support matching xattr keys but not values
This requires apparmor-kernel!4
Support profiles that choose to match the presence of an extended attribute without validating its value. This lets AppArmor target xattrs with binary data, such as security.ima and security.evm values. For example, it's now possible to write a profile such as:
    profile signed_binaries /** xattrs=(security.ima) {
        // ...
    }
Both presence and value matches can be used in the same profile. To match a signed xattr, target both the xattr and the security.ima value:
    profile python_script /** xattrs=(
        security.evm
        security.apparmor="python"
    ) {
        // ...
    }
Signed-off-by: Eric Chiang <ericchiang@google.com>
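
The following is an added example, not code from this change or from AppArmor: a simplified Python model of how the two kinds of `xattrs=(...)` entries described above decide whether a profile attaches. It assumes value matches are literal byte comparisons, ignores the path glob, and verifies no signature; the function names and the sample xattr bytes are constructed for illustration.

```python
import re

# One entry in an xattrs=( ... ) list: a key, optionally followed by ="value".
_ENTRY = re.compile(r'([\w.\-]+)(?:="([^"]*)")?')


def parse_xattrs(header):
    """Return {key: expected value, or None for a presence-only entry}."""
    m = re.search(r'xattrs=\((.*?)\)', header, re.S)
    if not m:
        return {}
    return {e.group(1): e.group(2) for e in _ENTRY.finditer(m.group(1))}


def attachment_matches(conds, file_xattrs):
    """file_xattrs maps xattr name -> raw bytes (the shape os.getxattr returns)."""
    for key, expected in conds.items():
        if key not in file_xattrs:
            return False  # a missing key fails both kinds of entry
        if expected is not None and file_xattrs[key] != expected.encode():
            return False  # value entry: contents must be equal
        # presence-only entry: the (possibly binary) value is never inspected
    return True


# Profile headers taken from the description above.
SIGNED = 'profile signed_binaries /** xattrs=(security.ima) {'
PYTHON = ('profile python_script /** xattrs=(\n'
          '    security.evm\n'
          '    security.apparmor="python"\n'
          ') {')

# Constructed sample files; the signature bytes are arbitrary binary data.
signed_binary = {"security.ima": b"\x03\x02\x04\xd1\x9a\x00\xff"}
signed_script = {"security.evm": b"\x03\x02\x00\xfe",
                 "security.apparmor": b"python"}
unsigned_script = {"security.apparmor": b"python"}

if __name__ == "__main__":
    for name, xattrs in [("signed_binary", signed_binary),
                         ("signed_script", signed_script),
                         ("unsigned_script", unsigned_script)]:
        print(name,
              attachment_matches(parse_xattrs(SIGNED), xattrs),
              attachment_matches(parse_xattrs(PYTHON), xattrs))
```
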