apparmor/utils/vim/apparmor.vim.in

" $Id: apparmor.vim.in,v 1.11 2011/03/28 11:23:13 cb Exp $
"
" ----------------------------------------------------------------------
"    Copyright (c) 2005 Novell, Inc. All Rights Reserved.
"    Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
"      
"    This program is free software; you can redistribute it and/or
"    modify it under the terms of version 2 of the GNU General Public
"    License as published by the Free Software Foundation.
"      
"    This program is distributed in the hope that it will be useful,
"    but WITHOUT ANY WARRANTY; without even the implied warranty of
"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
"    GNU General Public License for more details.
"      
"    You should have received a copy of the GNU General Public License
"    along with this program; if not, contact Novell, Inc.
"      
"    To contact Novell about this file by physical or electronic mail, 
"    you may find current contact information at www.novell.com.
"
"    To contact Christian Boltz about this file by physical or electronic
"    mail, you may find current contact information at www.cboltz.de/en/kontakt.
"
"    If you want to report a bug via bugzilla.novell.com, please assign it
"    to suse-beta[AT]cboltz.de (replace [AT] with @).
" ----------------------------------------------------------------------
"
" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc 
" to have vim automagically use this syntax file for these directories:
"
" autocmd BufNewFile,BufRead /etc/apparmor.d/*        set syntax=apparmor
" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor

" profiles are case sensitive
syntax case match

" color setup...

" adjust colors according to the background

" switching colors depending on the background color doesn't work
" unfortunately, so we use colors that work with light and dark background.
" Patches welcome ;-)

"if &background == "light"
" light background
	hi sdProfileName ctermfg=lightblue
	hi sdHatName ctermfg=darkblue
	hi sdExtHat ctermfg=darkblue
"	hi sdComment2 ctermfg=darkblue
	hi sdGlob       ctermfg=darkmagenta
	hi sdAlias      ctermfg=darkmagenta
	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
	hi sdEntryUX     ctermfg=darkred cterm=underline
	hi sdEntryUXe     ctermfg=darkred
	hi sdEntryIX     ctermfg=darkcyan
	hi sdEntryM     ctermfg=darkcyan
	hi sdEntryPX     ctermfg=darkgreen cterm=underline
	hi sdEntryPXe     ctermfg=darkgreen
	hi sdEntryW     ctermfg=darkyellow
	hi sdCap	ctermfg=lightblue
	hi sdSetCap     ctermfg=black ctermbg=yellow
	hi sdNetwork	ctermfg=lightblue
	hi sdNetworkDanger ctermfg=darkred
	hi sdCapKey	cterm=underline ctermfg=lightblue
	hi sdCapDanger ctermfg=darkred
	hi sdRLimit ctermfg=lightblue
	hi def link sdEntryR Normal
	hi def link sdEntryK Normal
	hi def link sdFlags Normal
	hi sdEntryChangeProfile     ctermfg=darkgreen cterm=underline
"else 
" dark background
"	hi sdProfileName ctermfg=white
"	hi sdHatName ctermfg=white
"	hi sdGlob       ctermfg=magenta
"	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
"	hi sdEntryUX     ctermfg=red cterm=underline
"	hi sdEntryUXe     ctermfg=red
"	hi sdEntryIX     ctermfg=cyan
"	hi sdEntryM     ctermfg=cyan
"	hi sdEntryPX     ctermfg=green cterm=underline
"	hi sdEntryPXe     ctermfg=green
"	hi sdEntryW     ctermfg=yellow
"	hi sdCap	ctermfg=lightblue
"	hi sdCapKey	cterm=underline ctermfg=lightblue
"	hi def link sdEntryR Normal
"	hi def link sdFlags Normal
"	hi sdCapDanger ctermfg=red
"endif

hi def link sdInclude     Include
high def link sdComment     Comment
"high def link sdComment2     Comment
high def link sdFlagKey     TODO
high def link sdError      ErrorMsg


