We should bind the udev socket from systemd, so we are sure
that the abstract namespace socket is always bound by a root
process and there is never a window during an update where
an untrusted process can steal our socket.
Also split the udev.service file, so that the daemon can be
updated/restarted without triggering any coldplug events.