Also (re)used to make fork privileges available when we start a
subprocess: As we are going to apply the JAIL_SUBPROC privileges to the
forked process, having slightly eleveated privileges only agross the
fork() should not cause any harm.

	-

This concludes the current series of Solaris jail patches, hopefully.
With this commit, varnishd started with pfexec ("root privileges") keeps
the following privileges only (ppriv -v output) on Solaris:

* master::

  flags = PRIV_AWARE
        E: file_read,file_write,net_access
        I: none
        P: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid
        L: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_owner,proc_setid

  notes:

  E: file_read is required for basic config files like /etc/netconfig
     net_access is required for CLI communication

     file_write could potentially be removed if any file write
     operations (e.g. writing vcl files) were wrapped with
     JAIL_MASTER_FILE, but I do not consider this a relevant gain for
     now.

     For other master jail states, E will be momentarily expanded.

  I: will be momentarily expanded for system()

  P: Contains the union of all privileges used anywhere in varnish

  L: Could potentially be reduced further, but P already limits

* worker::

  flags = PRIV_AWARE
        E: file_read,file_write,net_access
        I: none
        P: file_read,file_write,net_access,proc_info
        L: file_read,file_write,net_access,proc_info,proc_setid

  proc_setid is only used when the worker starts and then dropped

  proc_info is only used by vmod_unix

we now dynamically manage the INHERITABLE set also, which has the
advantage of reducing the privileges available to anything we exec()
(likely via system()) from master which is not managed through
JAIL_SUBPROC.

See next commit.

Avoid setppriv() tolerating EPERM by masking privileges with the
available upper bound.

Reverts:
	8eb42d2c
	f43679b6
	6f1563cf

- simplify definition of privileges in a table file
- only initialize priv sets once
- implement the master jails

We are also going to need JAIL_SUBPROC to determine the boundary between
the MASTER and SUBPROC enum values.

depending on the compiler's mood

this is to allow a follow-up simplification in the solaris to use a
single array for privileges.

Add  _amd64|_arm64 before the extension

For some reason this is failing on some platforms reporting on VTEST.

Mkdtemp(3) creates the directory with mode 0700, and since it
already exists, we do not change the mode subsequently, which
causes jailed with uid=vcache to keel over.

Previously it only did so if no -n argument was given.

Fixes #3307

Add VJ_unlink() and VJ_rmdir() to do so.

Fixes: #3327

and, in particular, matching client.ip against a vcl

Ref #3334

There is a problem with fakeroot-sysv on Ubuntu 20.04 aarch64:

Install Build-Depends packages...

+ mk-build-deps --install debian/control

+ yes

semop(1): encountered an error: Function not implemented

Error in the build process: exit status 1

That is, in the context of varnish.m4, because this changes existing
behavior in a way that breaks backward compatibility.

Partial revert of 134d0633.

This is to support generated vcc files with out-of-tree vmod builds.

our python sources use spaces