Thanks afl.

Now that we can read the resulting rules, they are no longer necessary.

slsm_serialize_subtree allocates, so we can't rely on RCU.

Also change $CAT to $HEAD in / tests, as test_cmp seems to use $CAT.

Reorders were necessary in a few cases to match the generated output.

Gets rid of a special case in slsm_serialize_subtree.

Before this commit all prefixes were considered matches.

Tests still missing.

"//init" will never occur as a valid path so it stays unique.

Fixes a potential BUG_ON in tree.c's slsm_query_perms().

cred uses RCU which requires appropriate locking which are handled by
current_security() and current_cred().

Previously the strings as received from the user were printed
out again, which is not as helpful.

An exact rule only matches if it applies at the end of the path
that is being accessed.

A confined process will never change its label and will thus
never gain new permissions.
Unlike the inherit flag, the confined process does not inherit
the permissions of the execing (unconfined) process.

passt_dup_task() initializes all fields, not just ->label.

Add test.

Rename SLSM_ALLOW_* to SLSM_MODE_*.
Sysfs interface flags have been altered as follows:
  'p' is now path (previously 'f')
  'f' is now flags (new, inherit is f=1)
  'm' is now mode (previously 'p')

Also fixes wrong return PTR_ERR() in create_passtfs().

Also fixes race conditions with concurrent writes.

Despite being simpler this also handles the inherit flag (and
potential future flags) properly.

As far as I can tell, this function was never actually called.
The __init suggests it was a remnant of copying from AppArmor,
where a similar function is used for cleanup if something goes
wrong in aa_create_aafs().