" ---------------------------------------------------------------------- " Copyright (c) 2005 Novell, Inc. All Rights Reserved. " Copyright (c) 2006-2023 Christian Boltz. All Rights Reserved. " " This program is free software; you can redistribute it and/or " modify it under the terms of version 2 of the GNU General Public " License as published by the Free Software Foundation. " " This program is distributed in the hope that it will be useful, " but WITHOUT ANY WARRANTY; without even the implied warranty of " MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the " GNU General Public License for more details. " " You should have received a copy of the GNU General Public License " along with this program; if not, contact Novell, Inc. " " If you want to report a bug for apparmor.vim, please do so at " - https://gitlab.com/apparmor/apparmor/ or " - https://bugzilla.opensuse.org (assign it to suse-beta[AT]cboltz.de) " ---------------------------------------------------------------------- " " stick this file into ~/.vim/syntax/ and add these commands into your .vimrc " to have vim automagically use this syntax file for these directories: " " autocmd BufNewFile,BufRead /etc/apparmor.d/* set syntax=apparmor " autocmd BufNewFile,BufRead /usr/share/apparmor/extra-profiles/* set syntax=apparmor " profiles are case sensitive syntax case match " color setup... " adjust colors according to the background " switching colors depending on the background color doesn't work " unfortunately, so we use colors that work with light and dark background. " Patches welcome ;-) "if &background == "light" " light background hi sdProfileName ctermfg=lightblue hi sdHatName ctermfg=darkblue hi sdExtHat ctermfg=darkblue " hi sdComment2 ctermfg=darkblue hi sdGlob ctermfg=darkmagenta hi sdAlias ctermfg=darkmagenta hi sdAll ctermfg=darkred ctermbg=yellow hi sdEntryWriteExec ctermfg=black ctermbg=yellow hi sdEntryUX ctermfg=darkred cterm=underline hi sdEntryUXe ctermfg=darkred hi sdEntryIX ctermfg=darkcyan hi sdEntryM ctermfg=darkcyan hi sdEntryPX ctermfg=darkgreen cterm=underline hi sdEntryPXe ctermfg=darkgreen hi sdEntryW ctermfg=darkyellow hi sdCap ctermfg=lightblue hi sdSetCap ctermfg=black ctermbg=yellow hi sdNetwork ctermfg=lightblue hi sdNetworkDanger ctermfg=darkred hi sdCapKey cterm=underline ctermfg=lightblue hi sdCapDanger ctermfg=darkred hi sdRLimit ctermfg=lightblue hi def link sdEntryR Normal hi def link sdEntryK Normal hi def link sdFlags Normal hi sdEntryChangeProfile ctermfg=darkgreen cterm=underline "else " dark background " hi sdProfileName ctermfg=white " hi sdHatName ctermfg=white " hi sdGlob ctermfg=magenta " hi sdEntryWriteExec ctermfg=black ctermbg=yellow " hi sdEntryUX ctermfg=red cterm=underline " hi sdEntryUXe ctermfg=red " hi sdEntryIX ctermfg=cyan " hi sdEntryM ctermfg=cyan " hi sdEntryPX ctermfg=green cterm=underline " hi sdEntryPXe ctermfg=green " hi sdEntryW ctermfg=yellow " hi sdCap ctermfg=lightblue " hi sdCapKey cterm=underline ctermfg=lightblue " hi def link sdEntryR Normal " hi def link sdFlags Normal " hi sdCapDanger ctermfg=red "endif hi def link sdInclude Include high def link sdComment Comment "high def link sdComment2 Comment high def link sdFlagKey TODO high def link sdError ErrorMsg " always sync from the start. should be relatively quick since we don't have " that many rules and profiles shouldn't be _extremely_ large... syn sync fromstart syn keyword sdFlagKey complain debug " highlight invalid syntax syn match sdError /{/ contained syn match sdError /}/ syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error " TODO: do not mark lines containing only whitespace as error " TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.* " This allows incorrect lines also and should be checked better. " This also (accidentally ;-) includes variable definitions (@{FOO}=/bar) " TODO: make a separate pattern for variable definitions, then mark sdGlob as contained syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/ syn match sdAlias /\v^\s*alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment " syn match sdComment /#.*/ " List of all (supported) rules inside a profile. " XXX When adding support for a new rule type, also add it here. XXX " XXX Otherwise it will be highlighted as an error. XXX syn cluster sdEntry contains=sdAll,sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile " TODO: support audit and deny keywords for all rules (not only for files) " TODO: highlight audit and deny keywords everywhere " 'all' rule syn match sdAll /\v^\s*@@auditdeny@@all@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " Capability line " normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining) syn keyword sdCapKey @@sdKapKey@@ " dangerous capabilities - highlighted separately syn keyword sdCapDanger @@sdKapKeyDanger@@ " full line. Keywords are from sdCapKey + sdCapDanger syn match sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " all capabilities ('capability' without any keyword) syn match sdCapDanger /\v^\s*@@auditdeny@@capability@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " Network line " Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...) " TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11) syn match sdNetwork /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(stream|dgram|seqpacket|rdm|packet))?(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " network rules containing 'raw' syn match sdNetworkDanger /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(raw))(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " 'all networking' includes raw -> mark as dangerous syn match sdNetworkDanger /\v^\s*@@auditdeny@@network@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " Change Profile syn match sdEntryChangeProfile /\v^\s*@@auditdeny@@change_profile\s+(safe\s+[/@]\S+|unsafe\s+[/@]\S+|[/@]\S+)?\s*(-\>\s*\S+)?@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " bare change_profile rule syn match sdEntryChangeProfile /\v^\s*@@auditdeny@@change_profile@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude " rlimit " TODO: audit and deny support will be added (JJ, 2011-01-11) " "syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|ofile|nproc|rtprio)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment " link rules syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment syn match sdExtHat /\v^\s+(\^|hat\s+|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...} syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+@@flags@@=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob syn match sdProfileStart /{/ contained syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end= " TODO: Removing the $ mark from end= will allow non-comments also :-( syn match sdHatName /\v^\s+(\^|hat\s+|profile\s+)\S+\s+@@flags@@=\{/ contains=sdProfileStart,sdFlags,sdComment syn match sdHatStart /{/ contained syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd] syn match sdFlags /\v@@flags@@/ contained contains=sdFlagKey syn match sdComment /\s*#.*$/ " NOTE: contains=sdComment changes #include highlighting to comment color. " NOTE: Comment highlighting still works without contains=sdComment. syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $ syn match sdInclude /\s*include\s<\S*>/ " TODO: doesn't check until $ syn match sdInclude /\s*#include\sif\sexists\s<\S*>/ " TODO: doesn't check until $ syn match sdInclude /\s*include\sif\sexists\s<\S*>/ " TODO: doesn't check until $ syn match sdInclude /\s*abi\s<\S*>\s*,/ contains=sdComment " TODO: doesn't check until $ " basic profile block... " \s+ does not work in end=, therefore using \s\s* syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude syn region Hat start=/\v^\s+(\^|hat\s+|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude " file permissions