Subject: rewrite apparmor.vim generation and integrate into build

This patch replaces the apparmor.vim generating script with a python version that eliminates the need for using the replace tool from the mysql-server package. It makes use of the automatically generated lists of capabilities and network protocols provided by the build infrastructure. I did not capture all the notes and TODOs that Christian had in the shell script; I can do so if desired. It also hooks the generation of the apparmor.vim file into the utils/ build and clean stages.
2025-03-04 16:35:02 +01:00 · 2012-03-22 13:26:20 -07:00 · 2012-03-22 13:26:20 -07:00 · b4feb99841
commit b4feb99841
parent 63c43ae9f5
5 changed files with 125 additions and 365 deletions
--- a/utils/Makefile
+++ b/utils/Makefile
@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5
 all: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) -C po all
 	$(MAKE) -C vim all
 # need some better way of determining this
 DESTDIR=/
@ -67,6 +68,7 @@ clean: _clean
 	rm -f core core.* *.o *.s *.a *~
 	rm -f Make.rules
 	$(MAKE) -C po clean
 	$(MAKE) -C vim clean
 # ${CAPABILITIES} is defined in common/Make.rules
 .PHONY: check_severity_db
--- a/utils/apparmor.vim
+++ b/utils/apparmor.vim
@ -1,234 +0,0 @@
 " $Id: apparmor.vim,v 1.11 2011/01/31 22:48:07 cb Exp $
 "
 " ----------------------------------------------------------------------
 "    Copyright (c) 2005 Novell, Inc. All Rights Reserved.
 "    Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
 "      
 "    This program is free software; you can redistribute it and/or
 "    modify it under the terms of version 2 of the GNU General Public
 "    License as published by the Free Software Foundation.
 "      
 "    This program is distributed in the hope that it will be useful,
 "    but WITHOUT ANY WARRANTY; without even the implied warranty of
 "    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 "    GNU General Public License for more details.
 "      
 "    You should have received a copy of the GNU General Public License
 "    along with this program; if not, contact Novell, Inc.
 "      
 "    To contact Novell about this file by physical or electronic mail, 
 "    you may find current contact information at www.novell.com.
 "
 "    To contact Christian Boltz about this file by physical or electronic
 "    mail, you may find current contact information at www.cboltz.de/en/kontakt.
 "
 "    If you want to report a bug via bugzilla.novell.com, please assign it
 "    to suse-beta[AT]cboltz.de (replace [AT] with @).
 " ----------------------------------------------------------------------
 "
 " stick this file into ~/.vim/syntax/ and add these commands into your .vimrc 
 " to have vim automagically use this syntax file for these directories:
 "
 " autocmd BufNewFile,BufRead /etc/apparmor.d/*        set syntax=apparmor
 " autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor
 " profiles are case sensitive
 syntax case match
 " color setup...
 " adjust colors according to the background
 " switching colors depending on the background color doesn't work
 " unfortunately, so we use colors that work with light and dark background.
 " Patches welcome ;-)
 "if &background == "light"
 " light background
 	hi sdProfileName ctermfg=lightblue
 	hi sdHatName ctermfg=darkblue
 	hi sdExtHat ctermfg=darkblue
 "	hi sdComment2 ctermfg=darkblue
 	hi sdGlob       ctermfg=darkmagenta
 	hi sdAlias      ctermfg=darkmagenta
 	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
 	hi sdEntryUX     ctermfg=darkred cterm=underline
 	hi sdEntryUXe     ctermfg=darkred
 	hi sdEntryIX     ctermfg=darkcyan
 	hi sdEntryM     ctermfg=darkcyan
 	hi sdEntryPX     ctermfg=darkgreen cterm=underline
 	hi sdEntryPXe     ctermfg=darkgreen
 	hi sdEntryW     ctermfg=darkyellow
 	hi sdCap	ctermfg=lightblue
 	hi sdSetCap     ctermfg=black ctermbg=yellow
 	hi sdNetwork	ctermfg=lightblue
 	hi sdNetworkDanger ctermfg=darkred
 	hi sdCapKey	cterm=underline ctermfg=lightblue
 	hi sdCapDanger ctermfg=darkred
 	hi sdRLimit ctermfg=lightblue
 	hi def link sdEntryR Normal
 	hi def link sdEntryK Normal
 	hi def link sdFlags Normal
 	hi sdEntryChangeProfile     ctermfg=darkgreen cterm=underline
 "else 
 " dark background
 "	hi sdProfileName ctermfg=white
 "	hi sdHatName ctermfg=white
 "	hi sdGlob       ctermfg=magenta
 "	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
 "	hi sdEntryUX     ctermfg=red cterm=underline
 "	hi sdEntryUXe     ctermfg=red
 "	hi sdEntryIX     ctermfg=cyan
 "	hi sdEntryM     ctermfg=cyan
 "	hi sdEntryPX     ctermfg=green cterm=underline
 "	hi sdEntryPXe     ctermfg=green
 "	hi sdEntryW     ctermfg=yellow
 "	hi sdCap	ctermfg=lightblue
 "	hi sdCapKey	cterm=underline ctermfg=lightblue
 "	hi def link sdEntryR Normal
 "	hi def link sdFlags Normal
 "	hi sdCapDanger ctermfg=red
 "endif
 hi def link sdInclude     Include
 high def link sdComment     Comment
 "high def link sdComment2     Comment
 high def link sdFlagKey     TODO
 high def link sdError      ErrorMsg
 " always sync from the start.  should be relatively quick since we don't have
 " that many rules and profiles shouldn't be _extremely_ large...
