Allow plugins to communicate with docker without disabling the sandbox

[tomerd]

Linux oriented packaging and deployment plugins often need to work with Docker, especially since Swift does not support cross compilation mac -> Linux. As an example see swift-server/swift-aws-lambda-runtime#254

In order to communicate with Docker, plugins need to perform network communication with the docker daemon which is blocked by SwiftPM plugin sandbox. As such, plugins of this kind cannot be used unless the sandbox is disabled which defeats the purpose of having a sandbox.

One possible solution is to model certain types of network communication an grants / privileges that the plugin can express as requiring, and then have SwiftPM prompt the user for explicit approval. this is similar to how plugins deal with file system write access

[tomerd]

cc @fabianfett

[abertelrud]

This makes sense, and I think there might be an interesting distinction to be drawn (if we can) between localhost and other hosts. Possibly also domain sockets vs IP sockets, if that is a distinction we can make in the sandbox.