apparmor.vim:

- allow "deny [filename] x" rules
- add support for "make clean"

Acked-by: John Johansen <john.johansen@canonical.com>

utils/vim/Makefile

@@ -1,2 +1,5 @@
 apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
 	sh create-apparmor.vim.sh
+
+clean:
+	rm -f apparmor.vim

utils/vim/apparmor.vim.in

@@ -188,6 +188,8 @@ syn match  sdEntryPXe /@@FILE@@(r|m|k|Px|Cx|Pix|Cix)+@@TRANSITION@@@@EOL@@/ cont
 syn match  sdEntryIX /@@FILE@@(r|m|k|ix)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " mr - mmap with PROT_EXEC
 syn match  sdEntryM /@@FILE@@(r|m|k)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" special case: deny x is allowed (doesn't need to be ix, px, ux or cx)
+syn match  sdEntryM /@@DENYFILE@@(r|m|k|x)+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 
 " if we've got u or i without x, it's an error
 " rule is superfluous because of the '/.*/ is an error' rule ;-)

utils/vim/create-apparmor.vim.sh

@@ -21,6 +21,7 @@ sdFlagsRegex="($sdFlags)"
 #	'@@FILE@@'            '\v^\s*((owner\s+)|(audit\s+)|(deny\s+))*(\/|\@\{\S*\})\S*\s+'   \
 replace                                                                                    \
 	'@@FILE@@'            '\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+'     \
+	'@@DENYFILE@@'        '\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+'        \
     '@@auditdenyowner@@'  '(audit\s+)?(deny\s+)?(owner\s+)?'                               \
     '@@auditdeny@@'       '(audit\s+)?(deny\s+)?'                                          \
 	'@@FILENAME@@'        '(\/|\@\{\S*\})\S*'                                              \