[apparmor] changing policy compiles
John Johansen
john.johansen at canonical.com
Thu Sep 8 07:44:28 UTC 2016
I would like to propose we change how policy compiles are being done
and cached.
Currently the compiler (apparmor_parser) checks the feature set
supported by the kernel and the abi and uses this combined information
to compile the policy. The problem with this is that as features
support changes in the kernel this mandates that policy must be
recompiled even if the abi has not changed.
Instead I would like to see the compiler base its caching and compile
decision only around the compiler and kernel abis. This would mean the
full feature set supported by the compiler would be included in the
compile. The backend abi of the policydb allows for incremental
addition of new features as long as the abi of an existing feature
doesn't change. The feature set supported by the kernel could still
be used to provide warnings that certain parts of policy may not be
enforced by the current kernel.
The net effect of this change would be that the cache could be reused
between more kernels, meaning fewer policy recompiles. This also
implies that a precompiled policy could be used to support multiple
kernels, making it easier to support distribution of prebuilt cache
files.
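The effect of the two cache-key schemes described in the message, as an added model that is not apparmor_parser code and is not from the author of the post. The ABI numbers, feature names and policy below are constructed sample data; the key functions are illustrative stand-ins for however the parser actually derives its cache name. Two kernels with the same policydb ABI but different feature sets miss each other's cache under the current scheme and share one compile under the proposed one, with the features the older kernel will not enforce surfaced as a warning list instead.

```python
"""Model of the current and proposed apparmor_parser cache-key schemes.

Added illustration, not project code. Kernel names, ABI numbers, feature
names and the sample policy are constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Kernel:
    name: str
    abi: int               # policydb ABI the kernel accepts
    features: frozenset    # feature names the kernel actually enforces


@dataclass(frozen=True)
class Compiler:
    abi: int
    features: frozenset    # full feature set the compiler can emit


def cache_key_current(compiler: Compiler, kernel: Kernel) -> str:
    """Current scheme: the kernel feature set is part of the key, so any
    change in supported features forces a recompile even at the same ABI."""
    material = f"{compiler.abi}|{kernel.abi}|{','.join(sorted(kernel.features))}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def cache_key_proposed(compiler: Compiler, kernel: Kernel) -> str:
    """Proposed scheme: only the compiler and kernel ABIs decide the key."""
    material = f"{compiler.abi}|{kernel.abi}"
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def unenforced_features(policy_features: frozenset, kernel: Kernel) -> list:
    """Features the policy relies on that this kernel will not enforce.
    Under the proposal these are reported as warnings, not a recompile."""
    return sorted(policy_features - kernel.features)


class PolicyCache:
    """Counts how many compiles a sequence of kernel boots triggers."""

    def __init__(self, keyfn):
        self.keyfn = keyfn
        self.store = {}
        self.compiles = 0

    def load(self, compiler: Compiler, kernel: Kernel, policy: frozenset) -> str:
        if compiler.abi != kernel.abi:
            raise ValueError(f"{kernel.name}: ABI {kernel.abi} != compiler ABI {compiler.abi}")
        key = self.keyfn(compiler, kernel)
        if key not in self.store:
            self.compiles += 1
            # The proposal compiles the compiler's full feature set, so the
            # cached object is usable by any kernel with the same ABI.
            self.store[key] = sorted(compiler.features)
        return key


# Constructed sample data: same ABI, different enforced feature sets.
COMPILER = Compiler(abi=7, features=frozenset({"file", "network", "signal", "ptrace"}))
KERNEL_A = Kernel("kernel-a", abi=7, features=frozenset({"file", "network"}))
KERNEL_B = Kernel("kernel-b", abi=7, features=frozenset({"file", "network", "signal"}))
POLICY = frozenset({"file", "network", "signal"})


def compiles_for(keyfn, kernels=(KERNEL_A, KERNEL_B), policy=POLICY) -> int:
    """Number of compiles needed to boot each kernel once with a shared cache."""
    cache = PolicyCache(keyfn)
    for kernel in kernels:
        cache.load(COMPILER, kernel, policy)
    return cache.compiles


if __name__ == "__main__":
    print("current scheme compiles:", compiles_for(cache_key_current))
    print("proposed scheme compiles:", compiles_for(cache_key_proposed))
    for k in (KERNEL_A, KERNEL_B):
        print(f"{k.name}: not enforced ->", unenforced_features(POLICY, k))
```

The ABI check in `load` is the one hard failure left in the proposed scheme: a kernel with a different policydb ABI still gets a fresh compile, while feature differences within an ABI only change the warning output.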