[apparmor] RFC: Policy versioning

John Johansen john.johansen at canonical.com
Mon Dec 11 04:12:20 UTC 2017


> 
> 3. Policy hashing for better cache consistency
> 
>   We need to adopt policy hashing to provide better cache consistency.
>   This is not only so we can fix problems with using file time stamps
>   but also as a way to detect inconsistencies with the compiled feature
>   set.
> 
>   With the feature abi becoming an integral part of policy compiles it
>   is critical we detect any changes to the features abi. Previously
>   the cache was cleared when the kernel features abi was changed but
>   that is no longer the case, with multiple caches being retained.
>   However within each of those caches profile abis can change and we
>   need to ensure that the change is picked up.
> 
>   
As noted in my reply to Christian I missed explaining well one of the
main reasons for policy hashing. So I wanted to make sure it was easy
for others to find by directly replying to the initial RFC.

Conditional policy has to have something more than time stamps to
detect changes.

Conditional includes could be managed with just hashing of the
policy timestamps, but conditional blocks within policy need
actual hashing of policy, or at least the conditionals that can
trigger the policy conditionals.
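The cache-key distinction above, as an added example that is not part of this thread or of the AppArmor code: a toy policy with a conditional block is keyed once by file mtime and once by a hash of the policy text plus the state of every feature-abi entry it conditions on. The "#if <feature>" / "#endif" syntax and the feature names are assumptions made for the example, not AppArmor's actual conditional syntax.

```python
import hashlib
import re

# Constructed sample policy. "#if <feature>" / "#endif" is an assumed
# conditional-block syntax for this example, not AppArmor's real one.
POLICY = """\
profile demo {
  /etc/demo.conf r,
#if network
  network inet stream,
#endif
}
"""

def referenced_features(policy: str) -> list:
    """Names of the feature-abi entries that can trigger a conditional block."""
    return sorted(set(re.findall(r"^#if\s+(\S+)", policy, re.M)))

def render(policy: str, features: set) -> str:
    """Expand conditional blocks against the kernel feature abi."""
    out, keep = [], [True]
    for line in policy.splitlines():
        if line.startswith("#if "):
            keep.append(keep[-1] and line[4:].strip() in features)
        elif line.startswith("#endif"):
            keep.pop()
        elif keep[-1]:
            out.append(line)
    return "\n".join(out) + "\n"

def timestamp_key(mtime: float) -> str:
    """Mtime-only check: sees the policy file, never the feature abi."""
    return f"mtime:{mtime}"

def hash_key(policy: str, features: set) -> str:
    """Hash of the policy text plus the state of each feature it conditions on."""
    h = hashlib.sha256(policy.encode())
    for name in referenced_features(policy):
        h.update(f"\0{name}={int(name in features)}".encode())
    return h.hexdigest()

if __name__ == "__main__":
    old_abi = {"file", "network"}
    new_abi = {"file"}  # kernel dropped "network"; the policy file is untouched
    print(timestamp_key(1512000000.0) == timestamp_key(1512000000.0))  # True: stale hit
    print(hash_key(POLICY, old_abi) == hash_key(POLICY, new_abi))      # False: detected
```

Features the policy never conditions on (e.g. an extra "dbus" entry) leave the hash key unchanged, so only the conditionals that can trigger a change invalidate the cache.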
