[apparmor] [PATCH V2] Support network policy based on secmark labeling

Matthew Garrett mjg59 at google.com
Thu May 24 20:27:44 UTC 2018


OK, here's a slightly different approach that allows for a wildcard
secid. In this universe:

1) Old parsers just generate a network statement as normal,
secmark_count is 0 and we assume that we should do nothing in response
to secmark labeling
2) New parsers that generate a bare network statement add a wildcard
label, and any further deny statements will be tested in addition to
that

I think the audit/deny handling in the policy stuff needs to be fixed
up, but does this logic look roughly plausible to people?
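The two cases above, as an added example that is not part of the original mail and not the AppArmor kernel or parser code: a small C model of the decision rule it describes, where a profile with secmark_count == 0 ignores labeling entirely, a wildcard entry admits any label, and deny entries are tested in addition to the wildcard. The type and function names, the result encoding, and the choice of 0 as the wildcard secid are assumptions made for the illustration; the sample profiles are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the secmark decision described in the mail.
 * Not the AppArmor kernel code or the patch; names, the result
 * encoding and the wildcard value are assumptions for this example. */

#define SECID_WILDCARD 0u   /* assumption: secid 0 matches any label */

enum { SM_DENY = 0, SM_ALLOW = 1, SM_AUDIT = 2 };  /* result bits */

struct secmark_rule {
    uint32_t secid;   /* label to match, or SECID_WILDCARD */
    bool deny;        /* true: deny rule; false: allow rule */
    bool audit;       /* request an audit record when this rule fires */
};

struct net_profile {
    size_t secmark_count;               /* 0: old parser, no secmark policy */
    const struct secmark_rule *secmarks;
};

/* Decide whether traffic carrying `secid` is permitted under `p`.
 * Returns SM_ALLOW or SM_DENY, OR'd with SM_AUDIT when any matching
 * rule asked for auditing. */
int secmark_check(const struct net_profile *p, uint32_t secid)
{
    int result = SM_DENY;
    bool denied = false, audit = false;

    /* Case 1: an old parser emitted no secmark rules, so labeling is ignored. */
    if (p->secmark_count == 0)
        return SM_ALLOW;

    /* Case 2: a wildcard allow admits every label; any deny rule that
     * matches this secid is tested in addition to it and wins. */
    for (size_t i = 0; i < p->secmark_count; i++) {
        const struct secmark_rule *r = &p->secmarks[i];

        if (r->secid != SECID_WILDCARD && r->secid != secid)
            continue;
        if (r->deny)
            denied = true;
        else
            result = SM_ALLOW;
        audit = audit || r->audit;
    }
    if (denied)
        result = SM_DENY;
    return audit ? (result | SM_AUDIT) : result;
}

/* Constructed sample policies for the situations in the mail. */
static const struct secmark_rule bare_rules[] = {
    { SECID_WILDCARD, false, false },   /* bare network statement, new parser */
};
static const struct secmark_rule deny_rules[] = {
    { SECID_WILDCARD, false, false },   /* bare network statement ... */
    { 42, true, true },                 /* ... plus an audited deny of one label */
};
const struct net_profile old_parser_profile = { 0, NULL };
const struct net_profile new_bare_profile = {
    sizeof(bare_rules) / sizeof(bare_rules[0]), bare_rules };
const struct net_profile new_deny_profile = {
    sizeof(deny_rules) / sizeof(deny_rules[0]), deny_rules };

int main(void)
{
    printf("old parser, secid 42: %d\n", secmark_check(&old_parser_profile, 42));
    printf("new bare,   secid 42: %d\n", secmark_check(&new_bare_profile, 42));
    printf("new+deny,   secid 42: %d\n", secmark_check(&new_deny_profile, 42));
    printf("new+deny,   secid 7:  %d\n", secmark_check(&new_deny_profile, 7));
    return 0;
}
```

The point the model makes explicit is that the wildcard is what distinguishes "no secmark policy" from "allow everything, subject to denies": with secmark_count == 0 no rule is ever consulted, whereas a new-parser profile reaches the deny rules even for traffic the wildcard would otherwise admit.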
