Capsicum restricts capability-mode and capability-relative path lookups
to be "strictly relative": we do not permit absolute paths or ".." in
path resolution for these cases. This functionality could be useful in
non-Capsicum applications as well, and it has been proposed for inclusion
in Linux as a step along the way to Capsicum in Linux.

This commit would add the O_BENEATH flag for use in openat(2) to enable
"strict relative" lookups with unrestricted file descriptors (i.e., not
Capsicum capabilities) outside of capability mode. The only difference
from the Capsicum behaviour is that O_BENEATH would cause errno to be
EPERM rather than ECAPMODE or ENOTCAPABLE. If O_BENEATH is used together
with capability mode or a directory capability, EPERM is returned, since
the usermode application has explicitly requested the new behaviour.

Approved by: rwatson (mentor)