" always sync from the start.  should be relatively quick since we don't have
" that many rules and profiles shouldn't be _extremely_ large...
syn sync fromstart

syn keyword	sdFlagKey	complain debug

" highlight invalid syntax
syn match sdError /{/ contained
syn match sdError /}/
syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
" TODO: do not mark lines containing only whitespace as error

" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
" This allows incorrect lines also and should be checked better.
" This also (accidently ;-) includes variable definitions (@{FOO}=/bar)
" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/

syn match sdAlias /\v^alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob

" syn match sdComment /#.*/

syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile


" TODO: support audit and deny keywords for all rules (not only for files)
" TODO: higlight audit and deny keywords everywhere

" Capability line

" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
syn keyword  sdCapKey          @@sdKapKey@@

" dangerous capabilities - highlighted separately
syn keyword sdCapDanger	       @@sdKapKeyDanger@@

" full line. Keywords are from sdCapKey + sdCapDanger
syn match  sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" set capability was removed - TODO: remove everywhere in apparmor.vim
" syn match  sdSetCap /\v^\s*set\s+capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude


" Network line
" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
syn match  sdNetwork         /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(stream|dgram|seqpacket|rdm|packet))?(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" network rules containing 'raw'
syn match  sdNetworkDanger         /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(raw))(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" 'all networking' includes raw -> mark as dangerous
syn match  sdNetworkDanger         /\v^\s*@@auditdeny@@network@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude


" Change Profile
" TODO: audit and deny support will be added (JJ, 2011-01-11)
syn match   sdEntryChangeProfile    /\v^\s*change_profile\s+-\>\s+\S+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude


" rlimit
" TODO: audit and deny support will be added (JJ, 2011-01-11)
"
"syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment

" link rules
syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob


" file permissions
"
" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
"
" write + exec/mmap - danger!
" known bug: accepts 'aw' to keep things simple
syn match  sdEntryWriteExec /@@FILE@@(l|r|w|a|m|k|[iuUpPcC]x)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" ux(mr) - unconstrained entry, flag the line red
" also includes pux which is unconstrained if no profile exists
syn match  sdEntryUX /@@FILE@@(r|m|k|ux|pux)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" Ux(mr) and PUx(mr) - like ux + clean environment
syn match  sdEntryUXe /@@FILE@@(r|m|k|Ux|PUx)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
syn match  sdEntryPX /@@FILE@@(r|m|k|px|cx|pix|cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
syn match  sdEntryPXe /@@FILE@@(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" ix(mr) - standard exec entry, flag the line green
syn match  sdEntryIX /@@FILE@@(r|m|k|ix)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" mr - mmap with PROT_EXEC
syn match  sdEntryM /@@FILE@@(r|m|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" if we've got u or i without x, it's an error
" rule is superfluous because of the '/.*/ is an error' rule ;-)
"syn match  sdError /@@FILE@@(l|r|w|k|u|p|i)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" write + append is an error also
"syn match  sdError /@@FILE@@(\S*r\S*a\S*|\S*a\S*w\S*)@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
syn match  sdError /@@FILE@@\S*(w\S*a|a\S*w)\S*@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" write entry, flag the line yellow
syn match  sdEntryW /@@FILE@@(l|r|w|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" append entry, flag the line yellow
syn match  sdEntryW /@@FILE@@(l|r|a|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

" read entry + locking, currently no highlighting
syn match  sdEntryK /@@FILE@@[rlk]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" read entry, no highlighting
syn match  sdEntryR /@@FILE@@[rl]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

syn match sdExtHat  /\v^\s+(\^|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...}


syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+@@flags@@=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
syn match sdProfileStart /{/ contained 
syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
                                                " TODO: Removing the $ mark from end= will allow non-comments also :-(
syn match sdHatName /\v^\s+(\^|profile\s+)\S+\s+@@flags@@=\{/ contains=sdProfileStart,sdFlags,sdComment
syn match sdHatStart /{/ contained 
syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
syn match sdFlags /\v@@flags@@/ contained contains=sdFlagKey

syn match sdComment /\s*#.*$/
" NOTE: contains=sdComment changes #include highlighting to comment color.
" NOTE: Comment highlighting still works without contains=sdComment.
syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
syn match sdInclude /\s*include\s<\S*>/  " TODO: doesn't check until $

