[PATCH 1/9] libsepol: ebitmap: mark nodes of const ebitmaps const

[PATCH 1/9] libsepol: ebitmap: mark nodes of const ebitmaps const

[Christian Göttsche]

Mark pointers to nodes of const ebitmaps also const. C does not enforce
a transitive const-ness, but it clarifies the intent and improves
maintainability.

Follow-up of 390ec54d278a

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/ebitmap.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c
index 4e9acdf8..1de3816a 100644
--- a/libsepol/src/ebitmap.c
+++ b/libsepol/src/ebitmap.c
@@ -17,7 +17,8 @@
 
 int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2)
 {
-	ebitmap_node_t *n1, *n2, *new, *prev;
+	const ebitmap_node_t *n1, *n2;
+	ebitmap_node_t *new, *prev;
 
 	ebitmap_init(dst);
 
@@ -154,7 +155,7 @@ int ebitmap_hamming_distance(const ebitmap_t * e1, const ebitmap_t * e2)
 
 int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
 {
-	ebitmap_node_t *n1, *n2;
+	const ebitmap_node_t *n1, *n2;
 
 	if (e1->highbit != e2->highbit)
 		return 0;
@@ -175,7 +176,8 @@ int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
 
 int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
 {
-	ebitmap_node_t *n, *new, *prev;
+	const ebitmap_node_t *n;
+	ebitmap_node_t *new, *prev;
 
 	ebitmap_init(dst);
 	n = src->node;
@@ -204,7 +206,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
 
 int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
 {
-	ebitmap_node_t *n1, *n2;
+	const ebitmap_node_t *n1, *n2;
 
 	if (e1->highbit < e2->highbit)
 		return 0;
@@ -231,8 +233,8 @@ int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
 
 int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
 {
-	ebitmap_node_t *n1 = e1->node;
-	ebitmap_node_t *n2 = e2->node;
+	const ebitmap_node_t *n1 = e1->node;
+	const ebitmap_node_t *n2 = e2->node;
 
 	while (n1 && n2) {
 		if (n1->startbit < n2->startbit) {
@@ -253,7 +255,7 @@ int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
 
 int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit)
 {
-	ebitmap_node_t *n;
+	const ebitmap_node_t *n;
 
 	if (e->highbit < bit)
 		return 0;
-- 
2.33.0

[PATCH 2/9] libsepol: use correct cast

[Christian Göttsche]

The function hashtab_insert takes the type hashtab_datum_t (alias void*)
as third argument. Do not cast to hashtab_datum_t* alias void**. The
casts could be dropped, as explicit casting to void* is unnecessary, but
to fit the overall style of this file keep the casts.

    expand.c:246:41: error: cast from 'perm_datum_t *' (aka 'struct perm_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Werror,-Wcast-align]
            ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
                                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/expand.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index aac5b35f..a6a466f7 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -243,7 +243,7 @@ static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	new_perm->s.value = perm->s.value;
 	s->nprim++;
 
-	ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
+	ret = hashtab_insert(s->table, new_id, (hashtab_datum_t) new_perm);
 	if (ret) {
 		free(new_id);
 		free(new_perm);
@@ -294,7 +294,7 @@ static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 
 	ret =
 	    hashtab_insert(state->out->p_commons.table, new_id,
-			   (hashtab_datum_t *) new_common);
+			   (hashtab_datum_t) new_common);
 	if (ret) {
 		ERR(state->handle, "hashtab overflow");
 		free(new_common);
@@ -492,7 +492,7 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 
 	ret =
 	    hashtab_insert(state->out->p_classes.table, new_id,
-			   (hashtab_datum_t *) new_class);
+			   (hashtab_datum_t) new_class);
 	if (ret) {
 		ERR(state->handle, "hashtab overflow");
 		free(new_class);
-- 
2.33.0

[PATCH 3/9] libsepol: resolve GCC warning about null-dereference

[Christian Göttsche]

GCC reports a NULL dereference of the return value of stack_peek(). This
function explicitly returns NULL in case of 'stack->pos == -1'.

