parser: fix 16 bit state limitation

The hfa stores next/check transitions in 16 bit fields to reduce memory
usage. However this means the state machine can on contain 2^16
states.

Allow the next/check tables to be 32 bit. This theoretically could allow
for 2^32 states however the base table uses the top 8 bits as flags
giving us only 2^24 bits to index into the next/check tables. With
most states having at least 1 transition this effectively caps the
number of states at 2^24.

To obtain 2^32 possible states a flags table needs to be added. Add
a skeleton around supporting a flags table, so we can note the remaining
work that needs to be done. This patch will only allow for 2^24 states.

Bug: https://gitlab.com/apparmor/apparmor/-/issues/419

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/libapparmor_re/aare_rules.cc

@@ -344,7 +344,7 @@ void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
 			*size = 0;
 			return NULL;
 		}
-		chfa->flex_table(stream);
+		chfa->flex_table(stream, opts);
 		delete (chfa);
 	}
 	catch(int error) {
@@ -417,7 +417,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
 		policy_chfa->weld_file_to_policy(*file_chfa, *new_start,
 						 extended_perms, prompt,
 						 perms_table, file_perms);
-		policy_chfa->flex_table(stream);
+		policy_chfa->flex_table(stream, opts);
 	}
 	catch(int error) {
 		delete (file_chfa);