libapparmor: Set errno to EEXIST when only invalid caches are available

The errno values libapparmor's aa_policy_cache_new() uses to indicate
when the cache directory does not exist and when an existing, invalid
cache already exists needed to be separated out. They were both ENOENT
but now the latter situation uses EEXIST.

libapparmor also needed to be updated to not print an error message to
the syslog from aa_policy_cache_new() when the max_caches parameter is
0, indicating that a new cache should not be created, and the cache
directory does not exist. This is an error situation but a debug message
is more appropriate.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/src/policy_cache.c

@@ -78,7 +78,7 @@ static int init_cache_features(aa_policy_cache *policy_cache,
 	} else if (!aa_features_is_equal(policy_cache->features,
 					 kernel_features)) {
 		if (!create) {
-			errno = ENOENT;
+			errno = EEXIST;
 			return -1;
 		}
 
@@ -166,8 +166,10 @@ open:
 			if (mkdirat(dirfd, path, 0700) == 0)
 				goto open;
 			PERROR("Can't create cache directory '%s': %m\n", path);
-		} else {
+		} else if (create) {
 			PERROR("Can't update cache directory '%s': %m\n", path);
+		} else {
+			PDEBUG("Cache directory '%s' does not exist\n", path);
 		}
 
 		save = errno;

parser/parser_main.c

@@ -921,7 +921,7 @@ int main(int argc, char *argv[])
 		retval = aa_policy_cache_new(&policy_cache, features,
 					     AT_FDCWD, cacheloc, max_caches);
 		if (retval) {
-			if (errno != ENOENT) {
+			if (errno != ENOENT && errno != EEXIST) {
 				PERROR(_("Failed setting up policy cache (%s): %s\n"),
 				       cacheloc, strerror(errno));
 				return 1;