From 4cd39e70a0883c4088303d8f2db7bb5bb5af4a49 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 25 May 2024 13:48:00 +0200
Subject: [PATCH] apparmor.vim: add support for userns and the unconfined flag

---
 utils/vim/apparmor.vim.in | 6 +++++-
 utils/vim/create-apparmor.vim.py | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/utils/vim/apparmor.vim.in b/utils/vim/apparmor.vim.in
index 9acc183e1..8276fe3e6 100644
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
@@ -60,6 +60,7 @@ syntax case match
 hi sdCapKey cterm=underline ctermfg=lightblue
 hi sdCapDanger ctermfg=darkred
 hi sdRLimit ctermfg=lightblue
+ hi sdUserns ctermfg=darkred
 hi def link sdEntryR Normal
 hi def link sdEntryK Normal
 hi def link sdFlags Normal
@@ -116,7 +117,7 @@ syn match sdAlias /\v^\s*alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ conta
 " List of all (supported) rules inside a profile.
 " XXX When adding support for a new rule type, also add it here. XXX
 " XXX Otherwise it will be highlighted as an error. XXX
-syn cluster sdEntry contains=sdAll,sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile
+syn cluster sdEntry contains=sdAll,sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile,sdUserns
 " TODO: support audit and deny keywords for all rules (not only for files)
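Review bot: `hi sdUserns ctermfg=darkred` gives the new group the same colour as sdCapDanger, so every userns rule reads as a dangerous grant, although the match added in the `@@ -166,6 +167,9 @@` hunk accepts the rule with any `@@auditdeny@@` prefix and therefore colours a `deny userns,` line identically to a plain `userns,` line. If the red is meant to draw attention to rules that actually allow user namespace creation, a comment beside the highlight such as `" userns rules allow unprivileged user namespace creation; highlighted like sdCapDanger` would record the intent, and a second match for the deny form linked to Normal would keep the warning colour meaningful. This is a style point only; the highlighting works as written.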
@@ -166,6 +167,9 @@ syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hou
 syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
+" userns
+syn match sdUserns /\v^\s*@@auditdeny@@userns(\s+create)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+
 " link rules
 syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 2c63e0ea0..b514942f0 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -77,6 +77,7 @@ for af_pair in af_pairs:
 aa_network_types = r'\s+tcp|\s+udp|\s+icmp'
 aa_flags = ('complain',
+ 'unconfined',
 'audit',
 'attach_disconnected',
 'no_attach_disconnected',
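Review bot: `'unconfined'` is added to aa_flags with no note that this flag puts the whole profile into unconfined mode, so a header carrying `flags=(unconfined)` now highlights exactly like `complain` or `audit` through sdFlags, which the first hunk of apparmor.vim.in leaves linked to Normal. The generator presumably expands aa_flags into the accepted-flag alternation for profile headers (inferred; the use site is outside this hunk), which makes the entry easy to overlook when reading a profile. A comment on the new line, `'unconfined',  # disables confinement for the profile; consider a warning highlight instead of Normal`, or a dedicated highlight group in the spirit of sdCapDanger, would make the mode visible to reviewers. The aa_flags tuple continues past the end of the hunk.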