Capability mode support using null namespace

This implements capability mode similar to cap_enter on FreeBSD, by introducing a null scheme namespace.

Entering this namespace removes any ability to open, unlink, chown, chmod, or exec, meaning that security properties of a process are easier to determine.