New functions/API for secure launching of external programs

[Explorer09]

This feature branch implements an interface for checking an external program's permission and launching a program with dropped privileges when it's applicable.

I wrote this as a sepeate module, tentatively named ProgramLauncher (and I welcome suggestions for better names). It has these features:

1. Drop set-UID (SUID) privileges before launching a external program (for a forked child process).
2. Check permission (mode) bits of a program, and the owner and group IDs of the program before launching. It's stricter than what the OS would permit launching. In particular the "other execute" (o+x) bit is now respected only of the program is owned by root. (The u+x and g+x behaviors remain the same, but the code now checks for UID and GID explicitly so that root user won't bypass it.)
3. Use fexecve(3) to launch program whenever it's available. This avoids a TOCTTOU. (Unfortunately macOS and OpenBSD don't have fexecve yet so I have to keep the vulnerable fallback code.)
4. When locating a program through the PATH environment variable, the "ProgramLauncher" API can cache the result - keeping the full program path and the inode in the filesystem. If someone quietly swaps the program while an htop instance is running, that htop instance will stop trusting or running the external program (until htop restarts).

Included in the branch are changes to lsof (OpenFileScreen), strace/truss (TraceScreen), systemctl (SystemdMeter) and rc-status (OpenRCMeter) to all launch using the new framework. These are examples of how the new module/APIs may be called.

Resolves #1844.

Note that this conflicts with #1893. I have no plans to change the fork() and fexecve() calls to use posix_spawn() because posix_spawn() can't achieve the security I want (I need posix_fspawn() instead, but no libc had implemented such interface for me).