Error out on NULL returned.

    module_to_cil.c: In function ‘block_to_cil’:
    module_to_cil.c:3357:55: error: potential null pointer dereference [-Werror=null-dereference]
     3357 |         struct list *alias_list = typealias_lists[decl->decl_id];
          |                                                   ~~~~^~~~~~~~~

There are more occurrences of unconditionally dereferencing the return
value of stack_peek(), but the callers should ensure a valid stack, so
just silence this single warning.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/module_to_cil.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 3c8ba10a..16e4004e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -3354,9 +3354,14 @@ static int typealiases_to_cil(int indent, struct policydb *pdb, struct avrule_bl
 	char *type_name;
 	struct list_node *curr;
 	struct avrule_decl *decl = stack_peek(decl_stack);
-	struct list *alias_list = typealias_lists[decl->decl_id];
+	struct list *alias_list;
 	int rc = -1;
 
+	if (decl == NULL) {
+		return -1;
+	}
+
+	alias_list = typealias_lists[decl->decl_id];
 	if (alias_list == NULL) {
 		return 0;
 	}
-- 
2.33.0

[PATCH 4/9] libsepol/cil: silence clang void-pointer-to-enum-cast warning

[Christian Göttsche]

Add an intermediate cast to uintptr_t to silence the clang specific
warning about casting a void pointer to an enum.

    ../cil/src/cil_verify.c:1749:28: error: cast to smaller integer type 'enum cil_flavor' from 'void *' [-Werror,-Wvoid-pointer-to-enum-cast]
                                                    enum cil_flavor op = (enum cil_flavor)i->data;
                                                                         ^~~~~~~~~~~~~~~~~~~~~~~~

Similar to 32f8ed3d6b0b.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/cil/src/cil_verify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index dc29ea66..d994d717 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -1746,7 +1746,7 @@ static int __cil_verify_classperms(struct cil_list *classperms,
 							goto exit;
 						}
 					} else {
-						enum cil_flavor op = (enum cil_flavor)i->data;
+						enum cil_flavor op = (enum cil_flavor)(uintptr_t)i->data;
 						if (op == CIL_ALL) {
 							struct cil_class *mc = cp->class;
 							struct cil_list *perm_list;
-- 
2.33.0

[PATCH 5/9] checkpolicy: policy_define: cleanup declarations

[Christian Göttsche]

The variable curfile is nowhere used.

Static functions do not need to be forward declared if not used before
their definition.

The error buffer errormsg can be a simple scoped variable. Also
vsnprintf(3) always NUL-terminates the buffer, so the whole length can
be passed.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/policy_define.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 185d5704..cda3337b 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -67,7 +67,6 @@ extern void yyerror2(const char *fmt, ...);
 policydb_t *policydbp;
 queue_t id_queue = 0;
 unsigned int pass;
-char *curfile = 0;
 int mlspol = 0;
 
 extern unsigned long policydb_lineno;
@@ -78,12 +77,6 @@ extern char source_file[PATH_MAX];
 extern int yywarn(const char *msg);
 extern int yyerror(const char *msg);
 
-#define ERRORMSG_LEN 255
-static char errormsg[ERRORMSG_LEN + 1] = {0};
-
-static int id_has_dot(const char *id);
-static int parse_security_context(context_struct_t *c);
-
 /* initialize all of the state variables for the scanner/parser */
 void init_parser(int pass_number)
 {
@@ -95,9 +88,10 @@ void init_parser(int pass_number)
 
 void yyerror2(const char *fmt, ...)
 {
+	char errormsg[256];
 	va_list ap;
 	va_start(ap, fmt);
-	vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
+	vsnprintf(errormsg, sizeof(errormsg), fmt, ap);
 	yyerror(errormsg);
 	va_end(ap);
 }
-- 
2.33.0

[PATCH 6/9] checkpolicy: print reason of fopen failure

[Christian Göttsche]

Print the reason why opening a source policy file failed, e.g:

    checkpolicy:  unable to open policy.conf:  No such file or directory

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/parse_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
index 1795e93c..8c1f393c 100644
--- a/checkpolicy/parse_util.c
+++ b/checkpolicy/parse_util.c
@@ -36,7 +36,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
 {
 	yyin = fopen(file, "r");
 	if (!yyin) {
-		fprintf(stderr, "%s:  unable to open %s\n", progname, file);
+		fprintf(stderr, "%s:  unable to open %s:  %s\n", progname, file, strerror(errno));
 		return -1;
 	}
 	set_source_file(file);
-- 
2.33.0

[PATCH 7/9] checkpolicy: update documentation

[Christian Göttsche]

Add missing command-line arguments to synopsis and highlight mentions of
other tools in man pages.

Add missing space between arguments in help message.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/checkmodule.8 | 11 +++++++----
 checkpolicy/checkpolicy.8 |  8 +++++---
 checkpolicy/checkpolicy.c |  2 +-
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
index c4b1592b..1061a6f2 100644
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@@ -3,7 +3,7 @@
 checkmodule \- SELinux policy module compiler
 .SH SYNOPSIS
 .B checkmodule
-.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
+.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
 .SH "DESCRIPTION"
 This manual page describes the
 .BR checkmodule
@@ -15,9 +15,12 @@ into a binary representation.  It can generate either a base policy
 module (default) or a non-base policy module (\-m option); typically,
 you would build a non-base policy module to add to an existing module
 store that already has a base module provided by the base policy.  Use
-semodule_package to combine this module with its optional file
-contexts to create a policy package, and then use semodule to install
-the module package into the module store and load the resulting policy.
+.B semodule_package(8)
+to combine this module with its optional file
+contexts to create a policy package, and then use
+.B semodule(8)
+to install the module package into the module store and load the resulting
+policy.
 