 syn sync fromstart
 syn keyword	sdFlagKey	complain debug
 " highlight invalid syntax
 syn match sdError /{/ contained
 syn match sdError /}/
 syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
 " TODO: do not mark lines containing only whitespace as error
 " TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
 " This allows incorrect lines also and should be checked better.
 " This also (accidently ;-) includes variable definitions (@{FOO}=/bar)
 " TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
 syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/
 syn match sdAlias /\v^alias\s+(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
 " syn match sdComment /#.*/
 syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile
 " TODO: support audit and deny keywords for all rules (not only for files)
 " TODO: higlight audit and deny keywords everywhere
 " Capability line
 " normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
 syn keyword  sdCapKey          chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
 " dangerous capabilities - highlighted separately
 syn keyword sdCapDanger	       sys_admin audit_control audit_write set_fcap mac_override mac_admin
 " full line. Keywords are from sdCapKey + sdCapDanger
 syn match  sdCap /\v^\s*(audit\s+)?(deny\s+)?capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " set capability was removed - TODO: remove everywhere in apparmor.vim
 " syn match  sdSetCap /\v^\s*set\s+capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " Network line
 " Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
 " TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
 syn match  sdNetwork         /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(stream|dgram|seqpacket|rdm|packet))?(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " network rules containing 'raw'
 syn match  sdNetworkDanger         /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(raw))(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " 'all networking' includes raw -> mark as dangerous
 syn match  sdNetworkDanger         /\v^\s*(audit\s+)?(deny\s+)?network\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " Change Profile
 " TODO: audit and deny support will be added (JJ, 2011-01-11)
 syn match   sdEntryChangeProfile    /\v^\s*change_profile\s+-\>\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " rlimit
 " TODO: audit and deny support will be added (JJ, 2011-01-11)
 "
 "syn match sdRLimit /\v^\s*rlimit\s+()\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
 " link rules
 syn match sdEntryW /\v^\s+(audit\s+)?(deny\s+)?(owner\s+)?link\s+(subset\s+)?(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
 " file permissions
 "
 " TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
 "
 " write + exec/mmap - danger!
 " known bug: accepts 'aw' to keep things simple
 syn match  sdEntryWriteExec /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|a|m|k|[iuUpPcC]x)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " ux(mr) - unconstrained entry, flag the line red
 syn match  sdEntryUX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " Ux(mr) - like ux + clean environment
 syn match  sdEntryUXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
 syn match  sdEntryPX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|px|cx|pix|cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
 syn match  sdEntryPXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Px|Cx|Pix|Cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " ix(mr) - standard exec entry, flag the line green
 syn match  sdEntryIX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ix)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " mr - mmap with PROT_EXEC
 syn match  sdEntryM /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " if we've got u or i without x, it's an error
 " rule is superfluous because of the '/.*/ is an error' rule ;-)
 "syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k|u|p|i)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " write + append is an error also
 "syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(\S*r\S*a\S*|\S*a\S*w\S*)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+\S*(w\S*a|a\S*w)\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " write entry, flag the line yellow
 syn match  sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " append entry, flag the line yellow
 syn match  sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|a|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " read entry + locking, currently no highlighting
 syn match  sdEntryK /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rlk]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " read entry, no highlighting
 syn match  sdEntryR /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 syn match sdExtHat  /\v^\s+(\^|profile\s+)\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment " hat without {...}
 syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
 syn match sdProfileStart /{/ contained 
 syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
                                                " TODO: Removing the $ mark from end= will allow non-comments also :-(
 syn match sdHatName /\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdFlags,sdComment
 syn match sdHatStart /{/ contained 
 syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
 syn match sdFlags /\v((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)/ contained contains=sdFlagKey
 syn match sdComment /\s*#.*$/
 " NOTE: contains=sdComment changes #include highlighting to comment color.
