mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
9bb81e1ed3
This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
available since the 2.6.25 kernel, according to the getrlimit(2)
man page; see that man page for more details on this rlimit.
An acceptance test is also added, as well as an update to the
apparmor.vim input template.
While reviewing to see what made sense in apparmor.vim for the rttime
rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not
seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This
necessitated not sharing the case switch with RLIMIT_CPU. I didn't add
a keyword for microseconds, but I did for milliseconds. I also don't
accept any unit larger than minutes, as it didn't seem appropriate
(and even minutes felt... gratuitous). I would appreciate feedback
on what keywords would be useful here.
Patch History:
v1: initial submission
v2: - add apparmor.vim support for rttime keyword
- adjust RLIMIT_TIME value assignment due to its units being
microseconds, not seconds, and add milliseconds keyword.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
196 lines
9.2 KiB
VimL
196 lines
9.2 KiB
VimL
" ----------------------------------------------------------------------
|
|
" Copyright (c) 2005 Novell, Inc. All Rights Reserved.
|
|
" Copyright (c) 2006-2012 Christian Boltz. All Rights Reserved.
|
|
"
|
|
" This program is free software; you can redistribute it and/or
|
|
" modify it under the terms of version 2 of the GNU General Public
|
|
" License as published by the Free Software Foundation.
|
|
"
|
|
" This program is distributed in the hope that it will be useful,
|
|
" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
" GNU General Public License for more details.
|
|
"
|
|
" You should have received a copy of the GNU General Public License
|
|
" along with this program; if not, contact Novell, Inc.
|
|
"
|
|
" To contact Novell about this file by physical or electronic mail,
|
|
" you may find current contact information at www.novell.com.
|
|
"
|
|
" To contact Christian Boltz about this file by physical or electronic
|
|
" mail, you may find current contact information at www.cboltz.de/en/kontakt.
|
|
"
|
|
" If you want to report a bug via bugzilla.novell.com, please assign it
|
|
" to suse-beta[AT]cboltz.de (replace [AT] with @).
|
|
" ----------------------------------------------------------------------
|
|
"
|
|
" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc
|
|
" to have vim automagically use this syntax file for these directories:
|
|
"
|
|
" autocmd BufNewFile,BufRead /etc/apparmor.d/* set syntax=apparmor
|
|
" autocmd BufNewFile,BufRead /usr/share/apparmor/extra-profiles/* set syntax=apparmor
|
|
|
|
" profiles are case sensitive
|
|
syntax case match
|
|
|
|
" color setup...
|
|
|
|
" adjust colors according to the background
|
|
|
|
" switching colors depending on the background color doesn't work
|
|
" unfortunately, so we use colors that work with light and dark background.
|
|
" Patches welcome ;-)
|
|
|
|
"if &background == "light"
|
|
" light background
|
|
hi sdProfileName ctermfg=lightblue
|
|
hi sdHatName ctermfg=darkblue
|
|
hi sdExtHat ctermfg=darkblue
|
|
" hi sdComment2 ctermfg=darkblue
|
|
hi sdGlob ctermfg=darkmagenta
|
|
hi sdAlias ctermfg=darkmagenta
|
|
hi sdEntryWriteExec ctermfg=black ctermbg=yellow
|
|
hi sdEntryUX ctermfg=darkred cterm=underline
|
|
hi sdEntryUXe ctermfg=darkred
|
|
hi sdEntryIX ctermfg=darkcyan
|
|
hi sdEntryM ctermfg=darkcyan
|
|
hi sdEntryPX ctermfg=darkgreen cterm=underline
|
|
hi sdEntryPXe ctermfg=darkgreen
|
|
hi sdEntryW ctermfg=darkyellow
|
|
hi sdCap ctermfg=lightblue
|
|
hi sdSetCap ctermfg=black ctermbg=yellow
|
|
hi sdNetwork ctermfg=lightblue
|
|
hi sdNetworkDanger ctermfg=darkred
|
|
hi sdCapKey cterm=underline ctermfg=lightblue
|
|
hi sdCapDanger ctermfg=darkred
|
|
hi sdRLimit ctermfg=lightblue
|
|
hi def link sdEntryR Normal
|
|
hi def link sdEntryK Normal
|
|
hi def link sdFlags Normal
|
|
hi sdEntryChangeProfile ctermfg=darkgreen cterm=underline
|
|
"else
|
|
" dark background
|
|
" hi sdProfileName ctermfg=white
|
|
" hi sdHatName ctermfg=white
|
|
" hi sdGlob ctermfg=magenta
|
|
" hi sdEntryWriteExec ctermfg=black ctermbg=yellow
|
|
" hi sdEntryUX ctermfg=red cterm=underline
|
|
" hi sdEntryUXe ctermfg=red
|
|
" hi sdEntryIX ctermfg=cyan
|
|
" hi sdEntryM ctermfg=cyan
|
|
" hi sdEntryPX ctermfg=green cterm=underline
|
|
" hi sdEntryPXe ctermfg=green
|
|
" hi sdEntryW ctermfg=yellow
|
|
" hi sdCap ctermfg=lightblue
|
|
" hi sdCapKey cterm=underline ctermfg=lightblue
|
|
" hi def link sdEntryR Normal
|
|
" hi def link sdFlags Normal
|
|
" hi sdCapDanger ctermfg=red
|
|
"endif
|
|
|
|
hi def link sdInclude Include
|
|
high def link sdComment Comment
|
|
"high def link sdComment2 Comment
|
|
high def link sdFlagKey TODO
|
|
high def link sdError ErrorMsg
|
|
|
|
|
|
" always sync from the start. should be relatively quick since we don't have
|
|
" that many rules and profiles shouldn't be _extremely_ large...