" basic profile block...
" \s+ does not work in end=, therefore using \s\s*
syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
Add files to generate apparmor.vim to bzr. Basically the files will generate apparmor.vim as included in openSUSE 11.4 (and posted here before at the end of january). The only difference is that the patch that Steve posted some days ago is already included (patch summary: sdGlob: first character of variable name has to be :alpha:, followed by any number of :alnum: or _) 2011-04-05 23:56:14 +02:00			`" $Id: apparmor.vim.in,v 1.11 2011/03/28 11:23:13 cb Exp $`
			`"`
			`" ----------------------------------------------------------------------`
			`" Copyright (c) 2005 Novell, Inc. All Rights Reserved.`
			`" Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.`
			`"`
			`" This program is free software; you can redistribute it and/or`
			`" modify it under the terms of version 2 of the GNU General Public`
			`" License as published by the Free Software Foundation.`
			`"`
			`" This program is distributed in the hope that it will be useful,`
			`" but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`" GNU General Public License for more details.`
			`"`
			`" You should have received a copy of the GNU General Public License`
			`" along with this program; if not, contact Novell, Inc.`
			`"`
			`" To contact Novell about this file by physical or electronic mail,`
			`" you may find current contact information at www.novell.com.`
			`"`
			`" To contact Christian Boltz about this file by physical or electronic`
			`" mail, you may find current contact information at www.cboltz.de/en/kontakt.`
			`"`
			`" If you want to report a bug via bugzilla.novell.com, please assign it`
			`" to suse-beta[AT]cboltz.de (replace [AT] with @).`
			`" ----------------------------------------------------------------------`
			`"`
			`" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc`
			`" to have vim automagically use this syntax file for these directories:`
			`"`
			`" autocmd BufNewFile,BufRead /etc/apparmor.d/* set syntax=apparmor`
			`" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor`

			`" profiles are case sensitive`
			`syntax case match`

			`" color setup...`

			`" adjust colors according to the background`

			`" switching colors depending on the background color doesn't work`
			`" unfortunately, so we use colors that work with light and dark background.`
			`" Patches welcome ;-)`

			`"if &background == "light"`
			`" light background`
			`hi sdProfileName ctermfg=lightblue`
			`hi sdHatName ctermfg=darkblue`
			`hi sdExtHat ctermfg=darkblue`
			`" hi sdComment2 ctermfg=darkblue`
			`hi sdGlob ctermfg=darkmagenta`
			`hi sdAlias ctermfg=darkmagenta`
			`hi sdEntryWriteExec ctermfg=black ctermbg=yellow`
			`hi sdEntryUX ctermfg=darkred cterm=underline`
			`hi sdEntryUXe ctermfg=darkred`
			`hi sdEntryIX ctermfg=darkcyan`
			`hi sdEntryM ctermfg=darkcyan`
			`hi sdEntryPX ctermfg=darkgreen cterm=underline`
			`hi sdEntryPXe ctermfg=darkgreen`
			`hi sdEntryW ctermfg=darkyellow`
			`hi sdCap ctermfg=lightblue`
			`hi sdSetCap ctermfg=black ctermbg=yellow`
			`hi sdNetwork ctermfg=lightblue`
			`hi sdNetworkDanger ctermfg=darkred`
			`hi sdCapKey cterm=underline ctermfg=lightblue`
			`hi sdCapDanger ctermfg=darkred`
			`hi sdRLimit ctermfg=lightblue`
			`hi def link sdEntryR Normal`
			`hi def link sdEntryK Normal`
			`hi def link sdFlags Normal`
			`hi sdEntryChangeProfile ctermfg=darkgreen cterm=underline`
			`"else`
			`" dark background`
			`" hi sdProfileName ctermfg=white`
			`" hi sdHatName ctermfg=white`
			`" hi sdGlob ctermfg=magenta`
			`" hi sdEntryWriteExec ctermfg=black ctermbg=yellow`
			`" hi sdEntryUX ctermfg=red cterm=underline`
			`" hi sdEntryUXe ctermfg=red`
			`" hi sdEntryIX ctermfg=cyan`
			`" hi sdEntryM ctermfg=cyan`
			`" hi sdEntryPX ctermfg=green cterm=underline`
			`" hi sdEntryPXe ctermfg=green`
			`" hi sdEntryW ctermfg=yellow`
			`" hi sdCap ctermfg=lightblue`
			`" hi sdCapKey cterm=underline ctermfg=lightblue`
			`" hi def link sdEntryR Normal`
			`" hi def link sdFlags Normal`
			`" hi sdCapDanger ctermfg=red`
			`"endif`

