apparmor: add fine grained af_unix mediation

apparmor: add fine grained af_unix mediation

Extend af_unix mediation to support fine grained controls based on
the type (abstract, anonymous, fs), the address, and the labeling
on the socket.

This allows for using socket addresses to label and the socket and
control which subjects can communicate.

The unix rule format follows standard apparmor rules except that fs
based unix sockets can be mediated by existing file rules. None fs
unix sockets can be mediated by a unix socket rule. Where The address
of an abstract unix domain socket begins with the @ character, similar
to how they are reported (as paths) by netstat -x.  The address then
follows and may contain pattern matching and any characters including
the null character. In apparmor null characters must be specified by
using an escape sequence \000 or \x00. The pattern matching is the
same as is used by file path matching so * will not match / even
though it has no special meaning with in an abstract socket name. Eg.

     allow unix addr=@*,

Autobound unix domain sockets have a unix sun_path assigned to them by
the kernel, as such specifying a policy based address is not possible.
The autobinding of sockets can be controlled by specifying the special
auto keyword. Eg.

     allow unix addr=auto,

To indicate that the rule only applies to auto binding of unix domain
sockets.  It is important to note this only applies to the bind
permission as once the socket is bound to an address it is
indistinguishable from a socket that have an addr bound with a
specified name. When the auto keyword is used with other permissions
or as part of a peer addr it will be replaced with a pattern that can
match an autobound socket. Eg. For some kernels

    allow unix rw addr=auto,

It is important to note, this pattern may match abstract sockets that
were not autobound but have an addr that fits what is generated by the
kernel when autobinding a socket.

Anonymous unix domain sockets have no sun_path associated with the
socket address, however it can be specified with the special none
keyword to indicate the rule only applies to anonymous unix domain
sockets. Eg.

    allow unix addr=none,

If the address component of a rule is not specified then the rule
applies to autobind, abstract and anonymous sockets.

The label on the socket can be compared using the standard label=
rule conditional. Eg.

    allow unix addr=@foo peer=(label=bar),

see man apparmor.d for full syntax description.

Signed-off-by: John Johansen <john.johansen@canonical.com>