Add a rust user-space Capability struct.

This is a thin wrapper around a capability ptr that releases the
capability when it is done and prevents copying/cloning it.

To get a copy a caller must explicitly use duplicate.

rust/lib/mammoth/src/thread.rs

@@ -1,6 +1,6 @@
+use crate::cap::Capability;
 use crate::syscall;
 use crate::zion;
-use crate::zion::z_cap_t;
 
 use alloc::boxed::Box;
 use core::ffi::c_void;
@@ -17,7 +17,7 @@ extern "C" fn internal_entry_point(thread_ptr: *const Thread, arg1: *const c_voi
 }
 // TODO: Add a Drop implementation that kills this thread and drops its capability.
 pub struct Thread {
-    cap: z_cap_t,
+    cap: Capability,
     // This field only exists to ensure that the entry reference will outlive the thread object
     // itself.
     entry: ThreadEntry,
@@ -25,11 +25,11 @@ pub struct Thread {
 
 impl Thread {
     pub fn spawn(entry: ThreadEntry, arg1: *const c_void) -> Result<Box<Self>, zion::ZError> {
-        let proc_cap = unsafe { crate::init::SELF_PROC_CAP };
-        let cap = syscall::thread_create(proc_cap)?;
+        let proc_cap = Capability::take_copy(unsafe { crate::init::SELF_PROC_CAP })?;
+        let cap = syscall::thread_create(&proc_cap)?;
         let thread = Box::new(Self { cap, entry });
         syscall::thread_start(
-            cap,
+            &thread.cap,
             internal_entry_point as u64,
             thread.as_ref() as *const Thread as u64,
             arg1 as u64,
@@ -39,6 +39,6 @@ impl Thread {
     }
 
     pub fn join(&self) -> Result<(), zion::ZError> {
-        syscall::thread_wait(self.cap)
+        syscall::thread_wait(&self.cap)
     }
 }