[apparmor] new rule qualifier "quiet" or "noaudit"
John Johansen
john.johansen at canonical.com
Mon Apr 2 22:48:45 UTC 2018
Current apparmor has the ability to selectively quiet audit denials at
the rule level but only when the "deny" rule qualifier is used. We
would like to make the ability to quiet auditing at the rule level
available without the associated semantics of deny, which means
extending the language with a new keyword. This is a feature that can
be added with only changes to the userspace, and could also be a
profile flag, by directing the compiler to set it on every rule when
the flag is present.
Currently /sys/module/apparmor/parameters/audit supports the following:
"normal" - don't modify auditing from the profile. This option does
not make sense at the rule or profile level.
"quiet_denied" - quiet denials. Similar to quiet but does not override
the audit keyword.
"quiet" - quiet all logging. Overrides audit.
"noquiet" - do not apply rule or profile quieting. Turns off the quiet
keyword. I am not sure this makes sense at a rule level but
certainly does at the profile level.
"all" - force every event to audit. Is equivalent to the current
profile audit flag.
All of these can actually be implemented today, though when used as a
profile flag they will actually have to be carried at the rule level, so no
ability to change the profile at run time by toggling a profile flag
(when that ability lands).
Please vote for
1) quiet.
quiet w /foo/bar/**,
2) noaudit
noaudit w /foo/bar/**,
3) other
please leave your suggestion.
At the same time we should determine how it will be used as a profile
flag:
A) the keyword by it self
profile foo flags=(quiet) { ... }
profile foo flags=(noaudit) { ... }
B) the keyword as a modifier to the audit flag
profile foo flags=(audit=quiet) { ... }
profile foo flags=(audit=noaudit) { ... }
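The following is an added toy model, not AppArmor's code and not from the post, of how the five audit-parameter values listed above would combine with rule-level qualifiers to decide whether a file access is logged. The rule syntax follows the post (qualifiers, then permissions, then path); "noaudit" is accepted as an alias for "quiet". Two points are my assumptions rather than anything the post states: a "quiet" rule neither grants nor denies, it only silences logging for the permissions it matches (my reading of "without the associated semantics of deny"), and the baseline behaviour is that allowed accesses are silent unless "audit" is present, explicit "deny" rules are silent unless "audit" is present, and implicit denials (no matching rule) are logged. The glob matcher is a minimal approximation of AppArmor's ("*" does not cross "/", "**" does).

```python
"""Toy model of AppArmor rule-level audit qualifiers vs. the global
/sys/module/apparmor/parameters/audit setting. Illustrative only; the
precedence below is taken from the mailing-list post plus the stated
assumptions, not from the real apparmor_parser or kernel code."""
import re
from dataclasses import dataclass
from enum import Enum


class AuditMode(str, Enum):
    NORMAL = "normal"              # leave rule-level auditing alone
    QUIET_DENIED = "quiet_denied"  # silence denials, but 'audit' still wins
    QUIET = "quiet"                # silence everything, even 'audit'
    NOQUIET = "noquiet"            # ignore the 'quiet' keyword
    ALL = "all"                    # log every event (profile 'audit' flag)


@dataclass(frozen=True)
class Rule:
    perms: str
    path: str
    audit: bool = False  # 'audit' qualifier: force a log record
    deny: bool = False   # 'deny' qualifier: explicit denial, quiet by default
    quiet: bool = False  # proposed 'quiet' / 'noaudit' qualifier (assumption)


def parse_rule(text: str) -> Rule:
    """Parse '[audit] [deny] [quiet|noaudit] <perms> <path>,' as written in the post."""
    toks = text.strip().rstrip(",").split()
    flags = {"audit": False, "deny": False, "quiet": False}
    while toks and toks[0] in ("audit", "deny", "quiet", "noaudit"):
        tok = toks.pop(0)
        flags["quiet" if tok == "noaudit" else tok] = True
    if len(toks) != 2:
        raise ValueError(f"expected '<perms> <path>' after qualifiers: {text!r}")
    if flags["audit"] and flags["quiet"]:
        raise ValueError(f"'audit' and 'quiet' conflict on one rule: {text!r}")
    perms, path = toks
    return Rule(perms, path, **flags)


def _matches(pattern: str, path: str) -> bool:
    """Minimal AppArmor-style globbing: '*' stays within one path component, '**' does not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.fullmatch("".join(out), path) is not None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    logged: bool


def decide(rules, path: str, perm: str, mode: AuditMode = AuditMode.NORMAL) -> Decision:
    """Resolve one access (path, single permission letter) against the rule set."""
    hits = [r for r in rules if perm in r.perms and _matches(r.path, path)]
    denies = [r for r in hits if r.deny]
    allows = [r for r in hits if not r.deny and not r.quiet]
    # 'noquiet' turns the quiet keyword off entirely
    quiets = [r for r in hits if r.quiet and mode is not AuditMode.NOQUIET]
    audited = any(r.audit for r in hits)

    allowed = bool(allows) and not denies  # deny always wins over allow
    if allowed:
        logged = audited  # allowed accesses are silent unless 'audit' (assumption)
    else:
        # implicit denial is logged; a plain 'deny' or a 'quiet' rule silences
        # it; 'audit' on any matching rule re-enables the record
        silenced = any(not r.audit for r in denies) or bool(quiets)
        logged = audited or not silenced

    # global parameter applied on top of the rule-level result
    if mode is AuditMode.ALL:
        logged = True
    elif mode is AuditMode.QUIET:
        logged = False
    elif mode is AuditMode.QUIET_DENIED and not allowed:
        logged = audited
    return Decision(allowed, logged)


# Constructed sample profile fragment using the syntax from the post.
SAMPLE_RULES = [
    "rw /home/user/**,",
    "deny w /home/user/.ssh/**,",
    "audit r /etc/passwd,",
    "quiet w /proc/**,",  # proposed: silence denied writes under /proc without denying
]

if __name__ == "__main__":
    rules = [parse_rule(t) for t in SAMPLE_RULES]
    for mode in AuditMode:
        for path, perm in [("/home/user/.ssh/id_ed25519", "w"), ("/proc/self/status", "w"),
                           ("/etc/shadow", "w"), ("/etc/passwd", "r")]:
            d = decide(rules, path, perm, mode)
            print(f"{mode.value:13} {perm} {path:28} allowed={d.allowed!s:5} logged={d.logged}")
```

Running the block prints, for each parameter value, which of the sample accesses would be allowed and which would produce a log record; the interesting rows are the "/proc" write, which is denied silently under "normal" but logged under "noquiet", and the implicit "/etc/shadow" denial, which only "quiet_denied" and "quiet" suppress.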