			`hi def link sdInclude Include`
			`high def link sdComment Comment`
			`"high def link sdComment2 Comment`
			`high def link sdFlagKey TODO`
			`high def link sdError ErrorMsg`


			`" always sync from the start. should be relatively quick since we don't have`
			`" that many rules and profiles shouldn't be _extremely_ large...`
			`syn sync fromstart`

			`syn keyword sdFlagKey complain debug`

			`" highlight invalid syntax`
			`syn match sdError /{/ contained`
			`syn match sdError /}/`
			`syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error`
			`" TODO: do not mark lines containing only whitespace as error`

			`" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*`
			`" This allows incorrect lines also and should be checked better.`
			`" This also (accidently ;-) includes variable definitions (@{FOO}=/bar)`
			`" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained`
			`syn match sdGlob /\v\?\|\\|\{.,.\}\|[[^\]]\+\]\|\@\{[a-zA-Z][a-zA-Z0-9_]\}/`

			`syn match sdAlias /\v^alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob`

			`" syn match sdComment /#.*/`

			`syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile`


			`" TODO: support audit and deny keywords for all rules (not only for files)`
			`" TODO: higlight audit and deny keywords everywhere`

			`" Capability line`

			`" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)`
			`syn keyword sdCapKey @@sdKapKey@@`

			`" dangerous capabilities - highlighted separately`
			`syn keyword sdCapDanger @@sdKapKeyDanger@@`

			`" full line. Keywords are from sdCapKey + sdCapDanger`
			`syn match sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" set capability was removed - TODO: remove everywhere in apparmor.vim`
			`" syn match sdSetCap /\v^\s*set\s+capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`


			`" Network line`
			`" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)`
			`" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)`
			`syn match sdNetwork /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(stream\|dgram\|seqpacket\|rdm\|packet))?(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" network rules containing 'raw'`
			`syn match sdNetworkDanger /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(raw))(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" 'all networking' includes raw -> mark as dangerous`
			`syn match sdNetworkDanger /\v^\s*@@auditdeny@@network@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`


			`" Change Profile`
			`" TODO: audit and deny support will be added (JJ, 2011-01-11)`
			`syn match sdEntryChangeProfile /\v^\s*change_profile\s+-\>\s+\S+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`


			`" rlimit`
			`" TODO: audit and deny support will be added (JJ, 2011-01-11)`
			`"`
			`"syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment`
			`syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile\|nproc\|rtprio)\s+[0-9]+@@EOL@@/ contains=sdComment`
			`syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks\|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment`
			`syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize\|data\|stack\|core\|rss\|as\|memlock\|msgqueue)\s+\<\=\s+[0-9]+([KMG])?@@EOL@@/ contains=sdComment`
			`syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]\|-20\|1?[0-9])@@EOL@@/ contains=sdComment`

			`" link rules`
			`syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob`


			`" file permissions`
			`"`
			`" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise`
			`"`
			`" write + exec/mmap - danger!`
			`" known bug: accepts 'aw' to keep things simple`
			`syn match sdEntryWriteExec /@@FILE@@(l\|r\|w\|a\|m\|k\|[iuUpPcC]x)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`

