[Feature Request] Support matching by user name (not just user ID) and/or cgroup name

[quentinmit]

Summary:

systemd often uses dynamically-chosen UIDs for services (DynamicUser=yes). This means that rules matching with the uid operand will no longer match when a service/the system is next restarted and the process gets a newly-assigned uid. As a consequence, I have to allow a binary for all users on the system, instead of just allowing a daemon user to make connections with a binary.

At process discovery, OpenSnitch should use user.LookupId(uid) to look up the name currently assigned to a uid, and allow the result to be matched with an operand.

In addition, or perhaps in lieu, it would be helpful to match by a process's cgroup name. systemd will assign a unique cgroup to each service, so this would ensure that even if a process happens to somehow be launched as the correct user, it will still not be able to evade rules. This information is available in /proc/$pid/cgroup. For example:

$ cat /proc/$(systemctl show -P ExecMainPID sshd)/cgroup
0::/system.slice/sshd.service
$ cat /proc/self/cgroup 
0::/user.slice/user-1000.slice/[email protected]/app.slice/app-konsole-3d42e27e456a4ce9a1ad5982ed8f6a33.scope

This could be especially useful for desktop apps, because you could allow wget to be used from Konsole without also allowing it to be used by Spotify.