hw: seal capability leak (fix #1568)

Do not initially transfer UTCB dataspace and parent capability to a thread
that is no main thread.

repos/base-hw/include/base/native_types.h

@@ -100,7 +100,7 @@ class Genode::Native_utcb
 
 		enum { MAX_CAP_ARGS = Msgbuf_base::MAX_CAP_ARGS};
 
-		enum Offsets { PARENT, UTCB_DATASPACE, THREAD_MYSELF };
+		enum Offsets { THREAD_MYSELF, PARENT, UTCB_DATASPACE };
 
 	private:
 

repos/base-hw/src/core/kernel/thread.cc

@@ -762,9 +762,9 @@ Core_thread::Core_thread()
 	Genode::map_local((addr_t)utcb, (addr_t)Genode::utcb_main_thread(),
 	                  sizeof(Native_utcb) / Genode::get_page_size());
 
-	utcb->cap_add(cap_id_invalid());
-	utcb->cap_add(cap_id_invalid());
 	utcb->cap_add(core_capid());
+	utcb->cap_add(cap_id_invalid());
+	utcb->cap_add(cap_id_invalid());
 
 	/* start thread with stack pointer at the top of stack */
 	sp = (addr_t)&stack + DEFAULT_STACK_SIZE;

repos/base-hw/src/core/platform_thread.cc

@@ -198,9 +198,11 @@ int Platform_thread::start(void * const ip, void * const sp)
 
 	/* reset capability counter */
 	utcb->cap_cnt(0);
-	utcb->cap_add(_pd->parent().dst());
-	utcb->cap_add(_utcb.dst());
 	utcb->cap_add(_cap.dst());
+	if (_main_thread) {
+		utcb->cap_add(_pd->parent().dst());
+		utcb->cap_add(_utcb.dst());
+	}
 	Kernel::start_thread(kernel_object(), cpu, _pd->kernel_pd(),
 	                     _utcb_core_addr);
 	return 0;