[very wip] Add unprivileged wayland socket

Follow-up from
- #1003

This PR creates a second wayland listening socket
($XDG_RUNTIME_DIR/wayland-unpriv) when there is at
least one protocol blocked in rc.xml.

The blocked protocols are only blocked for the new
socket, the usual wayland socket allows all protocols.

The idea is to use the unprivileged socket for
bind-mounts in sandboxes and similar. Trusted
applications are running against the usual wayland
socket and thus are able to use privileged protocols
(e.g. layershell, screen recording, foreign-toplevel)
whereas clients within a sandbox are prevented from using
those protocols.

Related:
- #1002

This PR is very much work in progress.
- [ ] Solve TODO / FIXUP comments:
  - [ ] Add close-on-exec fallbacks for the wayland socket
  - [ ] Add lockfile for the wayland socket
  - [ ] Add close-on-exec for client connections
- [ ] docs
Consolatis 2023-07-27 13:13:47 +02:00
parent 6adf19feda
commit f5257fe37d
4 changed files with 194 additions and 5 deletions
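The mechanism the commit message describes, as an added example that is not labwc code: a second Unix listening socket created close-on-exec (with the fcntl fallback the TODO list mentions), guarded by a flock() lockfile, client connections marked close-on-exec on accept, and a per-client global filter that hides the blocked interfaces only from clients that came in through the unprivileged socket. Everything here is assumed for illustration: the function names (unpriv_socket_create, unpriv_socket_accept, unpriv_global_allowed, fd_is_cloexec) are hypothetical and unrelated to the unpriv_socket_start()/is_unpriv_client() declared in the header below, the ".lock" suffix follows the libwayland convention rather than anything in this PR, and the hard-coded block list stands in for the rc.xml configuration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical block list: labwc reads its list from rc.xml, these are
 * just the three examples named in the commit message. */
static const char *const blocked_for_unpriv[] = {
	"zwlr_layer_shell_v1",
	"zwlr_screencopy_manager_v1",
	"zwlr_foreign_toplevel_manager_v1",
};

/* Policy: clients on the normal socket see every global; clients that came
 * through the unprivileged socket never see the blocked ones. In a compositor
 * this would be the body of a wl_display_set_global_filter() callback. */
bool unpriv_global_allowed(bool client_is_unpriv, const char *interface)
{
	if (!client_is_unpriv) {
		return true;
	}
	for (size_t i = 0; i < sizeof(blocked_for_unpriv) / sizeof(*blocked_for_unpriv); i++) {
		if (strcmp(interface, blocked_for_unpriv[i]) == 0) {
			return false;
		}
	}
	return true;
}

bool fd_is_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);
	return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}

/* Non-atomic fallback: a child forked between the syscall and this fcntl()
 * can still inherit fd, so it is only used where the atomic flag is missing. */
static int set_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);
	return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Common error exit; close() must not clobber the errno of the real cause. */
static int fail(int fd, int lock_fd)
{
	int saved = errno;
	if (fd >= 0) close(fd);
	if (lock_fd >= 0) close(lock_fd);
	errno = saved;
	return -1;
}

/* Create <dir>/<name> as a listening, close-on-exec socket. <dir>/<name>.lock
 * is flock()ed first, so a second instance fails with EWOULDBLOCK instead of
 * unlinking a socket that is still being served. The lock fd is returned via
 * *lock_fd_out and must stay open for as long as the socket is in use. */
int unpriv_socket_create(const char *dir, const char *name, int *lock_fd_out)
{
	struct sockaddr_un addr = { .sun_family = AF_UNIX };
	char lock_path[sizeof(addr.sun_path) + sizeof(".lock")];
	int len = snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/%s", dir, name);
	if (len < 0 || (size_t)len >= sizeof(addr.sun_path)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	snprintf(lock_path, sizeof(lock_path), "%s.lock", addr.sun_path);

	int lock_fd = open(lock_path, O_CREAT | O_RDWR | O_CLOEXEC, 0644);
	if (lock_fd < 0 || flock(lock_fd, LOCK_EX | LOCK_NB) < 0) {
		return fail(-1, lock_fd);
	}
	int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
	if (fd < 0 && errno == EINVAL) { /* kernel predates SOCK_CLOEXEC */
		fd = socket(AF_UNIX, SOCK_STREAM, 0);
		if (fd >= 0 && set_cloexec(fd) < 0) {
			return fail(fd, lock_fd);
		}
	}
	if (fd < 0) {
		return fail(-1, lock_fd);
	}
	unlink(addr.sun_path); /* any leftover path is stale: we hold the lock */
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(fd, 128) < 0) {
		return fail(fd, lock_fd);
	}
	*lock_fd_out = lock_fd;
	return fd;
}

/* Accept one client and mark the connection close-on-exec so it is not leaked
 * into programs the compositor launches. On Linux accept4(..., SOCK_CLOEXEC)
 * does this atomically; the portable accept()+fcntl() form is used here. */
int unpriv_socket_accept(int listen_fd)
{
	int fd = accept(listen_fd, NULL, NULL);
	if (fd >= 0 && set_cloexec(fd) < 0) {
		return fail(fd, -1);
	}
	return fd;
}
```

The lockfile is what makes the unlink() before bind() safe: without it, a second compositor instance (or a stale one being restarted) would remove the path of a socket that sandboxed clients are still bind-mounting, and the filter is only as strong as the guarantee that a client on the unprivileged socket cannot also reach the privileged one.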

include/server-unpriv.h Normal file

@ -0,0 +1,11 @@
/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef LABWC_SERVER_UNPRIV_H
#define LABWC_SERVER_UNPRIV_H
struct server;
struct wl_client;
void unpriv_socket_start(struct server *server);
bool is_unpriv_client(const struct wl_client *wl_client);
#endif /* LABWC_UNPRIV_H */
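Review bot: the closing comment on the last line does not match the guard that was opened: the header defines `LABWC_SERVER_UNPRIV_H` but ends with `#endif /* LABWC_UNPRIV_H */`; make it `#endif /* LABWC_SERVER_UNPRIV_H */`. The declaration of `is_unpriv_client()` also uses `bool` without this header including `<stdbool.h>`, so any translation unit that includes it before `<stdbool.h>` fails to compile; add the include (and note that `struct wl_client` is forward-declared here, so `is_unpriv_client()` can only inspect it through libwayland accessors).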