apparmor pull-request for 4.16

+ Features
  - add base infrastructure for socket mediation. ABI bump and
    additional checks to ensure only v8 compliant policy uses
    socket af mediation.
  - improve and cleanup dfa verification
  - improve profile attachment logic
    - improve overlapping expression handling
    - add the xattr matching to the attachment logic
  - improve signal mediation handling with stacked labels
  - improve handling of no_new_privs in a label stack

+ Cleanups and changes
  - use dfa to parse string split
  - bounded version of label_parse
  - proper line wrap nulldfa.in
  - split context out into task and cred naming to better match usage
  - simplify code in aafs

+ Bug fixes
  - fix display of .ns_name for containers
  - fix resource audit messages when auditing peer
  - fix logging of the existence test for signals
apparmor: add base infrastructure for socket mediation

version 2 - Force an abi break. Network mediation will only be
            available in v8 abi compliant policy.

Provide a basic mediation of sockets. This is not a full net mediation
but just whether a specific family of socket can be used by an
application, along with setting up some basic infrastructure for
network mediation to follow.

The user space rule has the basic form of
  NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ]
                 [ TYPE | PROTOCOL ]

  DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' |
             'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' |
             'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
             'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' |
             'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' |
             'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' |
             'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' |
             'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

  TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' |
           'packet' )

  PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

eg.
  network,
  network inet,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
12 files changed