diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -136,7 +136,7 @@
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit rss <= infinity,
# Change Profile rules
change_profile unsafe /** -> [^u/]**,
diff --git a/autotests/reference/test.cil.ref b/autotests/reference/test.cil.ref
--- a/autotests/reference/test.cil.ref
+++ b/autotests/reference/test.cil.ref
@@ -43,13 +43,13 @@
; filecon
(filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
(classcommon file any dir)
(file any dir)
; portcon
-(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
-(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
+(portcon tcp 3333 (unconfined.user object_r unconfined.object levelrange_1))
+(portcon udp 4444 (unconfined.user object_r unconfined.object ((s0) level_2)))
(defaultrole tcp udp)
(tcp udp)
; fsuse
@@ -63,9 +63,9 @@
(allow process httpd.object (file (read write)))
; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
"/data/(open "
"/data/[open "
diff --git a/autotests/reference/test.fc.ref b/autotests/reference/test.fc.ref
--- a/autotests/reference/test.fc.ref
+++ b/autotests/reference/test.fc.ref
@@ -2,46 +2,46 @@
# Syntax of 'file_contexts' file and other SELinux configuration files:
-/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
+/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
/.* system_u:object_r:default_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
/xen(/.*)? system_u:object_r:xen_image_t:s1
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
-/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
+/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
+/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
/tmp/.* <>
/root(/.*)? system_u:object_r:admin_home_t:s0
-/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
-/run/.*\.*pid <>
-/mnt/[^/]*/.* <>
+/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
+/run/.*\.*pid <>
+/mnt/[^/]*/.* <>
/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5
HOME_DIR/.+ system_u:object_r:user_home_t:s0
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
-HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
+HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
-/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
-/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
+/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
+/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
+/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
/dev/shm/.* <>
-/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
+/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
/sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0
-/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
-/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
+/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
+/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
# Syntax of *.fc files, from the SELinux reference policy:
/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0,c0)
-/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
-HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
@@ -53,7 +53,7 @@
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`init_systemd',`
- /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+ /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
')
# Tests
@@ -67,11 +67,11 @@
/hello(world
/hello[wo
-/path[^0-8]+
-/path(hello|bye)
+/path[^0-8]+
+/path(hello|bye)
/path.*a+b?
-/path\wa\Wa\sa\da\ba\Ba\(a
-/usr/hi\"esc\sesc\032esc\*3esds
+/path\wa\Wa\sa\da\ba\Ba\(a
+/usr/hi\"esc\sesc\032esc\*3esds
# Security contexts
user:role
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -5,59 +5,59 @@
include
# Variable assignment
-@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop
@{USER_DIR} += @{HOME}/Hello
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected, enforce) {
+/usr/bin/foo (attach_disconnected, enforce) {
include
include
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
- /{,**/} r,# Read only directories
+ /{,**/} r,# Read only directories
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/** rw,
- audit deny owner /**/* mx,
- /**.[tT][xX][tT] r, # txt
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt
- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/foo/{,**} rwk,
- owner @{HOME}/.config/* rw,
- owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
- owner @{HOME}/.cache/foo/{,**} rwk,
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/foo/{,**} rwk,
+ owner @{HOME}/.config/* rw,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+ owner @{HOME}/.cache/foo/{,**} rwk,
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
- "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
+ "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
/etc/udev/udev.conf r,
- /etc/xdg/** r,
+ /etc/xdg/** r,
/etc/xdg/Trolltech.conf k,
- deny /etc/xdg/{autostart,systemd}/** r,
- deny /boot/** rwlkmx,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,
- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
/usr/bin/foo ixr,
/usr/bin/dolphin PUx,
- /usr/bin/* Pixr,
+ /usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld Cxr ->
hello_world,
- /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
- @{FOO_LIB}/{,**} mr,
+ /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
+ @{FOO_LIB}/{,**} mr,
- audit deny /dev/{audio,video}* rwlkmx,
+ audit deny /dev/{audio,video}* rwlkmx,
# Dbus rules
dbus (send)
@@ -69,12 +69,12 @@
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.NetworkManager
- ={Introspect,state}
- =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ ={Introspect,state}
+ =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
=session
- =/org/gnome/GConf/Database/*
- ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ =/org/gnome/GConf/Database/*
+ ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
=system
=org.bluez,
@@ -84,17 +84,17 @@
signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,
# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
# Link rules (two ways)
l /foo1 -> /bar,
link /foo2 -> bar,
link /foo3 to bar,
- link subset /link* -> /**,
+ link subset /link* -> /**,
# Network rules
network inet6 tcp, #Allow access to tcp only for inet6 addresses
@@ -108,10 +108,10 @@
capability sys_chroot,
# Mount rules
- mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount in (rw, bind) / -> /run/hellowordd/*.mnt,
- mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
- umount /home/*/helloworld/,
+ mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,
# Pivot Root rules
pivot_root =/mnt/root/old/ /mnt/root/,
@@ -122,36 +122,36 @@
ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,
# Unix rules
- unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
+ unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
unix (send,receive) =(stream) =0 =(addr=none),
unix =(label=@{profile_name},addr=@helloworld),
# Rlimit rule
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit rss <= infinity,
# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile,
# Alias
alias /usr/ -> /mnt/usr/,
- }
+ }
# Hat
- ^foo-helper {
+ ^foo-helper {
network unix stream,
unix stream,
- /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
+ /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
# Text after a variable is highlighted as path
file /my/path r,
@{FOO_LIB}file r,
@{FOO_LIB}#my/path r, #Comment
- }
-}
+ }
+}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -1,10 +1,14 @@
-
-
-
+
+
+
+
+
+
+
]>
- flags
+ - xattrs
- audit
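Review bot: The `xattrs` keyword added next to `flags` has no matching case in the reference profile as far as this diff shows; the updated usr.bin.apparmor-profile-test.ref hunks only exercise the `(attach_disconnected, enforce)` header form. Because xattrs conditions take part in deciding which profile attaches to a binary, anyone auditing a profile by its highlighting benefits from a regression case, so consider adding a header such as `profile xattrs_test /usr/bin/bar xattrs=(user.tag="sample") {` (constructed sample) to the test input and regenerating the references. The keyword list this hunk edits begins and ends outside the visible lines and the test file is only partly shown, so this may already be covered elsewhere.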
@@ -99,7 +105,7 @@
- audit
-
+
@@ -562,6 +573,8 @@
- dbus-strict
- dconf
- dovecot-common
+ - dri-common
+ - dri-enumerate
- enchant
- fcitx
- fcitx-strict
@@ -670,6 +683,9 @@
- True
- False
+
+ - infinity
+
- unspec
- none
@@ -717,15 +733,15 @@
-
+
+
-
-
-
+
+
-
-
+
+
@@ -749,10 +765,9 @@
+
-
-
@@ -762,16 +777,24 @@
-
-
+
+
+
+
+
+
+
+
+
+
@@ -801,18 +824,19 @@
-
-
+
+
+
+
+
-
+
-
-
+
-
@@ -822,100 +846,111 @@
+
+
+
+
+
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
-
-
-
+
-
-
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
+
+
-
+
@@ -927,10 +962,19 @@
-
+
+
+
+
+
+
+
+
+
+
@@ -1054,9 +1098,9 @@
-
+
-
+
@@ -1106,38 +1150,40 @@
-
-
-
+
+
+
-
+
+
+
-
+
-
-
+
+
+
+
-
-
-
-
-
-
+
+
+
+
@@ -1148,6 +1194,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1167,46 +1225,47 @@
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
-
-
-
+
-
+
+
+
-
-
-
@@ -1221,18 +1280,19 @@
-
+
-
-
+
+
-
+
+
@@ -1242,56 +1302,42 @@
-
+
-
-
+
+
-
+
-
+
-
-
+
+
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
@@ -1308,47 +1354,47 @@
-
-
+
+
-
+
-
-
+
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
-
+
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
diff --git a/data/syntax/selinux-cil.xml b/data/syntax/selinux-cil.xml
--- a/data/syntax/selinux-cil.xml
+++ b/data/syntax/selinux-cil.xml
@@ -3,7 +3,7 @@
[
-
+
]>
nfs
- nfs4
- ntfs-3g
+ - ntfs
- qnx4
- qnx6
- reiser4
@@ -659,39 +662,41 @@
-
-
+
-
-
+
+
+
-
+
+
-
+
+
@@ -768,6 +773,7 @@
+
@@ -871,54 +877,63 @@
-
+
-
+
-
-
-
+
+
+
+
+
-
+
-
+
-
+
+
+
+
-
+
+
-
+
+
+
+
@@ -943,23 +958,25 @@
-
+
+
-
+
+
-
-
-
-
-
-
+
+
+
+
+
+
diff --git a/data/syntax/selinux-fc.xml b/data/syntax/selinux-fc.xml
--- a/data/syntax/selinux-fc.xml
+++ b/data/syntax/selinux-fc.xml
@@ -28,12 +28,14 @@
==========================================================================================
Change log:
+ * Version 2 [15-Mar-2018, by Nibaldo G.]:
+ - Small optimizations. Improvements in paths & PCRE Regex highlighting.
* Version 1 [26-Jan-2018, by Nibaldo González]:
- Initial version.
-->
-
-
-
-
+
-
+
-
-
+
-
+
+
+
+
+
-
+
-
-
-
+
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
+
@@ -136,54 +139,62 @@
-
-
-
+
+
+
+
-
-
-
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
+
+
+
-
+
-
-
+
+
-
+
-
+
+
+
+
@@ -203,12 +214,12 @@
-
-
-
-
-
-
+
+
+
+
+
+