parser: fix 16 bit state limitation

The hfa stores next/check transitions in 16 bit fields to reduce memory
usage. However this means the state machine can on contain 2^16
states.

Allow the next/check tables to be 32 bit. This theoretically could allow
for 2^32 states however the base table uses the top 8 bits as flags
giving us only 2^24 bits to index into the next/check tables. With
most states having at least 1 transition this effectively caps the
number of states at 2^24.

To obtain 2^32 possible states a flags table needs to be added. Add
a skeleton around supporting a flags table, so we can note the remaining
work that needs to be done. This patch will only allow for 2^24 states.

Bug: https://gitlab.com/apparmor/apparmor/-/issues/419

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/parser_main.c

@@ -1564,6 +1564,10 @@ static bool get_kernel_features(struct aa_features **features)
 						       "policy/set_load");
 	kernel_supports_diff_encode = aa_features_supports(*features,
 							   "policy/diff_encode");
+	kernel_supports_state32 = aa_features_supports(*features,
+						       "policy/state32");
+	kernel_supports_flags_table = aa_features_supports(*features,
+						     "policy/flags_table");
 	kernel_supports_oob = aa_features_supports(*features,
 						   "policy/outofband");
 
@@ -1590,6 +1594,14 @@ static bool get_kernel_features(struct aa_features **features)
 		/* clear diff_encode because it is not supported */
 		parseopts.control &= ~CONTROL_DFA_DIFF_ENCODE;
 
+	if (!kernel_supports_state32)
+		parseopts.control &= ~CONTROL_DFA_STATE32;
+	if (!kernel_supports_flags_table || !kernel_supports_state32)
+		/* if only encoding 16 bit states, don't waste space on
+		 * a flags table
+		 */
+		parseopts.control &= ~CONTROL_DFA_FLAGS_TABLE;
+
 	return true;
 }