Merge parser: fix mapping of AA_CONT_MATCH for policydb compat entries

The mapping of AA_CONT_MATCH was being dropped resulting in the
tcp tests failing because they would only match up to the first conditional
match check in the layout.

Bug: https://gitlab.com/apparmor/apparmor/-/issues/462
Fixes: e29f5ce5f ("parser: if extended perms are supported by the kernel build a permstable")
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1409
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

parser/libapparmor_re/policy_compat.cc

@@ -182,6 +182,8 @@ struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2,
 	perms.prompt = dfa_user_allow(accept3);
 	perms.audit = dfa_user_audit(accept1, accept2);
 	perms.quiet = dfa_user_quiet(accept1, accept2);
+	if (accept1 & AA_COMPAT_CONT_MATCH)
+		perms.allow |= AA_CONT_MATCH;
 
 	/*
 	 * This mapping is convulated due to history.

parser/network.cc

@@ -721,7 +721,7 @@ bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &st
 
 	cond_perms = map_perms(perms);
 	if (!is_cmd && (label || is_peer))
-		cond_perms = (AA_CONT_MATCH << 1);
+		cond_perms = AA_COMPAT_CONT_MATCH;
 
 	for (auto &oss : streams) {
 		oss << "\\x00"; /* null transition */

parser/perms.h

@@ -65,6 +65,9 @@
 #define AA_MAY_DELEGATE
 #define AA_CONT_MATCH		0x08000000
 
+// TODO: move into a reworked immunix.h that is dependent on perms.h
+#define AA_COMPAT_CONT_MATCH	(AA_CONT_MATCH << 1)
+
 #define AA_MAY_STACK		0x10000000
 #define AA_MAY_ONEXEC		0x20000000 /* either stack or change_profile */
 #define AA_MAY_CHANGE_PROFILE	0x40000000