 .SH OPTIONS
 .TP
diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index f4e6fb24..2984c238 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -13,8 +13,10 @@ command.
 .B checkpolicy
 is a program that checks and compiles a SELinux security policy configuration
 into a binary representation that can be loaded into the kernel.  If no 
-input file name is specified, checkpolicy will attempt to read from
-policy.conf or policy, depending on whether the \-b flag is specified.
+input file name is specified,
+.B checkpolicy
+will attempt to read from policy.conf or policy, depending on whether the \-b
+flag is specified.
 
 .SH OPTIONS
 .TP
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 9459486b..6740c6d4 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -109,7 +109,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
-	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O]"
+	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] "
 	     "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
-- 
2.33.0

[PATCH 8/9] checkpolicy: drop incorrect cast

[Christian Göttsche]

The function require_symbol takes the type hashtab_datum_t (alias void*)
as third argument. Do not cast to hashtab_datum_t* alias void**. Since
explicit casting to void* is unnecessary, drop the casts.

    module_compiler.c:1002:36: warning: cast from 'cond_bool_datum_t *' (aka 'struct cond_bool_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
                require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    module_compiler.c:1092:40: warning: cast from 'cat_datum_t *' (aka 'struct cat_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
            retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
                                                  ^~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/module_compiler.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index e8f15f4e..a1cf9fc4 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -999,7 +999,7 @@ static int require_bool_tunable(int pass, int is_tunable)
 	if (is_tunable)
 		booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
 	retval =
-	    require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
+	    require_symbol(SYM_BOOLS, id, booldatum,
 			   &booldatum->s.value, &booldatum->s.value);
 	if (retval != 0) {
 		cond_destroy_bool(id, booldatum, NULL);
@@ -1051,7 +1051,7 @@ int require_sens(int pass)
 		return -1;
 	}
 	mls_level_init(level->level);
-	retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
+	retval = require_symbol(SYM_LEVELS, id, level,
 				&level->level->sens, &level->level->sens);
 	if (retval != 0) {
 		free(id);
@@ -1089,7 +1089,7 @@ int require_cat(int pass)
 	}
 	cat_datum_init(cat);
 
-	retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
+	retval = require_symbol(SYM_CATS, id, cat,
 				&cat->s.value, &cat->s.value);
 	if (retval != 0) {
 		free(id);
-- 
2.33.0

[PATCH 9/9] checkpolicy: delay down-cast to avoid align warning

[Christian Göttsche]

Delay the down-cast from hashtab_datum_t, alias void*, to the actual
type once its kind has been determined.

    module_compiler.c:174:19: warning: cast from 'symtab_datum_t *' (aka 'struct symtab_datum *') to 'level_datum_t *' (aka 'struct level_datum *') increases required alignment from 4 to 8 [-Wcast-align]
                            *dest_value = ((level_datum_t *)s)->level->sens;
                                           ^~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/module_compiler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index a1cf9fc4..5f5b0b19 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -165,7 +165,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_
 			    decl->decl_id, dest_value);
 
 	if (ret == 1 && dest_value) {
-		symtab_datum_t *s =
+		hashtab_datum_t s =
 			hashtab_search(policydbp->symtab[symbol_type].table,
 				       key);
 		assert(s != NULL);
@@ -173,7 +173,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_
 		if (symbol_type == SYM_LEVELS) {
 			*dest_value = ((level_datum_t *)s)->level->sens;
 		} else {
-			*dest_value = s->value;
+			*dest_value = ((symtab_datum_t *)s)->value;
 		}
 	} else if (ret == -2) {
 		return -2;
-- 
2.33.0

Re: [PATCH 1/9] libsepol: ebitmap: mark nodes of const ebitmaps const

[James Carter]

On Tue, Sep 28, 2021 at 11:47 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Mark pointers to nodes of const ebitmaps also const. C does not enforce
> a transitive const-ness, but it clarifies the intent and improves
> maintainability.
>
> Follow-up of 390ec54d278a
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

