" $Id$
"
" ----------------------------------------------------------------------
" Copyright (c) 2005 Novell, Inc. All Rights Reserved.
" Copyright (c) 2006 Christian Boltz. All Rights Reserved.
"
" This program is free software; you can redistribute it and/or
" modify it under the terms of version 2 of the GNU General Public
" License as published by the Free Software Foundation.
"
" This program is distributed in the hope that it will be useful,
" but WITHOUT ANY WARRANTY; without even the implied warranty of
" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
" GNU General Public License for more details.
"
" You should have received a copy of the GNU General Public License
" along with this program; if not, contact Novell, Inc.
"
" To contact Novell about this file by physical or electronic mail,
" you may find current contact information at www.novell.com.
"
" To contact Christian Boltz about this file by physical or electronic
" mail, you may find current contact information at www.cboltz.de.
" ----------------------------------------------------------------------
"
" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc
" to have vim automagically use this syntax file for these directories:
"
" autocmd BufNewFile,BufRead /etc/apparmor.d/* set syntax=apparmor
" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor

" color setup...
" adjust colors according to the background
" switching colors depending on the background color doesn't work
" unfortunately, so we use colors that work with light and dark background.
" Patches welcome ;-)

" Colour table for the AppArmor syntax groups. The groups that mark risky
" rules (sdEntryWriteExec, sdEntryUX, sdEntryCUX, sdCapDanger) get the most
" conspicuous colours; plain read entries and profile flags are linked to
" Normal and therefore not coloured at all.
"
" NOTE(review): only cterm* attributes are set here and no gui* attributes,
" so these colours presumably do not show up in GUI Vim or with
" 'termguicolors' set -- confirm before relying on the highlighting as a
" visual aid when reviewing profiles.

"if &background == "light"
    " light background
    highlight sdProfileName    ctermfg=lightblue
    highlight sdHatName        ctermfg=darkblue
    highlight sdGlob           ctermfg=darkmagenta
    highlight sdEntryWriteExec ctermfg=black ctermbg=yellow
    highlight sdEntryUX        ctermfg=darkred cterm=underline
    highlight sdEntryCUX       ctermfg=darkred
    highlight sdEntryIX        ctermfg=darkcyan
    highlight sdEntryM         ctermfg=darkcyan
    highlight sdEntryPX        ctermfg=darkgreen cterm=underline
    highlight sdEntryCPX       ctermfg=darkgreen
    highlight sdEntryW         ctermfg=darkyellow
    highlight sdCap            ctermfg=lightblue
    highlight sdCapKey         cterm=underline ctermfg=lightblue
    highlight default link sdEntryR Normal
    highlight default link sdFlags  Normal
    highlight sdCapDanger      ctermfg=darkred
"else
    " dark background
"    hi sdProfileName ctermfg=white
"    hi sdHatName ctermfg=white
"    hi sdGlob ctermfg=magenta
"    hi sdEntryWriteExec ctermfg=black ctermbg=yellow
"    hi sdEntryUX ctermfg=red cterm=underline
"    hi sdEntryCUX ctermfg=red
"    hi sdEntryIX ctermfg=cyan
"    hi sdEntryM ctermfg=cyan
"    hi sdEntryPX ctermfg=green cterm=underline
"    hi sdEntryCPX ctermfg=green
"    hi sdEntryW ctermfg=yellow
"    hi sdCap ctermfg=lightblue
"    hi sdCapKey cterm=underline ctermfg=lightblue
"    hi def link sdEntryR Normal
"    hi def link sdFlags Normal
"    hi sdCapDanger ctermfg=red
"endif

" Groups that simply reuse the colours of standard Vim highlight groups.
highlight default link sdInclude Include
highlight default link sdComment Comment
highlight default link sdFlagKey TODO
highlight default link sdError   ErrorMsg

" always sync from the start. should be relatively quick since we don't have
" that many rules and profiles shouldn't be _extremely_ large...
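syn sync fromstart

" Capability names recognised inside a 'capability ...,' rule.
"
" Only sys_admin is placed in the sdCapDanger group. Several names in the
" ordinary sdCapKey list (for example sys_module, sys_rawio, sys_ptrace,
" dac_override, setuid) also grant broad privilege, so the absence of the
" danger colour must not be read as "low risk" when reviewing a profile.
" The sdCap match further down accepts any word (\S+) after 'capability', so
" a name missing from these lists is merely left without keyword colouring;
" it is not reported as an error.
syn keyword sdCapKey chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
syn keyword sdCapDanger sys_admin

" Keywords allowed inside flags=(...).
syn keyword sdFlagKey complain audit debug

" highlight some invalid syntax
"syn match sdError /\v.+$/ " causes false positives on '}' :-(
syn match sdError /{/ contained
syn match sdError /}/
" highlight all non-valid lines as error (every later, more specific match
" overrides this catch-all)
syn match sdError /^.*$/

" Globbing in paths: ?, *, {a,b} alternation, [...] character classes and
" @{VARIABLE} references.
" Fixed: the character-class alternative used to read '[[^\]]\+\]', which in
" very-magic mode is a one-character collection followed by a literal '+' and
" a literal ']', so classes such as [abc] were never highlighted.
syn match sdGlob /\v\?|\*|\{.*,.*\}|\[[^\]]+\]|\@\{[a-zA-Z]*\}/

syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryCPX,sdEntryUX,sdEntryCUX,sdEntryM,sdCap

" ---------------------------------------------------------------------------
" File rules. The ORDER of the following matches is significant: when several
" items match at the same position Vim uses the one defined last, so the
" broad, high-risk patterns come first and the narrower ones override them.
" A rule therefore keeps the write+exec colour only when no narrower group
" (exec-only, write-only, read-only) also matches it.
"
" NOTE(review): under \v the trailing '\@=' looks like an optional literal
" '@' rather than the '@=' look-ahead; if so, a trailing '# comment' is
" consumed by the rule match instead of being left for sdComment -- confirm.
" ---------------------------------------------------------------------------

" write + exec/mmap - danger! (a path that is both writable and executable)
syn match sdEntryWriteExec /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|w|m|[iuUpP]x)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" ux - the target runs unconfined, i.e. without any AppArmor profile
" (sdEntryUX: darkred, underlined)
syn match sdEntryUX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|ux)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
" Ux - like ux + clean environment (sdEntryCUX: darkred)
syn match sdEntryCUX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|Ux)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" px - the target runs under its own profile
" (sdEntryPX: darkgreen, underlined)
syn match sdEntryPX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|px)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
" Px - like px + clean environment (sdEntryCPX: darkgreen)
syn match sdEntryCPX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|Px)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" ix - the target inherits the current profile (sdEntryIX: darkcyan)
syn match sdEntryIX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|ix)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" mmap with PROT_EXEC (sdEntryM: darkcyan)
syn match sdEntryM /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" if we've got u, p or i without x, it's an error
syn match sdError /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|w|u|p|i)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" write entry (sdEntryW: darkyellow)
syn match sdEntryW /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|w)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude

" Capability line
syn match sdCap /\v^\s*capability\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger nextgroup=@sdEntry,sdComment,sdError,sdInclude

" read entry, no highlighting
syn match sdEntryR /\v^\s*(\/|\@\{\S*\})\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError

" Profile and hat headers: '/path [flags=(...)] {' and '  ^hat [flags=(...)] {'.
syn match sdProfileName /\v^\/\S+\s+(flags\=\(\S+\)\s+)=\{/ contains=sdProfileStart,sdHatName,sdFlags
syn match sdProfileStart /{/ contained
" (not 'contained')
syn match sdProfileEnd /}/
syn match sdHatName /\v^\s+\^\S+\s+(flags\=\(\S+\)\s+)=\{/ contains=sdProfileStart,sdFlags
syn match sdHatStart /{/ contained
syn match sdHatEnd /}/ contained
syn match sdFlags /\vflags\=\(\S+\)/ contained contains=sdFlagKey
syn match sdComment /\s*#.*$/
syn match sdInclude /\s*#include.*$/

" basic profile block...
" \s+ does not work in end=, therefore using \s\s*
" Fixed: the start pattern of the profile region used to be the hat pattern
" ('^\s*\^\S+ ...'), so a regular '/path {' header never opened the region
" and the contained Hat region could not start inside a profile. It now uses
" the same header pattern as sdProfileName.
syn region Normal start=/\v^\/\S+\s+(flags\=\(\S+\)\s+)=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
syn region Hat start=/\v^\s+\^\S+\s+(flags\=\(\S+\)\s+)=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contained contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude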