[apparmor] [PATCH] fix the fix for network flag when generating policy
John Johansen
john.johansen at canonical.com
Mon Jul 2 08:27:34 UTC 2012
The previous patch to fix policy compilation around the network flag had a
serious flaw. The test for the network flag was being applied against both
the kernel flags and the cache flags. This means that if either the kernel
or the cache did not have the flag set then network mediation would be
turned off.
Thus if a kernel was booted without the flag, and a cache was generated
based on that kernel and then the system was rebooted into a kernel with
the network flag present, the parser on generating the new policy would
detect the old cache did not support network and turn it off for the
new policy as well.
This can be fixed by either removing the old cache first or regenerating
the cache twice, as the first generation will write that networking is
supported in the cache (even though the policy will have it disabled), and
the second generation will generate the correct policy.
The following patch moves the test so that it is only applied to the kernel
flags set.
---
=== modified file 'parser/parser_main.c'
--- parser/parser_main.c 2012-07-01 08:35:05 +0000
+++ parser/parser_main.c 2012-07-02 07:49:14 +0000
@@ -873,11 +873,6 @@
//fprintf(stderr, "flags string: %s\n", flags_string);
//fprintf(stderr, "changehat %d\n", flag_changehat_version);
}
- if (strstr(flags_string, "network"))
- kernel_supports_network = 1;
- else
- kernel_supports_network = 0;
-
return;
fail:
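Review bot: with the `strstr(flags_string, "network")` block removed from this function, nothing in it assigns `kernel_supports_network` any more, so the function's doc comment (if it mentions deriving network support from the flags string) should be updated to say that the decision now lives with the caller on the kernel-flags path only, otherwise the next reader will assume the cache flags still influence it. The two commented-out `//fprintf(stderr, ...)` debug lines left as context are a pre-existing style nit that could be dropped in the same change.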
@@ -1187,7 +1182,12 @@
write_cache = 0;
skip_read_cache = 1;
return;
- }
+ } else if (strstr(flags_string, "network"))
+ kernel_supports_network = 1;
+ else
+ kernel_supports_network = 0;
+
+
/*
* Deal with cache directory versioning:
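Review bot: the new `else if`/`else` chain is attached to an `if` whose body is braced and ends in `return;`, while the two new branches are unbraced one-liners; for readability and to avoid a dangling-else mistake on a later edit, brace both branches (`} else if (strstr(flags_string, "network")) {` ... `} else {` ... `}`) and drop one of the two blank lines added after them. Two points to confirm: first, on the early-return path above (`write_cache = 0; skip_read_cache = 1; return;`) `kernel_supports_network` is never assigned in this function, so it must have a deliberate default at its definition; second, `strstr()` is a substring match, so any other flag whose name contains "network" would also enable mediation, and a token-delimited comparison against the flags string would be more robust.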