File: apparmor.vim.in

package info (click to toggle)
apparmor 4.1.0-1
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 34,800 kB
sloc: ansic: 24,940; python: 24,595; sh: 12,524; cpp: 9,024; yacc: 2,061; makefile: 1,921; lex: 1,215; pascal: 1,145; perl: 1,033; ruby: 365; lisp: 282; exp: 250; java: 212; xml: 159
file content (207 lines) | stat: -rw-r--r-- 10,362 bytes
" ----------------------------------------------------------------------
"    Copyright (c) 2005 Novell, Inc. All Rights Reserved.
"    Copyright (c) 2006-2023 Christian Boltz. All Rights Reserved.
"
"    This program is free software; you can redistribute it and/or
"    modify it under the terms of version 2 of the GNU General Public
"    License as published by the Free Software Foundation.
"
"    This program is distributed in the hope that it will be useful,
"    but WITHOUT ANY WARRANTY; without even the implied warranty of
"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
"    GNU General Public License for more details.
"
"    You should have received a copy of the GNU General Public License
"    along with this program; if not, contact Novell, Inc.
"
"    If you want to report a bug for apparmor.vim, please do so at
"    - https://gitlab.com/apparmor/apparmor/ or
"    - https://bugzilla.opensuse.org (assign it to suse-beta[AT]cboltz.de)
" ----------------------------------------------------------------------
"
" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc
" to have vim automagically use this syntax file for these directories:
"
" autocmd BufNewFile,BufRead /etc/apparmor.d/*                      set syntax=apparmor
" autocmd BufNewFile,BufRead /usr/share/apparmor/extra-profiles/*   set syntax=apparmor

" profiles are case sensitive
syntax case match

" color setup...

" adjust colors according to the background

" switching colors depending on the background color doesn't work
" unfortunately, so we use colors that work with light and dark background.
" Patches welcome ;-)

"if &background == "light"
" light background
	hi sdProfileName ctermfg=lightblue
	hi sdHatName ctermfg=darkblue
	hi sdExtHat ctermfg=darkblue
"	hi sdComment2 ctermfg=darkblue
	hi sdGlob       ctermfg=darkmagenta
	hi sdAlias      ctermfg=darkmagenta
	hi sdAll        ctermfg=darkred ctermbg=yellow
	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
	hi sdEntryUX     ctermfg=darkred cterm=underline
	hi sdEntryUXe     ctermfg=darkred
	hi sdEntryIX     ctermfg=darkcyan
	hi sdEntryM     ctermfg=darkcyan
	hi sdEntryPX     ctermfg=darkgreen cterm=underline
	hi sdEntryPXe     ctermfg=darkgreen
	hi sdEntryW     ctermfg=darkyellow
	hi sdCap	ctermfg=lightblue
	hi sdSetCap     ctermfg=black ctermbg=yellow
	hi sdNetwork	ctermfg=lightblue
	hi sdNetworkDanger ctermfg=darkred
	hi sdCapKey	cterm=underline ctermfg=lightblue
	hi sdCapDanger ctermfg=darkred
	hi sdRLimit ctermfg=lightblue
	hi sdUserns ctermfg=darkred
	hi def link sdEntryR Normal
	hi def link sdEntryK Normal
	hi def link sdFlags Normal
	hi sdEntryChangeProfile     ctermfg=darkgreen cterm=underline
"else 
" dark background
"	hi sdProfileName ctermfg=white
"	hi sdHatName ctermfg=white
"	hi sdGlob       ctermfg=magenta
"	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
"	hi sdEntryUX     ctermfg=red cterm=underline
"	hi sdEntryUXe     ctermfg=red
"	hi sdEntryIX     ctermfg=cyan
"	hi sdEntryM     ctermfg=cyan
"	hi sdEntryPX     ctermfg=green cterm=underline
"	hi sdEntryPXe     ctermfg=green
"	hi sdEntryW     ctermfg=yellow
"	hi sdCap	ctermfg=lightblue
"	hi sdCapKey	cterm=underline ctermfg=lightblue
"	hi def link sdEntryR Normal
"	hi def link sdFlags Normal
"	hi sdCapDanger ctermfg=red
"endif

hi def link sdInclude     Include
high def link sdComment     Comment
"high def link sdComment2     Comment
high def link sdFlagKey     TODO
high def link sdError      ErrorMsg


