Tidy handling of privileged operation fds

[smcv]

Similar to #665, but for the socket pair that communicates privileged operations between the temporary unprivileged child and the privileged parent when we are setuid root.

• Use PIPE_READ_END, PIPE_WRITE_END to clarify use of privileged op sockets

  Both sockets in this socket pair are technically bidirectional, but we're using them in a way that is close enough to unidirectional that using these symbolic constants is clearer than magic numbers. We send multi-byte requests into the write end, and read those requests from the read end (even though we also send a 1-byte reply to each request into the "read" end, and read it from the "write" end).

• utils: Add steal_fd()

  This is inspired by g_steal_fd() in GLib, and lets us make it explicit that ownership of a fd is being moved, similar to steal_pointer().

• Clarify ownership of privileged op sockets

  Setting the members of privsep_sockets[] to -1 when they have been closed or had their ownership transferred is clearer than leaving behind dangling references.

cc @refi64

[smcv]

Setting the members of privsep_sockets[] to -1

... is not (currently) something that cleanup_fdp() does, so this PR is wrong.