Add Landlock V2 support.

[gnoack]

This adds support for the upcoming Landlock ABI V2.

In addition to the existing file system access rights, it is now possible to move or link files across different directories with the new 'refer' access right. (For details, see Landlock documentation.)

Changes in the library:

• Introduce landlock.V2 config as a way to explicitly ask for this ABI level for users.
• Introduce syscall.AccessFSRefer constant for the new "refer" right.
• Add PathOpt.WithRefer() method so that users can ask for "refer" right.
• The semantics of RWDirs() stay unmodified.

The 'refer' access right for a path may only be specified handledAccessFS also contains it (i.e. by using the landlock.V2 config).

Upgrade path:

Callers using the landlock.V1.BestEffort().RestrictPaths(...) form can switch to use landlock.V2.BestEffort().RestrictPaths(...) with the same parameters instead. This change is compatible with before.

If you additionally desire to link or move files between directories, make sure that both directories have the "refer" access right, by calling .WithRefer() on their landlock.PathOpt objects. For example:

err := landlock.V2.RestrictPaths(
    landlock.RWDirs("/src", "/dest").WithRefer(),
)

NOTE: Requiring the "refer" access right is incompatible with kernels before 5.19. If you want to use Landlock with earlier kernels, do not ask for that permission.

In particular, this means that using "best effort mode" in combination with the refer right will downgrade to "doing nothing" on kernels below 5.19, as linking and moving files would otherwise not work:

// Downgrades to no Landlock enforcement on Linux kernels before 5.19.
err := landlock.V2.BestEffort().RestrictPaths(
    landlock.RWDirs("/src", "/dest").WithRefer(),
)

Resolves #20.

[gnoack]

Kernel v5.19 is out, and I'll merge this in now. If you have late review comments, please feel free to ping me.

[l0kod]

LGTM. Nice work!