For all 9 patches:
Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/ebitmap.c | 16 +++++++++-------
>  1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c
> index 4e9acdf8..1de3816a 100644
> --- a/libsepol/src/ebitmap.c
> +++ b/libsepol/src/ebitmap.c
> @@ -17,7 +17,8 @@
>
>  int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2)
>  {
> -       ebitmap_node_t *n1, *n2, *new, *prev;
> +       const ebitmap_node_t *n1, *n2;
> +       ebitmap_node_t *new, *prev;
>
>         ebitmap_init(dst);
>
> @@ -154,7 +155,7 @@ int ebitmap_hamming_distance(const ebitmap_t * e1, const ebitmap_t * e2)
>
>  int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
>  {
> -       ebitmap_node_t *n1, *n2;
> +       const ebitmap_node_t *n1, *n2;
>
>         if (e1->highbit != e2->highbit)
>                 return 0;
> @@ -175,7 +176,8 @@ int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
>
>  int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
>  {
> -       ebitmap_node_t *n, *new, *prev;
> +       const ebitmap_node_t *n;
> +       ebitmap_node_t *new, *prev;
>
>         ebitmap_init(dst);
>         n = src->node;
> @@ -204,7 +206,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
>
>  int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
>  {
> -       ebitmap_node_t *n1, *n2;
> +       const ebitmap_node_t *n1, *n2;
>
>         if (e1->highbit < e2->highbit)
>                 return 0;
> @@ -231,8 +233,8 @@ int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
>
>  int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
>  {
> -       ebitmap_node_t *n1 = e1->node;
> -       ebitmap_node_t *n2 = e2->node;
> +       const ebitmap_node_t *n1 = e1->node;
> +       const ebitmap_node_t *n2 = e2->node;
>
>         while (n1 && n2) {
>                 if (n1->startbit < n2->startbit) {
> @@ -253,7 +255,7 @@ int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
>
>  int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit)
>  {
> -       ebitmap_node_t *n;
> +       const ebitmap_node_t *n;
>
>         if (e->highbit < bit)
>                 return 0;
> --
> 2.33.0
>

Re: [PATCH 1/9] libsepol: ebitmap: mark nodes of const ebitmaps const

[James Carter]

On Thu, Sep 30, 2021 at 3:40 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Sep 28, 2021 at 11:47 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Mark pointers to nodes of const ebitmaps also const. C does not enforce
> > a transitive const-ness, but it clarifies the intent and improves
> > maintainability.
> >
> > Follow-up of 390ec54d278a
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For all 9 patches:
> Acked-by: James Carter <jwcart2@gmail.com>
>

All nine patches have been merged.
Thanks,
Jim

> > ---
> >  libsepol/src/ebitmap.c | 16 +++++++++-------
> >  1 file changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c
> > index 4e9acdf8..1de3816a 100644
> > --- a/libsepol/src/ebitmap.c
> > +++ b/libsepol/src/ebitmap.c
> > @@ -17,7 +17,8 @@
> >
> >  int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2)
> >  {
> > -       ebitmap_node_t *n1, *n2, *new, *prev;
> > +       const ebitmap_node_t *n1, *n2;
> > +       ebitmap_node_t *new, *prev;
> >
> >         ebitmap_init(dst);
> >
> > @@ -154,7 +155,7 @@ int ebitmap_hamming_distance(const ebitmap_t * e1, const ebitmap_t * e2)
> >
> >  int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
> >  {
> > -       ebitmap_node_t *n1, *n2;
> > +       const ebitmap_node_t *n1, *n2;
> >
> >         if (e1->highbit != e2->highbit)
> >                 return 0;
> > @@ -175,7 +176,8 @@ int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
> >
> >  int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
> >  {
> > -       ebitmap_node_t *n, *new, *prev;
> > +       const ebitmap_node_t *n;
> > +       ebitmap_node_t *new, *prev;
> >
> >         ebitmap_init(dst);
> >         n = src->node;
> > @@ -204,7 +206,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
> >
> >  int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
> >  {
> > -       ebitmap_node_t *n1, *n2;
> > +       const ebitmap_node_t *n1, *n2;
> >
> >         if (e1->highbit < e2->highbit)
> >                 return 0;
> > @@ -231,8 +233,8 @@ int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
> >
> >  int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
> >  {
> > -       ebitmap_node_t *n1 = e1->node;
> > -       ebitmap_node_t *n2 = e2->node;
> > +       const ebitmap_node_t *n1 = e1->node;
> > +       const ebitmap_node_t *n2 = e2->node;
> >
> >         while (n1 && n2) {
> >                 if (n1->startbit < n2->startbit) {
> > @@ -253,7 +255,7 @@ int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
> >
> >  int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit)
> >  {
> > -       ebitmap_node_t *n;
> > +       const ebitmap_node_t *n;
> >
> >         if (e->highbit < bit)
> >                 return 0;
> > --
> > 2.33.0
> >