OK, here's a new version as a work in progress.  A lot of the new
stuff is uncommented (particularly the support code for the
tests), but there are proper docs this time and a fairly complete
test suite (but see below).

There are a couple of changes to the interface (hopefully the
last).  The recvmsg() methods no longer receive ancillary data by
default, since calling them on an AF_UNIX socket with the old
default buffer could allow a malicious sender to send unwanted
file descriptors up to receiver's resource limit, and in a
multi-threaded program, another thread could then be prevented
from opening new file descriptors before the receiving thread had
a chance to close the unwanted ones.

Since the ancillary buffer size argument is now more likely to
need a value, I've moved it to second place; the basic argument
order is now the same as in Kalman Gergely's patch.  CMSG_LEN()
and CMSG_SPACE() are now provided.

I've also used socket.error instead of ValueError when rejecting
some buffer object/array for being too big to handle, since the
system call itself might cause socket.error to be raised for a
smaller (oversized) object, failing with EMSGSIZE or whatever.

The code is now much more paranoid about checking the results of
the CMSG_*() macros, and will raise RuntimeError if it finds its
assumptions are not met.

I'd still like to add tests for receiving some of the RFC 3542
ancillary data items, especially since the SCM_RIGHTS tests can't
always (ever?) test recvmsg() with multiple items (if you send
two FD arrays, the OS can coalesce them into a single array
before delivering them).