Loader path security (#1012)

The ape loader now passes the program executable name directly as a
register. `x2` is used on aarch64, `%rdx` on x86_64. This is passed
as the third argument to `cosmo()` (M1) or `Launch` (non-M1) and is
assigned to the global `__program_executable_name`.

`GetProgramExecutableName` now returns this global's value, setting
it if it is initially null. `InitProgramExecutableName` first tries
exotic, secure methods: `KERN_PROC_PATHNAME` on FreeBSD/NetBSD, and
`/proc` on Linux. If those produce a reasonable response (i.e., not
`"/usr/bin/ape"`, which happens with the loader before this change),
that is used. Otherwise, if `issetugid()`, the empty string is used.
Otherwise, the old argv/envp parsing code is run.

The value returned from the loader is always the full absolute path
of the binary to be executed, having passed through `realpath`. For
the non-M1 loader, this necessitated writing `RealPath`, which uses
`readlinkat` of `"/proc/self/fd/[progfd]"` on Linux, `F_GETPATH` on
Xnu, and the `__realpath` syscall on OpenBSD. On FreeBSD/NetBSD, it
punts to `GetProgramExecutableName`, which is secure on those OSes.

With the loader, all platforms now have a secure program executable
name. With no loader or an old loader, everything still works as it
did, but setuid/setgid is not supported if the insecure pathfinding
code would have been needed.

Fixes #991.

libc/crt/crt.S

@@ -62,6 +62,8 @@ _start:
 //	set operating system when already detected
 1:	mov	%cl,__hostos(%rip)
 
+	mov	%rdx,__program_executable_name(%rip)
+
 //	get startup timestamp as early as possible
 //	its used by --strace flag and kprintf() %T
 	rdtsc
@@ -140,6 +142,8 @@ _start:
 //	should be set to zero on other platforms
 	mov	x1,x15
 
+//	third arg (x2) is the program path passed by ape-m1.c
+
 //	switch to c code
 	bl	cosmo
 	.unreachable