MFC r353039: add ability to set watchdog timeout for a shutdown

This change allows to specify a watchdog(9) timeout for a system
shutdown. The timeout is activated when the watchdogd daemon is
stopped. The idea is to a prevent any indefinite hang during late
stages of the shutdown. The feature is implemented in rc.d/watchdogd,
it builds upon watchdogd -x option.

Note that the shutdown timeout is not actiavted when the watchdogd
service is individually stopped by an operator. It is also not
activated for the 'shutdown' to the single-user mode. In those cases it
is assumed that the operator knows what they are doing and they have
means to recover the system should it hang.

Significant subchanges and implementation details:

• the argument to rc.shutdown, completely unused before, is assigned to rc_shutdown variable that can be inspected by rc scripts
• init(8) passes "single" or "reboot" as the argument, this is not changed
• the argument is not mandatory and if it is not set then rc_shutdown is set to "unspecified"
• however, the default jail management scripts and jail configuration examples have been updated to pass "jail" to rc.shutdown, just in case
• the new timeout can be set via watchdogd_shutdown_timeout rc option
• for consistency, the regular timeout can now be set via watchdogd_timeout rc option
• watchdogd_shutdown_timeout and watchdogd_timeout override timeout specifications in watchdogd_flags
• existing configurations, where the new rc options are not set, should keep working as before