diff --git a/utils/Makefile b/utils/Makefile
index d2d865d48..d48fd7296 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5
 all: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) -C po all
+	$(MAKE) -C vim all
 
 # need some better way of determining this
 DESTDIR=/
@@ -67,6 +68,7 @@ clean: _clean
 	rm -f core core.* *.o *.s *.a *~
 	rm -f Make.rules
 	$(MAKE) -C po clean
+	$(MAKE) -C vim clean
 
 # ${CAPABILITIES} is defined in common/Make.rules
 .PHONY: check_severity_db
diff --git a/utils/apparmor.vim b/utils/apparmor.vim
deleted file mode 100644
index 24053c8f2..000000000
--- a/utils/apparmor.vim
+++ /dev/null
@@ -1,234 +0,0 @@
-" $Id: apparmor.vim,v 1.11 2011/01/31 22:48:07 cb Exp $
-"
-" ----------------------------------------------------------------------
-" Copyright (c) 2005 Novell, Inc. All Rights Reserved.
-" Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
-"
-" This program is free software; you can redistribute it and/or
-" modify it under the terms of version 2 of the GNU General Public
-" License as published by the Free Software Foundation.
-"
-" This program is distributed in the hope that it will be useful,
-" but WITHOUT ANY WARRANTY; without even the implied warranty of
-" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-" GNU General Public License for more details.
-"
-" You should have received a copy of the GNU General Public License
-" along with this program; if not, contact Novell, Inc.
-"
-" To contact Novell about this file by physical or electronic mail,
-" you may find current contact information at www.novell.com.
-"
-" To contact Christian Boltz about this file by physical or electronic
-" mail, you may find current contact information at www.cboltz.de/en/kontakt.
-"
-" If you want to report a bug via bugzilla.novell.com, please assign it
-" to suse-beta[AT]cboltz.de (replace [AT] with @).
-" ----------------------------------------------------------------------
-"
-" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc
-" to have vim automagically use this syntax file for these directories:
-"
-" autocmd BufNewFile,BufRead /etc/apparmor.d/* set syntax=apparmor
-" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor
-
-" profiles are case sensitive
-syntax case match
-
-" color setup...
-
-" adjust colors according to the background
-
-" switching colors depending on the background color doesn't work
-" unfortunately, so we use colors that work with light and dark background.
-" Patches welcome ;-)
-
-"if &background == "light"
-" light background
- hi sdProfileName ctermfg=lightblue
- hi sdHatName ctermfg=darkblue
- hi sdExtHat ctermfg=darkblue
-" hi sdComment2 ctermfg=darkblue
- hi sdGlob ctermfg=darkmagenta
- hi sdAlias ctermfg=darkmagenta
- hi sdEntryWriteExec ctermfg=black ctermbg=yellow
- hi sdEntryUX ctermfg=darkred cterm=underline
- hi sdEntryUXe ctermfg=darkred
- hi sdEntryIX ctermfg=darkcyan
- hi sdEntryM ctermfg=darkcyan
- hi sdEntryPX ctermfg=darkgreen cterm=underline
- hi sdEntryPXe ctermfg=darkgreen
- hi sdEntryW ctermfg=darkyellow
- hi sdCap ctermfg=lightblue
- hi sdSetCap ctermfg=black ctermbg=yellow
- hi sdNetwork ctermfg=lightblue
- hi sdNetworkDanger ctermfg=darkred
- hi sdCapKey cterm=underline ctermfg=lightblue
- hi sdCapDanger ctermfg=darkred
- hi sdRLimit ctermfg=lightblue
- hi def link sdEntryR Normal
- hi def link sdEntryK Normal
- hi def link sdFlags Normal
- hi sdEntryChangeProfile ctermfg=darkgreen cterm=underline
-"else
-" dark background
-" hi sdProfileName ctermfg=white
-" hi sdHatName ctermfg=white
-" hi sdGlob ctermfg=magenta
-" hi sdEntryWriteExec ctermfg=black ctermbg=yellow
-" hi sdEntryUX ctermfg=red cterm=underline
-" hi sdEntryUXe ctermfg=red
-" hi sdEntryIX ctermfg=cyan
-" hi sdEntryM ctermfg=cyan
-" hi sdEntryPX ctermfg=green cterm=underline
-" hi sdEntryPXe ctermfg=green
-" hi sdEntryW ctermfg=yellow
-" hi sdCap ctermfg=lightblue
-" hi sdCapKey cterm=underline ctermfg=lightblue
-" hi def link sdEntryR Normal
-" hi def link sdFlags Normal
-" hi sdCapDanger ctermfg=red
-"endif
-
-hi def link sdInclude Include
-high def link sdComment Comment
-"high def link sdComment2 Comment
-high def link sdFlagKey TODO
-high def link sdError ErrorMsg
-
-
-" always sync from the start. should be relatively quick since we don't have
-" that many rules and profiles shouldn't be _extremely_ large...
-syn sync fromstart
-
-syn keyword sdFlagKey complain debug
-
-" highlight invalid syntax
-syn match sdError /{/ contained
-syn match sdError /}/
-syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
-" TODO: do not mark lines containing only whitespace as error
-
-" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
-" This allows incorrect lines also and should be checked better.
-" This also (accidently ;-) includes variable definitions (@{FOO}=/bar)
-" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
-syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/
-
-syn match sdAlias /\v^alias\s+(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
-
-" syn match sdComment /#.*/
-
-syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile
-
-
-" TODO: support audit and deny keywords for all rules (not only for files)
-" TODO: higlight audit and deny keywords everywhere
-
-" Capability line
-
-" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
-syn keyword sdCapKey chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
-
-" dangerous capabilities - highlighted separately
-syn keyword sdCapDanger sys_admin audit_control audit_write set_fcap mac_override mac_admin
-
-" full line. Keywords are from sdCapKey + sdCapDanger
-syn match sdCap /\v^\s*(audit\s+)?(deny\s+)?capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" set capability was removed - TODO: remove everywhere in apparmor.vim
-" syn match sdSetCap /\v^\s*set\s+capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" Network line
-" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
-" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
-syn match sdNetwork /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(stream|dgram|seqpacket|rdm|packet))?(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" network rules containing 'raw'
-syn match sdNetworkDanger /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(raw))(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" 'all networking' includes raw -> mark as dangerous
-syn match sdNetworkDanger /\v^\s*(audit\s+)?(deny\s+)?network\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" Change Profile
-" TODO: audit and deny support will be added (JJ, 2011-01-11)
-syn match sdEntryChangeProfile /\v^\s*change_profile\s+-\>\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" rlimit
-" TODO: audit and deny support will be added (JJ, 2011-01-11)
-"
-"syn match sdRLimit /\v^\s*rlimit\s+()\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-
-" link rules
-syn match sdEntryW /\v^\s+(audit\s+)?(deny\s+)?(owner\s+)?link\s+(subset\s+)?(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
-
-
-" file permissions
-"
-" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
-"
-" write + exec/mmap - danger!
-" known bug: accepts 'aw' to keep things simple
-syn match sdEntryWriteExec /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|a|m|k|[iuUpPcC]x)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" ux(mr) - unconstrained entry, flag the line red
-syn match sdEntryUX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Ux(mr) - like ux + clean environment
-syn match sdEntryUXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
-syn match sdEntryPX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|px|cx|pix|cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
-syn match sdEntryPXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Px|Cx|Pix|Cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" ix(mr) - standard exec entry, flag the line green
-syn match sdEntryIX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ix)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" mr - mmap with PROT_EXEC
-syn match sdEntryM /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" if we've got u or i without x, it's an error
-" rule is superfluous because of the '/.*/ is an error' rule ;-)
-"syn match sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k|u|p|i)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write + append is an error also
-"syn match sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(\S*r\S*a\S*|\S*a\S*w\S*)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-syn match sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+\S*(w\S*a|a\S*w)\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write entry, flag the line yellow
-syn match sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" append entry, flag the line yellow
-syn match sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|a|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" read entry + locking, currently no highlighting
-syn match sdEntryK /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rlk]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" read entry, no highlighting
-syn match sdEntryR /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-syn match sdExtHat /\v^\s+(\^|profile\s+)\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment " hat without {...}
-
-
-
-
-syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
-syn match sdProfileStart /{/ contained
-syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
- " TODO: Removing the $ mark from end= will allow non-comments also :-(
-syn match sdHatName /\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdFlags,sdComment
-syn match sdHatStart /{/ contained
-syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
-syn match sdFlags /\v((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)/ contained contains=sdFlagKey
-
-syn match sdComment /\s*#.*$/
-" NOTE: contains=sdComment changes #include highlighting to comment color.
-" NOTE: Comment highlighting still works without contains=sdComment.
-syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
-syn match sdInclude /\s*include\s<\S*>/ " TODO: doesn't check until $
-
-" basic profile block...
-" \s+ does not work in end=, therefore using \s\s*
-syn region Normal start=/\v^(profile\s+)?\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
-syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
-
-
diff --git a/utils/vim/Makefile b/utils/vim/Makefile
index 1ecb40c0c..4eb1947de 100644
--- a/utils/vim/Makefile
+++ b/utils/vim/Makefile
@@ -1,5 +1,18 @@
-apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
-	sh create-apparmor.vim.sh
+COMMONDIR=../../common/
+
+all:
+include common/Make.rules
+
+COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
+ifeq ($(COMMONDIR_EXISTS), true)
+common/Make.rules: $(COMMONDIR)/Make.rules
+	ln -sf $(COMMONDIR) .
+endif
+
+all: apparmor.vim
+
+apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
+	python create-apparmor.vim.py > $@
 
 clean:
 	rm -f apparmor.vim
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
new file mode 100644
index 000000000..1afcec38e
--- /dev/null
+++ b/utils/vim/create-apparmor.vim.py
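Review bot: The new `apparmor.vim` recipe redirects straight into `$@`, so when `create-apparmor.vim.py` exits non-zero (it does so after a failed `make list_capabilities` or `list_af_names`) the shell has already truncated `apparmor.vim`, leaving an empty file that is newer than its prerequisites and is treated as up to date by the next run. Write to a temporary and rename only on success, `python create-apparmor.vim.py > $@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:` to the Makefile, and have `clean` remove the temporary as well. `all` and `clean` are also not declared with `.PHONY: all clean`, so a stray file of either name would stop them from running. The generator is invoked as bare `python`; a `PYTHON ?= python` knob would let packagers pin the interpreter the script's Python 2 syntax (`except OSError, e`, `print >>`) requires.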
@@ -0,0 +1,108 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Written by Steve Beattie , based on work by
+# Christian Boltz
+
+import os
+import re
+import subprocess
+import sys
+
+# dangerous capabilities
+danger_caps=["audit_control",
+             "audit_write",
+             "mac_override",
+             "mac_admin",
+             "set_fcap",
+             "sys_admin",
+             "sys_module",
+             "sys_rawio"]
+
+aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
+
+aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)'
+
+def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
+    '''Try to execute given command (array) and return its stdout, or
+    return a textual error if it failed.'''
+
+    try:
+        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
+    except OSError, e:
+        return [127, str(e)]
+
+    out, outerr = sp.communicate(input)
+
+    # Handle redirection of stdout
+    if out == None:
+        out = ''
+    # Handle redirection of stderr
+    if outerr == None:
+        outerr = ''
+    return [sp.returncode,out+outerr]
+
+# get capabilities list
+(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+if rc != 0:
+    print >>sys.stderr, ("make list_capabilities failed: " + output)
+    exit(rc)
+
+capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+benign_caps =[]
+for cap in capabilities:
+    if cap not in danger_caps:
+        benign_caps.append(cap)
+
+# get network protos list
+(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+if rc != 0:
+    print >>sys.stderr, ("make list_af_names failed: " + output)
+    exit(rc)
+
+af_names = []
+af_pairs = re.sub('AF_', '', output.strip()).lower().split(",")
+for af_pair in af_pairs:
+    af_name = af_pair.lstrip().split(" ")[0]
+    # skip max af name definition
+    if len(af_name) > 0 and af_name != "max":
+        af_names.append(af_name)
+
+# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey,
+# but not in aa_flags...
+# -> currently (2011-01-11) not, but might come back
+
+aa_regex_map = {
+    'FILE': r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+',
+    'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+',
+    'auditdenyowner': r'(audit\s+)?(deny\s+)?(owner\s+)?',
+    'auditdeny': r'(audit\s+)?(deny\s+)?',
+    'FILENAME': r'(\/|\@\{\S*\})\S*',
+    'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)',
+    'TRANSITION': r'(\s+-\>\s+\S+)?',
+    'sdKapKey': " ".join(benign_caps),
+    'sdKapKeyDanger': " ".join(danger_caps),
+    'sdKapKeyRegex': "|".join(capabilities),
+    'sdNetworkType': aa_network_types,
+    'sdNetworkProto': "|".join(af_names),
+    'flags': r'((flags\s*\=\s*)?\(\s*' + aa_flags + r'(\s*,\s*' + aa_flags + r')*\s*\)\s+)',
+}
+
+def my_repl(matchobj):
+    #print matchobj.group(1)
+    if matchobj.group(1) in aa_regex_map:
+        return aa_regex_map[matchobj.group(1)]
+
+    return matchobj.group(0)
+
+regex = "@@(" + "|".join(aa_regex_map) + ")@@"
+
+with file("apparmor.vim.in") as template:
+    for line in template:
+        line = re.sub(regex, my_repl, line.rstrip())
+        print line
diff --git a/utils/vim/create-apparmor.vim.sh b/utils/vim/create-apparmor.vim.sh
deleted file mode 100755
index 1652611ba..000000000
--- a/utils/vim/create-apparmor.vim.sh
+++ /dev/null
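Review bot: Every capability that `make list_capabilities` reports and that is not in the hard-coded `danger_caps` list lands in `benign_caps` (the loop after `capabilities = ...`), so a capability the kernel header gains later, or a name that does not match the list exactly, is silently given the non-dangerous colour in the generated highlighter; with the old shell script an unknown capability at least fell through to `sdError`. The list already looks susceptible to this: the kernel spells the file-capability bit `CAP_SETFCAP` as far as I recall, which this script lowercases to `setfcap`, so the `set_fcap` entry here would never match and that capability would be highlighted as benign — worth confirming against the header output. I'd make the classification fail closed: keep an explicit benign allowlist (the deleted create-apparmor.vim.sh had one) and derive `danger_caps` as everything else the header reports, warning on stderr about allowlist entries the header does not know. Separately, `cmd()` defaults to `stderr=subprocess.STDOUT` and returns `out+outerr`, so any make warning printed on stderr would be split into bogus capability or address-family names; parse stdout only and print stderr just on failure.
```python
# capabilities that are NOT highlighted as dangerous; anything the kernel
# header reports that is not listed here gets the sdCapDanger colour, so a
# capability added later fails closed (loud) instead of silently benign
benign_caps = ["chown", "dac_override", "dac_read_search", "fowner", "fsetid",
               "kill", "setgid", "setuid", "setpcap", "linux_immutable",
               "net_bind_service", "net_broadcast", "net_admin", "net_raw",
               "ipc_lock", "ipc_owner", "sys_chroot", "sys_ptrace", "sys_pacct",
               "sys_boot", "sys_nice", "sys_resource", "sys_time",
               "sys_tty_config", "syslog", "mknod", "lease"]

# ... unchanged: aa_network_types, aa_flags, cmd(), list_capabilities call and rc check ...
capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
danger_caps = [cap for cap in capabilities if cap not in benign_caps]
stale = [cap for cap in benign_caps if cap not in capabilities]
if stale:
    print >>sys.stderr, ("warning: benign_caps entries not reported by the kernel header: " + " ".join(stale))
```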
@@ -1,129 +0,0 @@
-#!/bin/bash
-
-# not-too-dangerous capabilities
-sdKapKey="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease"
-
-# dangerous capabilities
-sdKapKeyDanger="audit_control audit_write mac_override mac_admin set_fcap sys_admin sys_module sys_rawio"
-
-sdNetworkProto="inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth"
-
-sdNetworkType='\s+tcp|\s+udp|\s+icmp'
-
-sdFlags="complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative"
-# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey, but not in sdFlags...
-# -> currently (2011-01-11) not, but might come back
-
-sdKapKeyRegex="$(echo "$sdKapKey $sdKapKeyDanger" | sed 's/ /|/g')"
-
-sdFlagsRegex="($sdFlags)"
-
-# '@@FILE@@' '\v^\s*((owner\s+)|(audit\s+)|(deny\s+))*(\/|\@\{\S*\})\S*\s+' \
-replace \
- '@@FILE@@' '\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+' \
- '@@DENYFILE@@' '\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+' \
- '@@auditdenyowner@@' '(audit\s+)?(deny\s+)?(owner\s+)?' \
- '@@auditdeny@@' '(audit\s+)?(deny\s+)?' \
- '@@FILENAME@@' '(\/|\@\{\S*\})\S*' \
- '@@EOL@@' '\s*,(\s*$|(\s*#.*$)\@=)' \
- '@@TRANSITION@@' '(\s+-\>\s+\S+)?' \
- '@@sdKapKey@@' "$sdKapKey" \
- '@@sdKapKeyDanger@@' "$sdKapKeyDanger" \
- '@@sdKapKeyRegex@@' "$sdKapKeyRegex" \
- '@@sdNetworkProto@@' "$sdNetworkProto" \
- '@@sdNetworkType@@' "$sdNetworkType" \
- '@@flags@@' "((flags\s*\=\s*)?\(\s*$sdFlagsRegex(\s*,\s*$sdFlagsRegex)*\s*\)\s+)" \
- \
-< apparmor.vim.in \
-> apparmor.vim
-
-
-# @@FILE@@: Start of a file rule (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
-# @@FILENAME@@: Just a filename (taken from @@FILE@@)
-# @@EOL@@: End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
-
-
-# I had to learn that vim has a restriction on the number of (...) I may use in
-# a RegEx (up to 9 are allowed), and therefore had to change the RegEx that
-# matches tcp/udp/icmp from "(\s+(tcp|udp|icmp))?" to
-# "(\s+tcp|\s+udp|\s+icmp)?". *argh*
-# (sdNetworkProto could be changed the same way if needed)
-
-
-# TODO: permissions first
-# valid rules:
-# owner rw /foo,
-# owner /foo rw,
-
-# INVALID rules
-# rw owner /foo,
-# rw /foo owner,
-# /foo owner rw,
-# /foo rw owner,
-
-
-# the *** proposed *** syntax for owner= and user= is
-#
-# owner=
-# owner='('')'
-#
-# where the list followed the syntax for the flags value, however the list
-# syntax part needs to be made consistent, ie. we either need to fix the
-# flags list separator or make the list separator here the same as flags
-# and also fix it for variables, etc. switching flags to use just whitespace
-# is by far the easiest.
-#
-# So going with the whitespace separator we would have
-# owner=jj /foo r,
-# owner=(jj) /foo r,
-# owner=(jj smb) /foo r,
-
-# > capability dac_override {
-# > /file/bar rw,
-# > }
-# > capability chown {
-# > /file/bar (user1, user2),
-# > }
-# > (Are those things specific to dac_override and chown?)
-# >
-# Hehe, now your veering even more into unimplemented stuff :) Those where
-# merely proposed syntax and I don't believe we are using them now.
-# The idea behind those was a way to enhance the capabilities and remain
-# backwards compatible.
-#
-# And use the syntax for each would have to be capability (or type specific)
-#
-# eg. for chown we could have a path and user
-#
-# chown /foo to (user1 user2),
-#
-# but for setuid it wouldn't have a path.
-# setuid to (user1 user2)
-#
-#
-# > uses ipc,
-# > ipc rw /profile,
-# > ipc signal w (child) /profile,
-# > deny ipc signal w (kill) /profile,
-# >
-# > Which keywords can apply to ipc? I'd guess audit and deny. What about
-# > owner?
-# >
-# owner and user could be selectively applied but not to allow of ipc
-#
-# owner doesn't really make sense for signal, but user might this is just
-# another place we need to look at before we commit to the syntax.
-#
-# ipc may hit spring 2011
-
-
-# > That all said: are there some example profiles I could use to test
-# > apparmor.vim?
-# >
-# Hrmmm, yes. The goal is to keep adding to the parser test suite, and
-# get it to contain at least on example of every valid syntax and also
-# example profiles of invalid syntax. I won't say that the coverage
-# is complete yet but it does have hundreds of simple examples.
-#
-# it can be found in parser/tst/simple_tests/
-#