init: reboot: Max ro.build.shutdown_timeout at 10s as the "clean" timeout

The property "ro.build.shutdown_timeout" isn't _really_ the shutdown timeout. As can be seen in the `RebootMonitorThread()` method, we take this number (typically 6 seconds or perhaps 3 seconds for a thermal shutdown or perhaps 0 seconds for an "eng" build) and then add (by default) 300 seconds to it to get the REAL timeout. After the ~306 second REAL timeout then we'll finally give up and force a reboot/shutdown.

What "ro.build.shutdown_timeout" actually does is:
* We allow processes half this time to cleanly respond to a SIGTERM before forcefully sending them SIGKILL.
* We use any remaining time after killing processes to try to cleanly unmount partitions.

Rename the local variable to make it obvious that this property isn't the full timeout. At the same time, cap it (somewhat arbitrarily) to 10 seconds to make it obvious that this isn't supposed to be a giant number. Searching didn't find anyone overriding this but it seems better to be safer.

In the case that we cap this number, add a warning to the logs.

Bug: 409835922
Test: Hack property to 15s and see it get capped in logs
Change-Id: Ifb9027befc2dd04132c39d79e0aac43bbe28ceac