parser: don't set xbits when using permstable32_v1

The use of xbits can not pass verification so we need to leave them
off this makes the profile a leaf profile.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/parser_common.c

@@ -90,7 +90,7 @@ int kernel_supports_oob = 0;		/* out of band transitions */
 int kernel_supports_promptdev = 0;	/* prompt via audit perms */
 int kernel_supports_permstable32 = 0;	/* extended permissions */
 int kernel_supports_permstable32_v1 = 0;	/* extended permissions */
-int prompt_compat_mode = 0;
+int prompt_compat_mode = PROMPT_COMPAT_UNKNOWN;
 int conf_verbose = 0;
 int conf_quiet = 0;
 int names_only = 0;
@@ -176,12 +176,19 @@ bool prompt_compat_mode_supported(int mode)
 	if (mode == PROMPT_COMPAT_PERMSV2 &&
 	    (kernel_supports_permstable32 && !kernel_supports_permstable32_v1))
 		return true;
+	/*
 	else if (mode == PROMPT_COMPAT_DEV &&
 		 kernel_supports_promptdev)
 		return true;
+	*/
+	else if (mode == PROMPT_COMPAT_FLAG &&
+		 kernel_supports_permstable32)
+		return true;
+	/*
 	else if (mode == PROMPT_COMPAT_PERMSV1 &&
 		 (kernel_supports_permstable32_v1))
 		return true;
+	*/
 	else if (mode == PROMPT_COMPAT_IGNORE)
 		return true;
 
@@ -194,6 +201,8 @@ int default_prompt_compat_mode()
 		return PROMPT_COMPAT_PERMSV2;
 	if (prompt_compat_mode_supported(PROMPT_COMPAT_DEV))
 		return PROMPT_COMPAT_DEV;
+	if (prompt_compat_mode_supported(PROMPT_COMPAT_FLAG))
+		return PROMPT_COMPAT_FLAG;
 	if (prompt_compat_mode_supported(PROMPT_COMPAT_PERMSV1))
 		return PROMPT_COMPAT_PERMSV1;
 	if (prompt_compat_mode_supported(PROMPT_COMPAT_IGNORE))
@@ -207,6 +216,9 @@ void print_prompt_compat_mode(FILE *f)
 	case PROMPT_COMPAT_IGNORE:
 		fprintf(f, "ignore");
 		break;
+	case PROMPT_COMPAT_FLAG:
+		fprintf(f, "flag");
+		break;
 	case PROMPT_COMPAT_PERMSV2:
 		fprintf(f, "permsv2");
 		break;