
apparmor.vim: add support for userns and the unconfined flag

This commit is contained in:
Christian Boltz 2024-05-25 13:48:00 +02:00
parent 38dfa14c60
commit 4cd39e70a0
No known key found for this signature in database
GPG Key ID: C6A682EA63C82F1C
2 changed files with 6 additions and 1 deletions


@ -60,6 +60,7 @@ syntax case match
hi sdCapKey cterm=underline ctermfg=lightblue hi sdCapKey cterm=underline ctermfg=lightblue
hi sdCapDanger ctermfg=darkred hi sdCapDanger ctermfg=darkred
hi sdRLimit ctermfg=lightblue hi sdRLimit ctermfg=lightblue
hi sdUserns ctermfg=darkred
hi def link sdEntryR Normal hi def link sdEntryR Normal
hi def link sdEntryK Normal hi def link sdEntryK Normal
hi def link sdFlags Normal hi def link sdFlags Normal
@ -116,7 +117,7 @@ syn match sdAlias /\v^\s*alias\s+@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ conta
" List of all (supported) rules inside a profile. " List of all (supported) rules inside a profile.
" XXX When adding support for a new rule type, also add it here. XXX " XXX When adding support for a new rule type, also add it here. XXX
" XXX Otherwise it will be highlighted as an error. XXX " XXX Otherwise it will be highlighted as an error. XXX
syn cluster sdEntry contains=sdAll,sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile syn cluster sdEntry contains=sdAll,sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile,sdUserns
" TODO: support audit and deny keywords for all rules (not only for files) " TODO: support audit and deny keywords for all rules (not only for files)
@ -166,6 +167,9 @@ syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hou
syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+rttime\s+\<\=\s+[0-9]+(ms|seconds|minutes)?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|rttime|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
" userns
syn match sdUserns /\v^\s*@@auditdeny@@userns(\s+create)?@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" link rules " link rules
syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob,sdComment
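Review bot: `hi sdUserns ctermfg=darkred` in the first hunk gives userns rules the same colour as sdCapDanger, but nothing on the page records why this rule type is treated as dangerous; a one-line comment beside it, `" userns rules are shown in the danger colour: unprivileged user namespaces widen the kernel attack surface`, would preserve the intent for the next maintainer. In the third hunk the new `sdUserns` match carries `contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude`, whereas the neighbouring sdRLimit lines use only `contains=sdComment`; if the nextgroup list is not required for this rule the match could be trimmed to `contains=sdComment` for uniformity, and if it is required a short comment explaining the difference would help. The cluster update in the second hunk follows the XXX note above it, so the new group should not fall through to sdError.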


@ -77,6 +77,7 @@ for af_pair in af_pairs:
aa_network_types = r'\s+tcp|\s+udp|\s+icmp' aa_network_types = r'\s+tcp|\s+udp|\s+icmp'
aa_flags = ('complain', aa_flags = ('complain',
'unconfined',
'audit', 'audit',
'attach_disconnected', 'attach_disconnected',
'no_attach_disconnected', 'no_attach_disconnected',