			`" ux(mr) - unconstrained entry, flag the line red`
Allow pux and PUx permissions in apparmor.vim I intentionally don't allow pUx and Pux since the behaviour of those is very unexpected (the first letter decides if the environment is cleaned up or not - at least that's the result of the discussion in April) and the average user won't know this. Acked-by: John Johansen <john.johansen@canonical.com> 2011-08-19 00:28:10 +02:00			`" also includes pux which is unconstrained if no profile exists`
			`syn match sdEntryUX /@@FILE@@(r\|m\|k\|ux\|pux)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" Ux(mr) and PUx(mr) - like ux + clean environment`
			`syn match sdEntryUXe /@@FILE@@(r\|m\|k\|Ux\|PUx)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
Add files to generate apparmor.vim to bzr. Basically the files will generate apparmor.vim as included in openSUSE 11.4 (and posted here before at the end of january). The only difference is that the patch that Steve posted some days ago is already included (patch summary: sdGlob: first character of variable name has to be :alpha:, followed by any number of :alnum: or _) 2011-04-05 23:56:14 +02:00			`" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue`
			`syn match sdEntryPX /@@FILE@@(r\|m\|k\|px\|cx\|pix\|cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment`
			`syn match sdEntryPXe /@@FILE@@(r\|m\|k\|Px\|Cx\|Pix\|Cix)+@@TRANSITION@@@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" ix(mr) - standard exec entry, flag the line green`
			`syn match sdEntryIX /@@FILE@@(r\|m\|k\|ix)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" mr - mmap with PROT_EXEC`
			`syn match sdEntryM /@@FILE@@(r\|m\|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`

			`" if we've got u or i without x, it's an error`
			`" rule is superfluous because of the '/.*/ is an error' rule ;-)`
			`"syn match sdError /@@FILE@@(l\|r\|w\|k\|u\|p\|i)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`

			`" write + append is an error also`
			`"syn match sdError /@@FILE@@(\Sr\Sa\S\|\Sa\Sw\S)@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`syn match sdError /@@FILE@@\S(w\Sa\|a\Sw)\S@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`

			`" write entry, flag the line yellow`
			`syn match sdEntryW /@@FILE@@(l\|r\|w\|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" append entry, flag the line yellow`
			`syn match sdEntryW /@@FILE@@(l\|r\|a\|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`

			`" read entry + locking, currently no highlighting`
			`syn match sdEntryK /@@FILE@@[rlk]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`
			`" read entry, no highlighting`
			`syn match sdEntryR /@@FILE@@[rl]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`

			`syn match sdExtHat /\v^\s+(\^\|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...}`




			`syn match sdProfileName /\v^((profile\s+)?\/\S+\|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+@@flags@@=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob`
			`syn match sdProfileStart /{/ contained`
			`syn match sdProfileEnd /^}\s(#.)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=`
			`" TODO: Removing the $ mark from end= will allow non-comments also :-(`
			`syn match sdHatName /\v^\s+(\^\|profile\s+)\S+\s+@@flags@@=\{/ contains=sdProfileStart,sdFlags,sdComment`
			`syn match sdHatStart /{/ contained`
			`syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]`
			`syn match sdFlags /\v@@flags@@/ contained contains=sdFlagKey`

			`syn match sdComment /\s#.$/`
			`" NOTE: contains=sdComment changes #include highlighting to comment color.`
			`" NOTE: Comment highlighting still works without contains=sdComment.`
			`syn match sdInclude /\s#include\s<\S>/ " TODO: doesn't check until $`
			`syn match sdInclude /\sinclude\s<\S>/ " TODO: doesn't check until $`

			`" basic profile block...`
			`" \s+ does not work in end=, therefore using \s\s*`
			`syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude`
			`syn region Hat start=/\v^\s+(\^\|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s}\s$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude`