Commit 0b51115

New ProgramLauncher module (APIs for launching external programs)
This module introduces function interfaces for checking permissions of external programs and launching them with dropped privileges whenever it is applicable. These functions are intended to replace the naive execlp(3) and execvp(3) calls, as the latter can launch potentially malicious programs without checking when given root privileges.

This module contains these APIs:
* ProgramLauncher_setPath()
* ProgramLauncher_execve()

Features:
* It can drop set-UID (SUID) privileges before launching a program.
* It checks the owner ID, group ID, and the permission (mode) bits of the program. The execution policy is stricter than what the OS would permit. In particular, it respects the "other execute" (o+x) bit only if the program is owned by the root user.
* It uses fexecve(3) rather than execve(2) whenever it is supported by the OS. fexecve() is safe against data races. (Unfortunately macOS and OpenBSD don't yet support fexecve() at the time of writing.)
* It can search for the program through the PATH variable and cache the result. It caches the inode as well as the full program path. If the program executable is quietly swapped during htop runtime, htop will refuse to launch the program until the htop instance ends.

Signed-off-by: Kang-Che Sung <explorer09@gmil.com>
1 parent 2618d33 commit 0b51115

4 files changed

Lines changed: 462 additions & 0 deletions
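The following is an added example written for this page; it is not htop's ProgramLauncher code and the names (`launcher_may_exec`, `launcher_open_in_path`, `launcher_cache_check`, `launcher_exec`, `LauncherCache`) are hypothetical. It shows one way to implement the policy the commit message outlines: a mode check that honours o+x only for root-owned files, privilege dropping before exec, a PATH lookup whose result is opened and fstat'ed so the same object is checked and executed, an inode-pinned cache that refuses a swapped binary, and fexecve(3) with an execve(2) fallback. The "not group- or world-writable" rule and the owner-then-group evaluation order are assumptions of this example, not stated in the commit.

```c
/* Added example (hypothetical names; not htop's ProgramLauncher code): the
 * policy the commit message describes, with owner/group/mode checks, o+x
 * honoured only for root-owned files, privilege dropping, fexecve(3) where
 * available, and a PATH lookup pinned to the file's device/inode. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct {
   bool pinned;         /* a lookup result has been recorded */
   char path[PATH_MAX]; /* full path found on the first lookup */
   dev_t dev;
   ino_t ino;
} LauncherCache;

/* Execution policy (assumed here): regular file, not group/world writable,
 * executable for the caller through u+x (owner) or g+x (group); o+x counts
 * only when the file belongs to root. Owner, then group, as the kernel does. */
bool launcher_may_exec(const struct stat* st, uid_t uid, gid_t gid) {
   if (!S_ISREG(st->st_mode) || (st->st_mode & (S_IWGRP | S_IWOTH)))
      return false;
   if (st->st_uid == uid)
      return (st->st_mode & S_IXUSR) != 0;
   if (st->st_gid == gid)
      return (st->st_mode & S_IXGRP) != 0;
   return st->st_uid == 0 && (st->st_mode & S_IXOTH) != 0;
}

/* Give up set-UID/set-GID gains; false means the caller must not exec. */
bool launcher_drop_privileges(void) {
   if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
      return false;
   return geteuid() == getuid() && getegid() == getgid();
}

/* Find a bare `name` in the colon-separated `pathList` (empty entries, which
 * execvp treats as the current directory, are skipped). Returns an
 * O_RDONLY|O_CLOEXEC descriptor and fills `outPath` and `st`, or -1. */
int launcher_open_in_path(const char* pathList, const char* name,
                          char* outPath, size_t outLen, struct stat* st) {
   if (strchr(name, '/') != NULL)
      return -1;
   for (const char* p = pathList; p != NULL && *p != '\0';) {
      const char* end = strchr(p, ':');
      size_t dirLen = end ? (size_t)(end - p) : strlen(p);
      if (dirLen > 0 && dirLen + 1 + strlen(name) < outLen) {
         snprintf(outPath, outLen, "%.*s/%s", (int)dirLen, p, name);
         int fd = open(outPath, O_RDONLY | O_CLOEXEC);
         if (fd >= 0 && fstat(fd, st) == 0 && S_ISREG(st->st_mode))
            return fd; /* fd and st describe the same object: no rename race */
         if (fd >= 0) close(fd);
      }
      p = end ? end + 1 : NULL;
   }
   return -1;
}

/* Pin the lookup to the identity first seen; false means the file behind the
 * cached path was replaced (different device/inode), and it stays refused. */
bool launcher_cache_check(LauncherCache* cache, const char* path,
                          const struct stat* st) {
   if (!cache->pinned) {
      cache->pinned = true;
      snprintf(cache->path, sizeof cache->path, "%s", path);
      cache->dev = st->st_dev;
      cache->ino = st->st_ino;
      return true;
   }
   return strcmp(cache->path, path) == 0 &&
          cache->dev == st->st_dev && cache->ino == st->st_ino;
}

/* Replace the process with argv[0] looked up in `pathList`; returns -1 only. */
int launcher_exec(LauncherCache* cache, const char* pathList,
                  char* const argv[], char* const envp[]) {
   char path[PATH_MAX]; struct stat st;
   if (!launcher_drop_privileges())
      return -1;
   int fd = launcher_open_in_path(pathList, argv[0], path, sizeof path, &st);
   if (fd < 0)
      return -1;
   if (!launcher_cache_check(cache, path, &st) ||
       !launcher_may_exec(&st, getuid(), getgid())) {
      close(fd);
      errno = EACCES;
      return -1;
   }
#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__)
   fexecve(fd, argv, envp);  /* runs exactly the object just inspected */
#else
   execve(path, argv, envp); /* fallback where fexecve() is unavailable */
#endif
   close(fd);
   return -1;
}
```

Two caveats a practitioner should keep in mind with this shape of code: on Linux, fexecve() of a `#!` script through an O_CLOEXEC descriptor fails with ENOENT because the interpreter cannot reopen the closed descriptor, so a launcher that must run scripts needs either a non-CLOEXEC descriptor or the execve() path; and the cache is deliberately sticky, so once the device/inode pair behind the cached path changes the launcher keeps refusing it, which is the "refuse until the htop instance ends" behaviour the commit message describes.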

File tree

Makefile.am

Lines changed: 2 additions & 0 deletions
@@ -74,6 +74,7 @@ myhtopsources = \
7474
Process.c \
7575
ProcessLocksScreen.c \
7676
ProcessTable.c \
77+
ProgramLauncher.c \
7778
Row.c \
7879
RichString.c \
7980
Scheduling.c \
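Review bot: ProgramLauncher.c is added to myhtopsources unconditionally, while the commit message says fexecve(3) is used only where the OS supports it and names macOS and OpenBSD as lacking it; nothing in this hunk adds a build-time probe for fexecve (for example an AC_CHECK_FUNCS entry in configure.ac), so please confirm that the feature detection the module relies on is part of this same commit, since a bare Makefile.am entry will not supply it. The alphabetical placement between ProcessTable.c and Row.c is correct.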
@@ -144,6 +145,7 @@ myhtopheaders = \
144145
Process.h \
145146
ProcessLocksScreen.h \
146147
ProcessTable.h \
148+
ProgramLauncher.h \
147149
ProvideCurses.h \
148150
ProvideTerm.h \
149151
RichString.h \
