parser: add special casing for detached move mounts

upsteam move_mount mediation now allows for a detached (disconnected)
mount to be move mounted into a namespace.

Add support for this by detecting 'detached' as a keyword for the
source/device and using it to create a null match. Because existing
mount encoding using a null separator between the mount terms null
match followed by the null seperator will separate detached mounts
within the existing encoding.

Eg.
  mount detached -> /destination,
  mount options=(ro) fstype=ext4 detached -> /destination,

This is functionally equivalent to using

  mount "" -> /destination,

However using "" does not provide any context that about what the rule is allowing or why so the 'detached' form is preferred.

This is not a perfect solution, but is what can be currently supported
by the kernel without more LSM hooks.

On kernels that don't support detached mount detection, rules using
the detached souce conditional will be ignored (never matched).

This encoding also allows the existing

  mount,
  mount options=(move),
  mount options=(move) -> /destination,

to continue to work with both detached and regular mounts on kernels
that support the move_mount() syscall.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/parser_main.c

@@ -956,6 +956,14 @@ void set_supported_features()
 	features_supports_mount = features_intersect(kernel_features,
 						     policy_features,
 						     "mount");
+	/*
+	 * note: detached mounts are just a null condition, so previous
+	 *       mount rule encoding supports it, if the kernel supports
+	 *       it. So support for detached depends on mount intersect and
+	 *       kernel detached.
+	 */
+	features_supports_detached_mount = aa_features_supports(kernel_features,
+							      "mount/move_mount/detached");
 	features_supports_dbus = features_intersect(kernel_features,
 						    policy_features, "dbus");
 	features_supports_signal = features_intersect(kernel_features,