[apparmor] [Patch 0/3 Apparmor: Add support for attaching profiles via xattr presence and value
John Johansen
john.johansen at canonical.com
Thu Feb 8 20:35:17 UTC 2018
So this is my counter-proposal.

Patch 1/3: your V2 patch rebased.
Patch 2/3 modifies the V2 patch so that the xattrs are matched using
the DFA. This provides more flexibility in what can be done with xattr
matching, and also makes it so the xattr match can be better
integrated with other match conditions when they land.
One thing to note is that it doesn't deal with the security.apparmor
xattr, which will get special treatment later on. Conditions certainly
can use security.apparmor, but it might be best to avoid it until the
patch dealing with it lands. The userspace patch dealing with this is
coming, but I need a little more time with it. Basically I borrowed the
syntax for mount rule conditions; it's not my favorite, but it already
exists and is in use. The syntax can be revised if needed, separately from
the kernel patch. Basically it allows you to specify sets of xattr
conditions:
profile foo xattrs=(security.apparmor=foo, security.ima=bar) {
..
}
Pattern matching can be used in the xattr values but not for the xattr
name. Multiple pattern sets can be defined, and xattrs can be set as
being required to be present or optional. I'll provide the full syntax
with the userspace patch so you can play with it.
Patch 3/3 tries to address the overlapping expr bug. It's not directly
related, but I cherry-picked it onto the set as it might be worth
discussing whether we want to do partial overlap resolution of xattrs as we
are doing with the executable name, or whether we want to, at least for
now, stick with just counting up the number of xattr matches.
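The behaviour sketched in the message above (exact xattr names, pattern-matched values, required versus optional presence, and resolving overlapping profiles by counting matched xattrs) as a small Python model. This is an added example written for this page, not code from the patch set or from the AppArmor kernel or userspace parser. Assumptions: the only clause syntax parsed is the `xattrs=(name=value, ...)` form shown in the message (all such conditions are treated as required; the optional form is modelled as a data flag because its syntax is not shown); value patterns use shell-style globs via `fnmatch` as a stand-in for AppArmor's DFA patterns; an optional xattr may be absent, but if present its value must still match; and among matching profiles the one with the most matched xattrs wins, with ties left to the first profile seen, which is exactly the open question raised for patch 3/3.

```python
"""Model of profile attachment by xattr presence and value.

Illustrative example for this page, not AppArmor code.  See the lead-in
for the assumptions it makes about syntax and matching rules.
"""
import fnmatch
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class XattrCond:
    """One condition: exact xattr name, glob pattern for its value.

    `required=False` is an assumed representation of "optional presence";
    the message does not show how that is spelled in the profile language.
    """
    name: str
    pattern: str
    required: bool = True


def parse_xattrs_clause(clause: str) -> List[XattrCond]:
    """Parse the form shown in the message:
    xattrs=(security.apparmor=foo, security.ima=bar)
    Every condition produced is required; names are taken literally.
    """
    clause = clause.strip()
    if not clause.startswith("xattrs=(") or not clause.endswith(")"):
        raise ValueError("expected a clause of the form xattrs=(...)")
    body = clause[len("xattrs=("):-1]
    conds: List[XattrCond] = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, pattern = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"bad xattr condition: {item!r}")
        conds.append(XattrCond(name.strip(), pattern.strip()))
    return conds


def match_xattrs(conds: List[XattrCond], xattrs: Dict[str, bytes]) -> Optional[int]:
    """Evaluate a condition set against a file's xattrs.

    Returns the number of xattrs that matched, or None if the set fails
    (a required xattr missing, or any listed xattr present with a value
    that does not match its pattern).  The name is compared exactly; only
    the value goes through pattern matching (fnmatch stands in for the
    kernel DFA here).
    """
    matched = 0
    for cond in conds:
        value = xattrs.get(cond.name)
        if value is None:
            if cond.required:
                return None
            continue  # optional and absent: tolerated, not counted
        text = value.decode("utf-8", errors="replace")
        if not fnmatch.fnmatchcase(text, cond.pattern):
            return None
        matched += 1
    return matched


def select_profile(profiles: Dict[str, List[XattrCond]],
                   xattrs: Dict[str, bytes]) -> Optional[str]:
    """Pick the profile whose condition set matched the most xattrs.

    This is the "count up the number of xattr matches" rule from the
    message; a tie keeps the first profile seen, which is the ambiguity a
    real overlap-resolution scheme would have to settle.
    """
    best_name, best_count = None, -1
    for name, conds in profiles.items():
        count = match_xattrs(conds, xattrs)
        if count is not None and count > best_count:
            best_name, best_count = name, count
    return best_name


def read_file_xattrs(path: str) -> Dict[str, bytes]:
    """Read a real file's xattrs (Linux only; needs a filesystem with xattr
    support).  Not exercised by the constructed examples below."""
    return {name: os.getxattr(path, name) for name in os.listxattr(path)}


if __name__ == "__main__":
    # Constructed xattr sets standing in for files on disk.
    conds = parse_xattrs_clause("xattrs=(security.apparmor=foo, security.ima=bar)")
    profiles = {"generic": [XattrCond("security.apparmor", "*")], "foo": conds}
    print(select_profile(profiles, {"security.apparmor": b"foo", "security.ima": b"bar"}))
    print(select_profile(profiles, {"security.apparmor": b"other"}))
```

`read_file_xattrs` is the only part that touches the filesystem; pair it with `select_profile` to see which hypothetical profile a real file would attach to, keeping in mind the message's caveat that security.apparmor will get separate treatment.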