
socket: Pass capsicum rights down to socket option handlers

Description

socket: Pass capsicum rights down to socket option handlers

One needs the CAP_GETSOCKOPT and CAP_SETSOCKOPT rights to call
getsockopt(2) and setsockopt(2) on a socket descriptor, respectively.
The syscall layer checks this, but individual socket option handlers
have no access to the file descriptor and so can't check for additional
rights, should they want to do so. In particular, a forthcoming
implementation of SO_SPLICE logically requires at least CAP_RECV and
CAP_SEND rights.

Modify the syscall layer to look up Capsicum rights on the descriptor
and pass that along to socket option handlers; this way, the handlers
can check for additional rights if they need to.

Reviewed by: gallatin, glebius
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45673

(cherry picked from commit e2e771deeca7c10eaa46f380a9b64079468ec209)
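
The layering described in the commit message, as an added example that is not part of the commit or of FreeBSD: a userspace model in which the syscall layer makes the base CAP_SETSOCKOPT check and passes the descriptor's rights down, so the option handler can demand more. All function names, constants, bit values, error codes and the descriptor table are hypothetical, and returning a not-capable error for SO_SPLICE without CAP_RECV and CAP_SEND is an assumption about how a handler would use the rights.

```c
/* Userspace model of the layering the commit message describes; NOT FreeBSD
 * kernel code. All names and values below are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* Model rights bits (the real cap_rights_t encoding differs). */
enum {
    M_CAP_RECV = 1u << 0, M_CAP_SEND = 1u << 1,
    M_CAP_GETSOCKOPT = 1u << 2, M_CAP_SETSOCKOPT = 1u << 3,
};
enum { M_OK = 0, M_EBADF = -1, M_ENOTCAPABLE = -2, M_ENOPROTOOPT = -3 };
enum { M_SO_KEEPALIVE = 1, M_SO_SPLICE = 2 };

/* Constructed descriptor table: each fd carries its limited rights. */
static const uint32_t fd_rights[] = {
    [3] = M_CAP_SETSOCKOPT,                           /* options only   */
    [4] = M_CAP_SETSOCKOPT | M_CAP_RECV | M_CAP_SEND, /* options + data */
    [5] = M_CAP_RECV | M_CAP_SEND,                    /* no SETSOCKOPT  */
};
#define NFDS (sizeof(fd_rights) / sizeof(fd_rights[0]))

static int has_rights(uint32_t held, uint32_t needed)
{
    return (held & needed) == needed;
}

/* Option handler: it never sees the fd, only the rights passed down. */
static int model_sosetopt(int opt, uint32_t rights)
{
    switch (opt) {
    case M_SO_KEEPALIVE:
        return M_OK;
    case M_SO_SPLICE: /* splicing moves data, so require RECV and SEND too */
        return has_rights(rights, M_CAP_RECV | M_CAP_SEND) ? M_OK : M_ENOTCAPABLE;
    default:
        return M_ENOPROTOOPT;
    }
}

/* Syscall layer: base check, then hand the looked-up rights to the handler. */
int model_setsockopt(int fd, int opt)
{
    if (fd < 0 || (size_t)fd >= NFDS || fd_rights[fd] == 0)
        return M_EBADF;
    if (!has_rights(fd_rights[fd], M_CAP_SETSOCKOPT))
        return M_ENOTCAPABLE;
    return model_sosetopt(opt, fd_rights[fd]);
}

int main(void)
{
    printf("fd 3: %d, fd 4: %d\n", model_setsockopt(3, M_SO_SPLICE), model_setsockopt(4, M_SO_SPLICE));
    return 0;
}
```

In the model, descriptor 3 passes the syscall-layer check yet is refused by the SO_SPLICE handler, which is the case the handler could not detect without the rights being passed down.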

Details

Provenance
markj authored on Jul 8 2024, 3:46 PM
Reviewer
gallatin
Differential Revision
D45673: socket: Pass capsicum rights down to socket option handlers
Parents
rGd5ae681d2e74: nfsd: Make modifying vfs.nfsd.enable_locallocks safe