" always sync from the start.  should be relatively quick since we don't have
" that many rules and profiles shouldn't be _extremely_ large...
syn sync fromstart

syn keyword	sdFlagKey	complain debug

" highlight invalid syntax
syn match sdError /{/ contained
syn match sdError /}/
syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
" TODO: do not mark lines containing only whitespace as error

" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
" This allows incorrect lines also and should be checked better.
" This also (accidentally ;-) includes variable definitions (@{FOO}=/bar)
" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/

syn match sdAlias /\v^\s*alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment

" syn match sdComment /#.*/

" List of all (supported) rules inside a profile.
" XXX When adding support for a new rule type, also add it here. XXX
" XXX Otherwise it will be highlighted as an error.              XXX
syn cluster sdEntry contains=sdAll,sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile,sdUserns


" TODO: support audit and deny keywords for all rules (not only for files)
" TODO: highlight audit and deny keywords everywhere

" 'all' rule
syn match  sdAll /\v^\s*@@auditdeny@@all@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude


" Capability line

" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
syn keyword  sdCapKey          @@sdKapKey@@

" dangerous capabilities - highlighted separately
syn keyword sdCapDanger	       @@sdKapKeyDanger@@

" full line. Keywords are from sdCapKey + sdCapDanger
syn match  sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" all capabilities ('capability' without any keyword)
syn match  sdCapDanger /\v^\s*@@auditdeny@@capability@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" Network line
" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
syn match  sdNetwork         /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(stream|dgram|seqpacket|rdm|packet))?(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" network rules containing 'raw'
syn match  sdNetworkDanger         /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(raw))(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" 'all networking' includes raw -> mark as dangerous
syn match  sdNetworkDanger         /\v^\s*@@auditdeny@@network@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude


" Change Profile
syn match   sdEntryChangeProfile    /\v^\s*@@auditdeny@@change_profile\s+(safe\s+[/@]\S+|unsafe\s+[/@]\S+|[/@]\S+)?\s*(-\>\s*\S+)?@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" bare change_profile rule
syn match   sdEntryChangeProfile    /\v^\s*@@auditdeny@@change_profile@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" rlimit
" TODO: audit and deny support will be added (JJ, 2011-01-11)
"
"syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|ofile|nproc|rtprio)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+\s*(s|sec|second|seconds|min|minute|minutes|h|hour|hours|d|day|days|week|weeks)?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+\s*(us|microsecond|microseconds|ms|millisecond|milliseconds|s|sec|second|seconds|min|minute|minutes|h|hour|hours|d|day|days|week|weeks)?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment

" userns
syn match sdUserns /\v^\s*@@auditdeny@@userns(\s+create)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" link rules
syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment


syn match sdExtHat  /\v^\s+(\^|hat\s+|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...}




syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+@@flags@@=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
syn match sdProfileStart /{/ contained 
syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
                                                " TODO: Removing the $ mark from end= will allow non-comments also :-(
syn match sdHatName /\v^\s+(\^|hat\s+|profile\s+)\S+\s+@@flags@@=\{/ contains=sdProfileStart,sdFlags,sdComment
syn match sdHatStart /{/ contained 
syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
syn match sdFlags /\v@@flags@@/ contained contains=sdFlagKey

syn match sdComment /\s*#.*$/
" NOTE: contains=sdComment changes #include highlighting to comment color.
" NOTE: Comment highlighting still works without contains=sdComment.
syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
syn match sdInclude /\s*include\s<\S*>/  " TODO: doesn't check until $
syn match sdInclude /\s*#include\sif\sexists\s<\S*>/ " TODO: doesn't check until $
syn match sdInclude /\s*include\sif\sexists\s<\S*>/  " TODO: doesn't check until $

syn match sdInclude /\s*abi\s<\S*>\s*,/ contains=sdComment  " TODO: doesn't check until $

" basic profile block...
" \s+ does not work in end=, therefore using \s\s*
syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
syn region Hat start=/\v^\s+(\^|hat\s+|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude

" file permissions