
Add stub rules to indicate compilation support for given features.

Policy enforcement needs to be able to support older userspaces and
compilers that don't know about new features. The absence of a feature
in the policydb indicates that feature mediation is not present for
it.

We add stub rules, that provide a non-zero start state for features that
are supported at compile time. This can be used by the kernel to
indicate that it should enforce a given feature. This does not indicate
the feature is allowed; in the absence of other rules for the feature,
the feature will be denied.

Note: this will break the minimize tests when run with kernels that
      support mount or dbus rules. A patch to specify these features to
      the parser is needed to fix this.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
John Johansen
2014-04-15 15:00:28 -07:00
parent 94632cdca5
commit 6eeaabb33c


@@ -673,6 +673,12 @@ int post_process_policydb_ents(Profile *prof)
return TRUE;
}
#define MAKE_STR(X) #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)
static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS);
int process_profile_policydb(Profile *prof)
{
int error = -1;
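Review bot: `CLASS_STR(X)` only produces the intended `"\\d<number>"` because `X` is macro-expanded in `CLASS_STR` before `MAKE_STR` stringizes it, so the two added macros are correct only as long as `AA_CLASS_MOUNT` and `AA_CLASS_DBUS` are object-like macros that expand to a number; if either were an enumerator or a `const` the result would silently become the string `"\\dAA_CLASS_MOUNT"`, which compiles and is accepted as a rule but never marks the class, and the page does not show which kind they are. A comment on the macro pair would spare the next reader from re-deriving the two-level expansion: `/* two-level expansion: CLASS_STR expands X to its numeric value before MAKE_STR stringizes it; \d<n> is the rule grammar's decimal byte escape for the class byte */`. Since nothing in the hunk reassigns them, `mediates_mount` and `mediates_dbus` could be declared `static const char *const` so the pointers themselves are immutable. The hunk ends inside `process_profile_policydb`, whose body continues outside it.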
@@ -684,6 +690,20 @@ int process_profile_policydb(Profile *prof)
if (!post_process_policydb_ents(prof))
goto out;
/* insert entries to show indicate what compiler/policy expects
* to be supported
*/
if (kernel_supports_mount) {
if (!aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
goto out;
prof->policy.count++;
}
if (kernel_supports_dbus) {
if (!aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
goto out;
prof->policy.count++;
}
if (prof->policy.count > 0) {
prof->policy.dfa = aare_create_dfa(prof->policy.rules,
&prof->policy.size,