History log of /freebsd-current/sbin/veriexec/veriexec.8
Revision Date Author Comments
# c8e7649b 09-Jan-2024 Jui-Hsuan Chang <hsuan1117@gapp.nthu.edu.tw>

veriexec(8): Fix typo

Event: Advanced UNIX Programming Course (Fall’23) at NTHU.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1018


# 1554ba03 24-Aug-2023 Simon J. Gerraty <sjg@FreeBSD.org>

Add mac_grantbylabel

This module allows controlled privilege escalation via mac labels
securely associated with a process via mac_veriexec.

There are over 700 PRIV_* but we can compress many of them into
a single GBL_* thus constraining the size of gbl labels.

The goal is to allow a daemon to run as an unprivileged process while
still being able to perform a set of privileged operations needed.

We add APIs to libveriexec so that userland processes can check labels
and an exec_script API that allows a suitably labeled process to run
something like a python interpreter directly if necessary;
overcoming the 'indirect' flag applied to the interpreter.

Add -l option to sbin/veriexec to report labels.

Reviewed by: stevek
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D41431


# fa9896e0 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/


# ab4f0a15 19-Jul-2022 Simon J. Gerraty <sjg@FreeBSD.org>

Add -S option to veriexec

During software installation, use veriexec -S to strictly
enforce certificate validity checks (notBefore, notAfter).

Otherwise ignore certificate validity period.
It is generally unacceptable for the Internet to stop working
just because someone did not upgrade their infrastructure for a decade.

Sponsored by: Juniper Networks, Inc.

Reviewed by: sebastien.bini_stormshield.eu
Differential Revision: https://reviews.freebsd.org/D35758


# a8189e9b 14-Feb-2022 Simon J. Gerraty <sjg@FreeBSD.org>

veriexec(8): explain that only a unique prefix is required

When setting or querying state it is sufficient to
provide only enough of the state name to be unambiguous.


# 39dd0ed9 03-Oct-2020 Gordon Bergling <gbe@FreeBSD.org>

veriexec(8): Bugfix for an issue reported by mandoc

- consider using OS macro: Nx

MFC after: 1 week


# eb12b8ea 25-Feb-2019 Simon J. Gerraty <sjg@FreeBSD.org>

Add verifying manifest loader for mac_veriexec

This tool will verify a signed manifest and load contents into
mac_veriexec for storage

Sponsored by: Juniper Networks
Differential Revision: D16575