rust-u2f

Restrict U2F raw HID device to owning user (/dev/hidraw*)

Open danstiner opened this issue 7 years ago • 0 comments

Currently we use udev to grant access to the currently logged-in user, but this has poor behavior when multiple users are logged in at once. For example, the following steps will leak a U2F device to the wrong user:

  1. User A is logged in
    • this causes the user-daemon to request a virtual U2F device be created
    • User A, assuming they are the only interactive user logged in, will be first "seat" and so can access the device
  2. The switch user feature in GNOME is used to log in User B without terminating the session of A
    • this causes the user-daemon to request another virtual U2F device be created
    • User B is now the first "seat" and so can access both their device and the U2F device from User A

This behavior also happens with hardware keys when using u2f-hidraw-policy, but it would still be nice to address it at some point. See #2 for more detail on how this works.

My current best idea is to pass along uid/gid info in the HID device identifiers or descriptor and have a udev helper program that parses that back out and uses it to set ACL permissions appropriately.

danstiner, Jan 03 '18 09:01
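The helper proposed in the issue could look like the sketch below. It is an added example, not code from rust-u2f or from the issue author. It assumes a hypothetical encoding in which the daemon sets `HID_UNIQ=rust-u2f:uid=<decimal>` and creates the device on the virtual bus; the function names and sample uevent text are constructed for illustration.

```rust
// Added example, not rust-u2f code. ASSUMPTIONS: the daemon sets
// HID_UNIQ=rust-u2f:uid=<decimal> and creates the device on BUS_VIRTUAL.
const PREFIX: &str = "rust-u2f:uid=";
const BUS_VIRTUAL: &str = "0006"; // BUS_VIRTUAL (0x06) in linux/input.h

/// Parse a uid strictly: ASCII digits only, no sign, no leading zero,
/// never 0 (root) and never u32::MAX (the "no uid" sentinel).
fn parse_uid(s: &str) -> Option<u32> {
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) || s.starts_with('0') {
        return None;
    }
    s.parse::<u32>().ok().filter(|&n| n != u32::MAX)
}

/// Given the text of /sys/class/hidraw/hidrawN/device/uevent, return the uid
/// that should get an ACL entry, or None to leave the node at its default mode.
pub fn owner_uid(uevent: &str) -> Option<u32> {
    let mut virtual_bus = false;
    let mut uid = None;
    for line in uevent.lines() {
        if let Some(id) = line.strip_prefix("HID_ID=") {
            // HID_ID is bus:vendor:product in hex. A USB device's serial
            // string also ends up in HID_UNIQ, so only the virtual bus counts.
            virtual_bus = id.split(':').next() == Some(BUS_VIRTUAL);
        } else if let Some(v) = line.strip_prefix("HID_UNIQ=") {
            uid = v.strip_prefix(PREFIX).and_then(parse_uid);
        }
    }
    if virtual_bus { uid } else { None }
}

/// Arguments for setfacl granting only that uid read/write on the node.
pub fn setfacl_args(uid: u32, devnode: &str) -> Vec<String> {
    vec!["-m".into(), format!("u:{}:rw", uid), devnode.into()]
}

fn main() {
    // Constructed sample: the two virtual devices from the scenario above.
    let a = "HID_ID=0006:00000000:00000000\nHID_UNIQ=rust-u2f:uid=1000\n";
    let b = "HID_ID=0006:00000000:00000000\nHID_UNIQ=rust-u2f:uid=1001\n";
    for (ue, node) in [(a, "/dev/hidraw3"), (b, "/dev/hidraw4")] {
        match owner_uid(ue) {
            Some(uid) => println!("setfacl {}", setfacl_args(uid, node).join(" ")),
            None => println!("{}: no ACL added", node),
        }
    }
}
```

Each node ends up with an ACL entry for its creator only, so whichever session holds the active seat no longer decides access.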