1248,14 +1248,13 @@
 
 void drop_caps(const struct minijail *j, unsigned int last_valid_cap)
 {
+	if (!j->flags.use_caps)
+		return;
+
 	cap_t caps = cap_get_proc();
 	cap_value_t flag[1];
 	const uint64_t one = 1;
 	unsigned int i;
-
-	if (!j->flags.use_caps)
-		return;
-
 	if (!caps)
 		die("can't get process caps");
 	if (cap_clear_flag(caps, CAP_INHERITABLE))