parser: add the ability to specify a priority prefix to rules

This enables adding a priority to a rules in policy, finishing out the
priority work done to plumb priority support through the internals in
the previous patch.

Rules have a default priority of 0. The priority prefix can be added
before the other currently support rule prefixes, ie.

  [priority prefix][audit qualifier][rule mode][owner]

If present a numerical priority can be assigned to the rule, where the
greater the number the higher the priority. Eg.

    priority=1 audit file r /etc/passwd,

    priority=-1 deny file w /etc/**,

Rule priority allows the rule with the highest priority to completely
override lower priority rules where they overlap. Within a given
priority level rules will accumulate in standard apparmor fashion.

    Eg. given
        priority=1 w   /*c,
        priority=0 r   /a*,
        priority=-1 k  /*b*,

    /abc, /bc, /ac   .. will have permissions of w
    /ab, /abb, /aaa, .. will have permissions of r
    /b, /bcb, /bab,  .. will have permissions of k

User specified rule priorities are currently capped at the arbitrary
values of 1000, and -1000.

Notes:
* not all rule types support the priority prefix. Rukes like
  - network
  - capability
  - rlimits need to be reworked
  need to be reworked to properly preserve the policy rule structure.
* this patch does not support priority on rule blocks
* this patch does not support using a variable in the priority value.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/af_unix.h

@@ -48,6 +48,9 @@ public:
 	};
 
 	virtual bool valid_prefix(const prefixes &p, const char *&error) {
+		// priority is partially supported for unix rules
+		// rules that get downgraded to just network socket
+		// won't support them but the fine grained do.
 		if (p.owner) {
 			error = "owner prefix not allowed on unix rules";
 			return false;