Index: vim71/runtime/filetype.vim
===================================================================
--- vim71.orig/runtime/filetype.vim
+++ vim71/runtime/filetype.vim
@@ -110,6 +110,10 @@ au BufNewFile,BufRead proftpd.conf* cal
 au BufNewFile,BufRead .htaccess setf apache
 au BufNewFile,BufRead httpd.conf*,srm.conf*,access.conf*,apache.conf*,apache2.conf*,/etc/apache2/*.conf* call s:StarSetf('apache')
+" AppArmor
+au BufNewFile,BufRead */etc/apparmor.d/* setf apparmor
+au BufNewFile,BufRead */etc/apparmor/profiles/* setf apparmor
+
 " XA65 MOS6510 cross assembler
 au BufNewFile,BufRead *.a65 setf a65
Index: vim71/runtime/syntax/apparmor.vim
===================================================================
--- /dev/null
+++ vim71/runtime/syntax/apparmor.vim
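Review bot: The two added autocommands end in a bare `*` but call `setf apparmor` directly, unlike the `httpd.conf*,…` line just above them, which goes through `call s:StarSetf('apache')`. As far as I know that helper exists so that star patterns skip names matching `g:ft_ignore_pat`, so editing a backup or compressed copy under these directories does not get the filetype forced on it. For consistency I would write `au BufNewFile,BufRead */etc/apparmor.d/* call s:StarSetf('apparmor')` and the same for `*/etc/apparmor/profiles/*`. It is also worth checking whether these belong with the other trailing-star patterns later in filetype.vim, which is outside this hunk.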
@@ -0,0 +1,170 @@
+" $Id$
+"
+" ----------------------------------------------------------------------
+" Copyright (c) 2005 Novell, Inc. All Rights Reserved.
+" Copyright (c) 2006 Christian Boltz. All Rights Reserved.
+"
+" This program is free software; you can redistribute it and/or
+" modify it under the terms of version 2 of the GNU General Public
+" License as published by the Free Software Foundation.
+"
+" This program is distributed in the hope that it will be useful,
+" but WITHOUT ANY WARRANTY; without even the implied warranty of
+" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+" GNU General Public License for more details.
+"
+" You should have received a copy of the GNU General Public License
+" along with this program; if not, contact Novell, Inc.
+"
+" To contact Novell about this file by physical or electronic mail,
+" you may find current contact information at www.novell.com.
+"
+" To contact Christian Boltz about this file by physical or electronic
+" mail, you may find current contact information at www.cboltz.de.
+" ----------------------------------------------------------------------
+"
+" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc
+" to have vim automagically use this syntax file for these directories:
+"
+" autocmd BufNewFile,BufRead /etc/apparmor.d/* set syntax=apparmor
+" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor
+
+
+" color setup...
+
+" adjust colors according to the background
+
+" switching colors depending on the background color doesn't work
+" unfortunately, so we use colors that work with light and dark background.
+" Patches welcome ;-)
+
+"if &background == "light"
+" light background
+ hi sdProfileName ctermfg=lightblue
+ hi sdHatName ctermfg=darkblue
+ hi sdGlob ctermfg=darkmagenta
+ hi sdEntryWriteExec ctermfg=black ctermbg=yellow
+ hi sdEntryUX ctermfg=darkred cterm=underline
+ hi sdEntryCUX ctermfg=darkred
+ hi sdEntryIX ctermfg=darkcyan
+ hi sdEntryM ctermfg=darkcyan
+ hi sdEntryPX ctermfg=darkgreen cterm=underline
+ hi sdEntryCPX ctermfg=darkgreen
+ hi sdEntryW ctermfg=darkyellow
+ hi sdCap ctermfg=lightblue
+ hi sdNetwork ctermfg=lightblue
+ hi sdNetworkDanger ctermfg=darkred
+ hi sdCapKey cterm=underline ctermfg=lightblue
+ hi sdCapDanger ctermfg=darkred
+ hi def link sdEntryR Normal
+ hi def link sdEntryK Normal
+ hi def link sdFlags Normal
+ hi sdEntryChangeProfile ctermfg=darkgreen cterm=underline
+"else
+" dark background
+" hi sdProfileName ctermfg=white
+" hi sdHatName ctermfg=white
+" hi sdGlob ctermfg=magenta
+" hi sdEntryWriteExec ctermfg=black ctermbg=yellow
+" hi sdEntryUX ctermfg=red cterm=underline
+" hi sdEntryCUX ctermfg=red
+" hi sdEntryIX ctermfg=cyan
+" hi sdEntryM ctermfg=cyan
+" hi sdEntryPX ctermfg=green cterm=underline
+" hi sdEntryCPX ctermfg=green
+" hi sdEntryW ctermfg=yellow
+" hi sdCap ctermfg=lightblue
+" hi sdCapKey cterm=underline ctermfg=lightblue
+" hi def link sdEntryR Normal
+" hi def link sdFlags Normal
+" hi sdCapDanger ctermfg=red
+"endif
+
+hi def link sdInclude Include
+high def link sdComment Comment
+high def link sdFlagKey TODO
+high def link sdError ErrorMsg
+
+
+" always sync from the start. should be relatively quick since we don't have
+" that many rules and profiles shouldn't be _extremely_ large...
+ syn sync fromstart
+
+syn keyword sdFlagKey complain audit debug
+
+" highlight some invalid syntax
+"syn match sdError /\v.+$/ " causes false positives on '}' :-(
+syn match sdError /{/ contained
+syn match sdError /}/
+syn match sdError /^.*$/ "highlight all non-valid lines as error
+
+syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z]*\}/
+
+syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryCPX,sdEntryUX,sdEntryCUX,sdEntryM,sdCap
+
+
+" Capability line
+syn keyword sdCapKey chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
+syn keyword sdCapDanger sys_admin
+
+syn match sdCap /\v^\s*capability\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" Network line
+" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
+syn keyword sdNetworkDanger raw
+syn match sdNetwork /\v^\s*network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(stream|dgram|seqpacket|raw|rdm|packet))?(\s+(tcp|udp|icmp))?,(\s*$|(\s*#.*$)\@=)/ contains=sdNetworkDanger nextgroup=@sdEntry,sdComment,sdError,sdInclude
+"syn match sdNetworkDanger /\v^\s*network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(raw))?(\s+(tcp|udp|icmp))?,(\s*$|(\s*#.*$)\@=)/
+
+syn match sdEntryChangeProfile /\v^\s*change_profile\s+(\/|\@\{\S*\})\S*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" file permissions
+"
+" write + exec/mmap - danger!
+" known bug: accepts 'aw' to keep things simple
+syn match sdEntryWriteExec /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|w|a|m|k|[iuUpP]x)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" ux(mr) - unconstrained entry, flag the line red
+syn match sdEntryUX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|k|ux)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" Ux(mr) - like ux + clean environment
+syn match sdEntryCUX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|k|Ux)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" px(mr) - standard exec entry, flag the line blue
+syn match sdEntryPX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|k|px)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" Px(mr) - like px + clean environment
+syn match sdEntryCPX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|k|Px)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" ix(mr) - standard exec entry, flag the line green
+syn match sdEntryIX /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|k|ix)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" mr - mmap with PROT_EXEC
+syn match sdEntryM /\v^\s*(\/|\@\{\S*\})\S*\s+(r|m|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" if we've got u or i without x, it's an error
+syn match sdError /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|w|k|u|p|i)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" write + append is an error also
+syn match sdError /\v^\s*(\/|\@\{\S*\})\S*\s+([lrkupi]*w[lrkupi]*a[lrkupi]*|[lrkupi]*a[lrkupi]*w[lrkupi]*)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" write entry, flag the line yellow
+syn match sdEntryW /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|w|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+" append entry, flag the line yellow
+syn match sdEntryW /\v^\s*(\/|\@\{\S*\})\S*\s+(l|r|k|a)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
+" read entry + locking, currently no highlighting
+syn match sdEntryK /\v^\s*(\/|\@\{\S*\})\S*\s+[rlk]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError
+" read entry, no highlighting
+syn match sdEntryR /\v^\s*(\/|\@\{\S*\})\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob nextgroup=@sdEntry,sdComment,sdError
+
+syn match sdProfileName /\v^\/\S+\s+(flags\=\(\S+\)\s+)=\{/ contains=sdProfileStart,sdHatName,sdFlags
+syn match sdProfileStart /{/ contained
+syn match sdProfileEnd /}/ " contained
+syn match sdHatName /\v^\s+\^\S+\s+(flags\=\(\S+\)\s+)=\{/ contains=sdProfileStart,sdFlags
+syn match sdHatStart /{/ contained
+syn match sdHatEnd /}/ contained
+syn match sdFlags /\vflags\=\(\S+\)/ contained contains=sdFlagKey
+
+syn match sdComment /\s*#.*$/
+syn match sdInclude /\s*#include.*$/
+
+" basic profile block...
+" \s+ does not work in end=, therefore using \s\s*
+syn region Normal start=/\v^\s*\^\S+\s+(flags\=\(\S+\)\s+)=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
+syn region Hat start=/\v^\s+\^\S+\s+(flags\=\(\S+\)\s+)=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contained contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
+
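Review bot: The danger highlighting is narrower than someone auditing a profile would expect: `sdCapDanger` holds only `sys_admin`, while `sys_module`, `sys_rawio`, `sys_ptrace`, `dac_override` and `setuid` sit in `sdCapKey` and render exactly like `lease`. I would move the capabilities broad enough to undermine the confinement into the danger group, e.g. `syn keyword sdCapDanger sys_admin sys_module sys_rawio sys_ptrace dac_override dac_read_search setuid setgid mknod`, and drop those names from `sdCapKey`. Separately, every colour is set with `ctermfg`/`ctermbg` only and without `def`, so the `ux`, write+exec and `raw` warnings get no colour in the GUI and overwrite any user setting for these groups; `hi def sdEntryUX ctermfg=darkred cterm=underline guifg=darkred gui=underline` is the shape I would use. The file also never tests or sets `b:current_syntax`, which the usual syntax-file convention expects (`let b:current_syntax = "apparmor"` at the end). Finally, the "basic profile block" region starts on `^\s*\^\S+`, which looks like a hat pattern rather than the `^\/\S+` used by `sdProfileName`; worth confirming that is intended.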