 " NOTE: Comment highlighting still works without contains=sdComment.
 syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
 syn match sdInclude /\s*include\s<\S*>/  " TODO: doesn't check until $
 " basic profile block...
 " \s+ does not work in end=, therefore using \s\s*
 syn region Normal start=/\v^(profile\s+)?\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
 syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
--- a/utils/vim/Makefile
+++ b/utils/vim/Makefile
@ -1,5 +1,18 @@
-apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
+COMMONDIR=../../common/
-	sh create-apparmor.vim.sh
+
 all:
 include common/Make.rules
 COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
 ifeq ($(COMMONDIR_EXISTS), true)
 common/Make.rules: $(COMMONDIR)/Make.rules
 	ln -sf $(COMMONDIR) .
 endif
 all: apparmor.vim
 apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
 	python create-apparmor.vim.py > $@
 clean:
 	rm -f apparmor.vim
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@ -0,0 +1,108 @@
 #!/usr/bin/python
 #
 #    Copyright (C) 2012 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 #    Written by Steve Beattie <steve@nxnw.org>, based on work by
 #    Christian Boltz <apparmor@cboltz.de>
 import os
 import re
 import subprocess
 import sys
 # dangerous capabilities
 danger_caps=["audit_control",
             "audit_write",
             "mac_override",
             "mac_admin",
             "set_fcap",
             "sys_admin",
             "sys_module",
             "sys_rawio"]
 aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
 aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)'
 def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
    '''Try to execute given command (array) and return its stdout, or
    return a textual error if it failed.'''
    try:
        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
    except OSError, e:
        return [127, str(e)]
    out, outerr = sp.communicate(input)
    # Handle redirection of stdout
    if out == None:
        out = ''
    # Handle redirection of stderr
    if outerr == None:
        outerr = ''
    return [sp.returncode,out+outerr]
 # get capabilities list
 (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
 if rc != 0:
    print >>sys.stderr, ("make list_capabilities failed: " + output)
    exit(rc)
 capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
 benign_caps =[]
 for cap in capabilities:
    if cap not in danger_caps:
        benign_caps.append(cap)
 # get network protos list
 (rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
 if rc != 0:
    print >>sys.stderr, ("make list_af_names failed: " + output)
    exit(rc)
 af_names = []
 af_pairs = re.sub('AF_', '', output.strip()).lower().split(",")
 for af_pair in af_pairs:
    af_name = af_pair.lstrip().split(" ")[0]
    # skip max af name definition
    if len(af_name) > 0 and af_name != "max":
        af_names.append(af_name)
 # TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey,
 # but not in aa_flags...
 # -> currently (2011-01-11) not, but might come back
 aa_regex_map = {
    'FILE':             r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+',
    'DENYFILE':         r'\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+',
    'auditdenyowner':   r'(audit\s+)?(deny\s+)?(owner\s+)?',
    'auditdeny':        r'(audit\s+)?(deny\s+)?',
    'FILENAME':         r'(\/|\@\{\S*\})\S*',
    'EOL':              r'\s*,(\s*$|(\s*#.*$)\@=)',
    'TRANSITION':       r'(\s+-\>\s+\S+)?',
    'sdKapKey':         " ".join(benign_caps),
    'sdKapKeyDanger':   " ".join(danger_caps),
    'sdKapKeyRegex':    "|".join(capabilities),
    'sdNetworkType':    aa_network_types,
    'sdNetworkProto':   "|".join(af_names),
    'flags':            r'((flags\s*\=\s*)?\(\s*' + aa_flags + r'(\s*,\s*' + aa_flags + r')*\s*\)\s+)',
 }
 def my_repl(matchobj):
    #print matchobj.group(1)
    if matchobj.group(1) in aa_regex_map:
        return aa_regex_map[matchobj.group(1)]
    return matchobj.group(0)
 regex = "@@(" + "|".join(aa_regex_map) + ")@@"
 with file("apparmor.vim.in") as template:
    for line in template:
        line = re.sub(regex, my_repl, line.rstrip())
        print line
--- a/utils/vim/create-apparmor.vim.sh
+++ b/utils/vim/create-apparmor.vim.sh
@ -1,129 +0,0 @@
 #!/bin/bash
 # not-too-dangerous capabilities
 sdKapKey="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease"
 # dangerous capabilities
 sdKapKeyDanger="audit_control audit_write mac_override mac_admin set_fcap sys_admin sys_module sys_rawio"
 sdNetworkProto="inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth"
 sdNetworkType='\s+tcp|\s+udp|\s+icmp'
 sdFlags="complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative"
 # TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey, but not in sdFlags...
 # -> currently (2011-01-11) not, but might come back
 sdKapKeyRegex="$(echo "$sdKapKey $sdKapKeyDanger" | sed 's/ /|/g')"
 sdFlagsRegex="($sdFlags)"
 #	'@@FILE@@'            '\v^\s*((owner\s+)|(audit\s+)|(deny\s+))*(\/|\@\{\S*\})\S*\s+'   \
 replace                                                                                    \
 	'@@FILE@@'            '\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+'     \
 	'@@DENYFILE@@'        '\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+'        \
    '@@auditdenyowner@@'  '(audit\s+)?(deny\s+)?(owner\s+)?'                               \
    '@@auditdeny@@'       '(audit\s+)?(deny\s+)?'                                          \
 	'@@FILENAME@@'        '(\/|\@\{\S*\})\S*'                                              \
 	'@@EOL@@'             '\s*,(\s*$|(\s*#.*$)\@=)'                                        \
 	'@@TRANSITION@@'      '(\s+-\>\s+\S+)?'                                                \
 	'@@sdKapKey@@'        "$sdKapKey"                                                      \
 	'@@sdKapKeyDanger@@'  "$sdKapKeyDanger"                                                \
 	'@@sdKapKeyRegex@@'   "$sdKapKeyRegex"                                                 \
 	'@@sdNetworkProto@@'  "$sdNetworkProto"                                                \
 	'@@sdNetworkType@@'   "$sdNetworkType"                                                 \
 	'@@flags@@'           "((flags\s*\=\s*)?\(\s*$sdFlagsRegex(\s*,\s*$sdFlagsRegex)*\s*\)\s+)"         \
 	                                                                                       \
 < apparmor.vim.in                                                                          \
 > apparmor.vim
 # @@FILE@@: Start of a file rule (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
 # @@FILENAME@@: Just a filename (taken from @@FILE@@)
 # @@EOL@@: End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
 # I had to learn that vim has a restriction on the number of (...) I may use in
 # a RegEx (up to 9 are allowed), and therefore had to change the RegEx that
 # matches tcp/udp/icmp from "(\s+(tcp|udp|icmp))?" to
 # "(\s+tcp|\s+udp|\s+icmp)?". *argh*
 # (sdNetworkProto could be changed the same way if needed)
 # TODO: permissions first
 # valid rules:
 # owner rw /foo,
 # owner /foo rw,
 # INVALID rules
 # rw owner /foo,
 # rw /foo owner,
 # /foo owner rw,
 # /foo rw owner,
 # the *** proposed *** syntax for owner= and user= is
 # 
 # owner=<name> <whitespace> <rule>
 # owner='('<names>')' <whitespace> <rule>
 # 
 # where the list followed the syntax for the flags value, however the list
 # syntax part needs to be made consistent, ie. we either need to fix the
 # flags list separator or make the list separator here the same as flags
 # and also fix it for variables, etc.  switching flags to use just whitespace
 # is by far the easiest.
 # 
 # So going with the whitespace separator we would have
 # owner=jj /foo r,
 # owner=(jj) /foo r,
 # owner=(jj smb) /foo r,
 # > capability dac_override {
 # >     /file/bar rw,
 # > }
 # > capability chown {
 # >    /file/bar (user1, user2),
 # > }
 # > (Are those things specific to dac_override and chown?)
 # > 
 # Hehe, now your veering even more into unimplemented stuff :)  Those where
 # merely proposed syntax and I don't believe we are using them now.
 # The idea behind those was a way to enhance the capabilities and remain
 # backwards compatible.
 # 
 # And use the syntax for each would have to be capability (or type specific)
 # 
 # eg. for chown we could have a path and user
 # 
 #   chown /foo to (user1 user2),
 # 
 # but for setuid it wouldn't have a path.
 #    setuid to (user1 user2)
 #  
 # 
 # > uses ipc,
 # > ipc rw /profile,
 # > ipc signal w (child) /profile,
 # > deny ipc signal w (kill) /profile,
 # > 
 # > Which keywords can apply to ipc? I'd guess audit and deny. What about 
 # > owner?
 # > 
 # owner and user could be selectively applied but not to allow of ipc
 # 
 # owner doesn't really make sense for signal, but user might this is just
 # another place we need to look at before we commit to the syntax.
 #
 # ipc may hit spring 2011
 # > That all said: are there some example profiles I could use to test 
 # > apparmor.vim?
 # > 
 # Hrmmm, yes.  The goal is to keep adding to the parser test suite, and
 # get it to contain at least on example of every valid syntax and also
 # example profiles of invalid syntax.  I won't say that the coverage
 # is complete yet but it does have hundreds of simple examples.
 # 
 # it can be found in parser/tst/simple_tests/
 #