parser: determine xmatch priority based on smallest DFA match
The length of a xmatch is used to prioritize multiple profiles that match the same path, with the intent that the more specific match wins. Currently, the length of a xmatch is computed by the position of the first regex character.
While trying to work around issues with no_new_privs by combining profiles, we noticed that the xmatch length computation doesn't work as expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though "bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible match and use that for xmatch priority instead of the position of the first regex character.