Reorder and renumber capability rights.

This patch does three things:
 - puts capability rights in a more pleasing declaration order
 - changes mask values to match the new declaration order
 - declare new rights which will be used soon (e.g. CAP_LOOKUP, CAP_MKDIR)

Approved by: re (kib), mentor (rwatson)
Sponsored by: Google Inc

sys/sys/capability.h

@@ -76,30 +76,38 @@
 #define	CAP_FSTAT		0x0000000000010000ULL
 #define	CAP_FSTATFS		0x0000000000020000ULL
 #define	CAP_FUTIMES		0x0000000000040000ULL
+#define	CAP_CREATE		0x0000000000080000ULL
+#define	CAP_DELETE		0x0000000000100000ULL
+#define	CAP_MKDIR		0x0000000000200000ULL
+#define	CAP_RMDIR		0x0000000000400000ULL
+#define	CAP_MKFIFO		0x0000000000800000ULL
+
+/* Lookups - used to constrain *at() calls. */
+#define	CAP_LOOKUP		0x0000000001000000ULL
 
 /* Extended attributes. */
-#define	CAP_EXTATTR_DELETE	0x0000000000080000ULL
-#define	CAP_EXTATTR_GET		0x0000000000100000ULL
-#define	CAP_EXTATTR_LIST	0x0000000000200000ULL
-#define	CAP_EXTATTR_SET		0x0000000000400000ULL
+#define	CAP_EXTATTR_DELETE	0x0000000002000000ULL
+#define	CAP_EXTATTR_GET		0x0000000004000000ULL
+#define	CAP_EXTATTR_LIST	0x0000000008000000ULL
+#define	CAP_EXTATTR_SET		0x0000000010000000ULL
 
 /* Access Control Lists. */
-#define	CAP_ACL_CHECK		0x0000000000800000ULL
-#define	CAP_ACL_DELETE		0x0000000001000000ULL
-#define	CAP_ACL_GET		0x0000000002000000ULL
-#define	CAP_ACL_SET		0x0000000004000000ULL
+#define	CAP_ACL_CHECK		0x0000000020000000ULL
+#define	CAP_ACL_DELETE		0x0000000040000000ULL
+#define	CAP_ACL_GET		0x0000000080000000ULL
+#define	CAP_ACL_SET		0x0000000100000000ULL
 
 /* Socket operations. */
-#define	CAP_ACCEPT		0x0000000008000000ULL
-#define	CAP_BIND		0x0000000010000000ULL
-#define	CAP_CONNECT		0x0000000020000000ULL
-#define	CAP_GETPEERNAME		0x0000000040000000ULL
-#define	CAP_GETSOCKNAME		0x0000000080000000ULL
-#define	CAP_GETSOCKOPT		0x0000000100000000ULL
-#define	CAP_LISTEN		0x0000000200000000ULL
-#define	CAP_PEELOFF		0x0000000400000000ULL
-#define	CAP_SETSOCKOPT		0x0000000800000000ULL
-#define	CAP_SHUTDOWN		0x0000001000000000ULL
+#define	CAP_ACCEPT		0x0000000200000000ULL
+#define	CAP_BIND		0x0000000400000000ULL
+#define	CAP_CONNECT		0x0000000800000000ULL
+#define	CAP_GETPEERNAME		0x0000001000000000ULL
+#define	CAP_GETSOCKNAME		0x0000002000000000ULL
+#define	CAP_GETSOCKOPT		0x0000004000000000ULL
+#define	CAP_LISTEN		0x0000008000000000ULL
+#define	CAP_PEELOFF		0x0000010000000000ULL
+#define	CAP_SETSOCKOPT		0x0000020000000000ULL
+#define	CAP_SHUTDOWN		0x0000040000000000ULL
 
 #define	CAP_SOCK_ALL \
 	(CAP_ACCEPT | CAP_BIND | CAP_CONNECT \
@@ -107,24 +115,24 @@
 	 | CAP_LISTEN | CAP_PEELOFF | CAP_SETSOCKOPT | CAP_SHUTDOWN)
 
 /* Mandatory Access Control. */
-#define	CAP_MAC_GET		0x0000002000000000ULL
-#define	CAP_MAC_SET		0x0000004000000000ULL
+#define	CAP_MAC_GET		0x0000080000000000ULL
+#define	CAP_MAC_SET		0x0000100000000000ULL
 
 /* Methods on semaphores. */
-#define	CAP_SEM_GETVALUE	0x0000008000000000ULL
-#define	CAP_SEM_POST		0x0000010000000000ULL
-#define	CAP_SEM_WAIT		0x0000020000000000ULL
+#define	CAP_SEM_GETVALUE	0x0000200000000000ULL
+#define	CAP_SEM_POST		0x0000400000000000ULL
+#define	CAP_SEM_WAIT		0x0000800000000000ULL
 
 /* kqueue events. */
-#define	CAP_POLL_KEVENT		0x0000040000000000ULL
-#define	CAP_POST_KEVENT		0x0000080000000000ULL
+#define	CAP_POLL_KEVENT		0x0001000000000000ULL
+#define	CAP_POST_KEVENT		0x0002000000000000ULL
 
 /* Strange and powerful rights that should not be given lightly. */
-#define	CAP_IOCTL		0x0000100000000000ULL
-#define	CAP_TTYHOOK		0x0000200000000000ULL
+#define	CAP_IOCTL		0x0004000000000000ULL
+#define	CAP_TTYHOOK		0x0008000000000000ULL
 
 /* The mask of all valid method rights. */
-#define	CAP_MASK_VALID		0x00003fffffffffffULL
+#define	CAP_MASK_VALID		0x000fffffffffffffULL
 
 #ifdef _KERNEL