cloudabi-reexec needs to support dropping fd rights

[m-ou-se]

cloudabi-run (running in the Posix world) can't set all Capsicum rights properly on the file descriptors it opens. It'll have to ask cloudabi-reexec (running in the CloudABI world) to disable some rights on the file descriptors it gets, if that was originally specified in the Yaml file.

Right now, cloudabi-exec takes an argdata sequence of two items: The file descriptor of the executable to run, and the argdata to provide to that program.

We could simply add an (optional) third item to that sequence, which describes what rights the file descriptors should have. This could be a map, mapping file descriptors to a 2-tuple (sequence) containing (fs_rights_base, fs_rights_inheriting), both as integers.

[EdSchouten]

Yes, that sounds like a very good thing to have.

Maybe, while we're at it, we should consider replacing the sequence by a full map with string keys. Fair chance we want to add even more features over time.