bhyveload: limit rights on the dirfds we create
In neither case do we need write access to the directories we're working
with; userboot doesn't support fo_write on the host device, and the
bootfd is only ever needed for loader loading.
This improves on 8bf0882e18 ("bhyveload: enter capability mode [...]")
so that arbitrary code in the loader can't open writable fds to either
of the directories we need to maintain access to.
Reviewed by: imp
(cherry picked from commit c067be72e835e469518ec985b6cc4e475c378944)
(cherry picked from commit f9b17005bf8f1a30e2a74a3e66c92e34aa87f9bf)
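As an added illustration (not bhyveload's own code; the commit above does not list the exact rights it keeps, so the rights set below is an assumption), this shows the technique the message describes: limit a directory fd to read-only lookups before cap_enter(2), so that a later writable openat(2) through that fd is refused with ENOTCAPABLE while a read-only open still works. It compiles on non-FreeBSD hosts too, where it only reports "unsupported".

```c
/*
 * Added example, not bhyveload's code.  Restrict a directory fd to the rights
 * a read-only loader needs, enter capability mode, and show that a writable
 * open through that fd is refused.  The rights set is an assumption.
 */
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

enum demo_result {
	DEMO_UNSUPPORTED = 0,	/* no Capsicum on this platform */
	DEMO_OK = 1,		/* read-only open worked, writable open refused */
	DEMO_FAILED = 2		/* something did not behave as expected */
};

/*
 * Keep only what is needed to look up and read files below dirfd.  Without
 * CAP_WRITE, CAP_CREATE, CAP_UNLINKAT and friends, no code holding this fd
 * can turn it into a writable handle on anything under the directory.
 */
int
limit_dirfd_readonly(int dirfd)
{
#ifdef __FreeBSD__
	cap_rights_t rights;

	cap_rights_init(&rights, CAP_LOOKUP, CAP_READ, CAP_SEEK, CAP_FSTAT);
	return (cap_rights_limit(dirfd, &rights));
#else
	(void)dirfd;
	errno = ENOSYS;
	return (-1);
#endif
}

enum demo_result
demo_readonly_dirfd(const char *dir, const char *file)
{
#ifdef __FreeBSD__
	int dirfd, fd;

	dirfd = open(dir, O_RDONLY | O_DIRECTORY);
	if (dirfd < 0)
		return (DEMO_FAILED);
	if (limit_dirfd_readonly(dirfd) < 0) {
		close(dirfd);
		return (DEMO_FAILED);
	}
	/* From here on only the rights carried by existing fds are usable. */
	if (cap_enter() < 0) {
		close(dirfd);
		return (errno == ENOSYS ? DEMO_UNSUPPORTED : DEMO_FAILED);
	}

	/* Reading through the limited dirfd is still allowed... */
	fd = openat(dirfd, file, O_RDONLY);
	if (fd < 0) {
		close(dirfd);
		return (DEMO_FAILED);
	}
	close(fd);

	/*
	 * ...but a writable open is rejected by the rights check on dirfd,
	 * which runs before any file-permission check, so errno is
	 * ENOTCAPABLE rather than EACCES.
	 */
	fd = openat(dirfd, file, O_WRONLY);
	if (fd >= 0 || errno != ENOTCAPABLE) {
		if (fd >= 0)
			close(fd);
		close(dirfd);
		return (DEMO_FAILED);
	}
	close(dirfd);
	return (DEMO_OK);
#else
	(void)dir;
	(void)file;
	return (DEMO_UNSUPPORTED);
#endif
}

int
main(void)
{
	static const char *names[] = { "unsupported", "ok", "FAILED" };
	enum demo_result r = demo_readonly_dirfd("/etc", "hosts");

	printf("read-only dirfd demo: %s\n", names[r]);
	return (r == DEMO_FAILED);
}
```

The check a reviewer would want is the second openat(2): it must fail with ENOTCAPABLE, not merely EACCES, since the point of limiting the dirfd is that the refusal comes from the fd's rights and holds no matter what permissions the files underneath carry.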