bhyveload: limit rights on the dirfds we create

bhyveload: limit rights on the dirfds we create

In neither case do we need write access to the directories we're working
with; userboot doesn't support fo_write on the host device, and the
bootfd is only ever needed for loader loading.

This improves on 8bf0882e18 ("bhyveload: enter capability mode [...]")
so that arbitrary code in the loader can't open writable fds to either
of the directories we need to maintain access to.

Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D43315