Previously the strings as received from the user were printed
out again, which is not as helpful.

An exact rule only matches if it applies at the end of the path
that is being accessed.

A confined process will never change its label and will thus
never gain new permissions.
Unlike the inherit flag, the confined process does not inherit
the permissions of the execing (unconfined) process.

passt_dup_task() initializes all fields, not just ->label.

Add test.

Rename SLSM_ALLOW_* to SLSM_MODE_*.
Sysfs interface flags have been altered as follows:
  'p' is now path (previously 'f')
  'f' is now flags (new, inherit is f=1)
  'm' is now mode (previously 'p')

Also fixes wrong return PTR_ERR() in create_passtfs().

Also fixes race conditions with concurrent writes.

Despite being simpler this also handles the inherit flag (and
potential future flags) properly.

As far as I can tell, this function was never actually called.
The __init suggests it was a remnant of copying from AppArmor,
where a similar function is used for cleanup if something goes
wrong in aa_create_aafs().

Only hardlinks where the mode for the link is at least as
restrictive as for the target are allowed.

The previous kref scheme was racy, fixes #2.

This doesn't prevent bypasses when linking protected files, but allows
the user to prevent a program from creating any hard links at all.

Those conditions should never happen and might compromise the security
of the system, therefore abort.

No longer use FMODE_READ/FMODE_WRITE and MAY_READ/MAY_WRITE/MAY_EXEC and
a custom value for the inherit flag which might conflict with other
values used by the kernel. Also change type to unsigned to allow more
extensions in the future.

This is a backwards incompatible change of the values of the "p=" field
in the slsm security file system!

Instead pass size_t as pointer to update it and return the (signed)
error values.

Fixes a memory leak where the last rule was not freed.

If a single write call fails, the current rules shouldn't be removed.
It's possible that the next call might succeed.