|
|
syn sync fromstart
|
|
|
|
syn keyword sdFlagKey complain debug
|
|
|
|
" highlight invalid syntax
|
|
syn match sdError /{/ contained
|
|
syn match sdError /}/
|
|
syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
|
|
" TODO: do not mark lines containing only whitespace as error
|
|
|
|
" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
|
|
" This allows incorrect lines also and should be checked better.
|
|
" This also (accidently ;-) includes variable definitions (@{FOO}=/bar)
|
|
" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
|
|
syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/
|
|
|
|
syn match sdAlias /\v^alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
|
|
|
|
" syn match sdComment /#.*/
|
|
|
|
syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile
|
|
|
|
|
|
" TODO: support audit and deny keywords for all rules (not only for files)
|
|
" TODO: higlight audit and deny keywords everywhere
|
|
|
|
" Capability line
|
|
|
|
" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
|
|
syn keyword sdCapKey @@sdKapKey@@
|
|
|
|
" dangerous capabilities - highlighted separately
|
|
syn keyword sdCapDanger @@sdKapKeyDanger@@
|
|
|
|
" full line. Keywords are from sdCapKey + sdCapDanger
|
|
syn match sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
|
" all capabilities ('capability' without any keyword)
|
|
syn match sdCapDanger /\v^\s*@@auditdeny@@capability@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
|
|
|
" Network line
|
|
" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
|
|
" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
|
|
syn match sdNetwork /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(stream|dgram|seqpacket|rdm|packet))?(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
|
" network rules containing 'raw'
|
|
syn match sdNetworkDanger /\v^\s*@@auditdeny@@network(\s+(@@sdNetworkProto@@))?(\s+(raw))(@@sdNetworkType@@)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
|
" 'all networking' includes raw -> mark as dangerous
|
|
syn match sdNetworkDanger /\v^\s*@@auditdeny@@network@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
|
|
|
|
|
" Change Profile
|
|
" TODO: audit and deny support will be added (JJ, 2011-01-11)
|
|
syn match sdEntryChangeProfile /\v^\s*change_profile\s+-\>\s+\S+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
|
|
|
|
|
|
" rlimit
|
|
" TODO: audit and deny support will be added (JJ, 2011-01-11)
|
|
"
|
|
"syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|ofile|nproc|rtprio)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment
|
|
syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
|
|
|
|
" link rules
|
|
syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
|
|
|
|
|
|
syn match sdExtHat /\v^\s+(\^|profile\s+)\S+@@EOL@@/ contains=sdComment " hat without {...}
|
|
|
|
|
|
|
|
|
|
syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+@@flags@@=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
|
|
syn match sdProfileStart /{/ contained
|
|
syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
|
|
" TODO: Removing the $ mark from end= will allow non-comments also :-(
|
|
syn match sdHatName /\v^\s+(\^|profile\s+)\S+\s+@@flags@@=\{/ contains=sdProfileStart,sdFlags,sdComment
|
|
syn match sdHatStart /{/ contained
|
|
syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
|
|
syn match sdFlags /\v@@flags@@/ contained contains=sdFlagKey
|
|
|
|
syn match sdComment /\s*#.*$/
|
|
" NOTE: contains=sdComment changes #include highlighting to comment color.
|
|
" NOTE: Comment highlighting still works without contains=sdComment.
|
|
syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
|
|
syn match sdInclude /\s*include\s<\S*>/ " TODO: doesn't check until $
|
|
|
|
" basic profile block...
|
|
" \s+ does not work in end=, therefore using \s\s*
|
|
syn region Normal start=/\v^(profile\s+)?\S+\s+@@flags@@=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
|
|
syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+@@flags@@=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
|
|
|
|
" file permissions
|
|
|