parser: convert xmatch to use out of band transitions

xattrs can contain NULL characters in their values which means we can
not user regular NULL transitions to separate values. To fix this
use out of band transition instead.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/libapparmor_re/aare_rules.cc

@@ -140,13 +140,14 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
 
 /*
  * append_rule is like add_rule, but appends the rule to any existing rules
- * with a null transition. The appended rule matches with the same permissions
+ * with a separating transition. The appended rule matches with the same
+ * permissions
  * as the rule it's appended to.
  *
  * This is used by xattrs matching where, after matching the path, the DFA is
  * advanced by a null character for each xattr.
  */
-bool aare_rules::append_rule(const char *rule, dfaflags_t flags)
+bool aare_rules::append_rule(const char *rule, bool oob, dfaflags_t flags)
 {
 	Node *tree = NULL;
 	if (regex_parse(&tree, rule))
@@ -162,13 +163,13 @@ bool aare_rules::append_rule(const char *rule, dfaflags_t flags)
 
 	/*
 	 * For each matching state, we want to create an optional path
-	 * separated by a null character.
+	 * separated by a separating character.
 	 *
 	 * When matching xattrs, the DFA must end up in an accepting state for
 	 * the path, then each value of the xattrs. Using an optional node
 	 * lets each rule end up in an accepting state.
 	 */
-	tree = new OptionalNode(new CatNode(new CharNode(0), tree));
+	tree = new OptionalNode(new CatNode(oob ? new CharNode(transchar(-1, true)) : new CharNode(0), tree));
 	PermExprMap::iterator it;
 	for (it = expr_map.begin(); it != expr_map.end(); it++) {
 		expr_map[it->first] = new CatNode(it->second, tree);