MAC/do: Introduce rules reference counting

This is going to be used in subsequent commits to keep rules alive even
if disconnected from their jail in the meantime. We'll indeed have to
release the prison lock between two uses (outright rejection, final
granting) where the rules must absolutely stay the same for security reasons.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47619