mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00
Code Issues Releases Wiki Activity

utils: fix apparmor.vim rlimits support

Browse Source 
The rlimits syntax checking support in apparmor.vim was broken in
various unhelpful ways:

  - lacked support for the 'infinity' keyword (aka RLIM_INFINITY)
  - lacked support for the 'ofile' rlimit, an alias for the nofile
    rlimit
  - lacked support for the 'cpu' rlimit (aka RLIMIT_CPU)
  - incorrect syntax for nofile|nproc|rtprio rlimits (didn't include
    required '<=' between the limit name and value)
  - incorrect syntax for specifying optional SI units for size based
    rlimits (e.g. 'MB' is required, but syntax only allowed incorrect
    'M'; that said, one could argue the parser is overly strict here,
    and the pattern should be '[KMG]B?')

(See the setrelimit(2) man page for more details on the specifics of the
rlimit definitions.)

This patch fixes the above issues.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This commit is contained in:
Steve Beattie
2014-01-17 11:14:27 -08:00
parent f9d1005b9d
commit cb7e717a7e
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
utils/vim/apparmor.vim.in
View File

@@ -155,10 +155,12 @@ syn match sdEntryChangeProfile /\v^\s*change_profile\s+-\>\s+\S+@@EOL@@/ co
" TODO: audit and deny support will be added (JJ, 2011-01-11)
"
"syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|ofile|nproc|rtprio)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment
syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
" link rules
syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob