module-access: add access.socket option + legacy mode, remove other options

Add access.socket option, which sets PW_KEY_ACCESS based only on which
socket the client connected from.

Remove the executable-based permissions and all old options.  Add
access.legacy=true option that enables the old default behavior.  The
legacy mode cannot be used together with the socket-based access.

Emit warnings if any of the removed old options have been set.

Set pipewire.sec.flatpak=true for Flatpak applications.

The socket-based access ignores PW_KEY_CLIENT_ACCESS and the Flatpak
status when setting PW_KEY_ACCESS.  Dealing with them becomes the
responsibility of the session manager (or equivalent) which processes
the permission rules.

Make the default access.socket value compatible with the
module-protocol-native default two-socket configuration.

However, if neither access.socket nor access.legacy is specified, we will
for now use the legacy mode for backward compatibility.

Pauli Virtanen 2023-10-08 19:34:23 +03:00
parent 3d32291711
commit f89757e1f6
2 changed files with 217 additions and 211 deletions

@ -146,21 +146,12 @@ context.modules = [
# new clients.
{ name = libpipewire-module-access
args = {
# access.allowed to list an array of paths of allowed
# apps.
#access.allowed = [
# @session_manager_path@
#]
# Socket-specific access permissions
#access.socket = { pipewire-0 = "default", pipewire-0-manager = "unrestricted" }
# An array of rejected paths.
#access.rejected = [ ]
# An array of paths with restricted access.
#access.restricted = [ ]
# Anything not in the above lists gets assigned the
# access.force permission.
#access.force = flatpak
# Deprecated legacy mode (not socket-based),
# for now enabled by default if access.socket is not specified
#access.legacy = true
}
condition = [ { module.access = true } ]
}
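
Review bot: The commented `access.socket` example in the module-access args maps `pipewire-0-manager` to "unrestricted" without saying what protects that socket. Since the commit message states that access is set based only on which socket the client connected from, the comment above that line should say that any client able to connect to `pipewire-0-manager` gets unrestricted access. The `access.legacy` comment should also state that it cannot be used together with `access.socket`, as the commit message does. The comments for `access.allowed`, `access.rejected`, `access.restricted` and `access.force` disappear here with no replacement; a one-line note that these options are removed and now only produce a warning would help administrators who carry an older configuration.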