diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -15,256 +15,256 @@
${BOOL} = true
# Alias
-alias /usr/ -> /mnt/usr/,
+alias /usr/ -> /mnt/usr/,
# Profile for /usr/bin/foo
-profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
+profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
include if exists
include #include
- /some/file mr, #include /bin/true Px,
+ /some/file mr, #include /bin/true Px,
# File rules
- /{,**/} r,
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/** rw,
- audit deny owner /**/* mx,
- /**.[tT][xX][tT] r, # txt
+ /{,**/} r,
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt
- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
- string,hello}/a[^ a]a/**" r,
+ string,hello}/a[^ a]a/**" r,
- allow file /etc/nsswitch.conf r,
- allow /etc/fstab r,
- deny /etc/xdg/{autostart,systemd}/** r,
- deny /boot/** rwlkmx,
+ allow file /etc/nsswitch.conf r,
+ allow /etc/fstab r,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,
- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
- @{FOO_LIB}/{@{multiarch},64}/** mr,
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,
- /usr/bin/foo ixr,
- /usr/bin/dolphin pUx,
- /usr/bin/* Pixr,
- /usr/bin/khelpcenter Cx -> sanitized_helper,
+ /usr/bin/foo ixr,
+ /usr/bin/dolphin pUx,
+ /usr/bin/* Pixr,
+ /usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
- hello_world,
+ hello_world,
# Dbus rules
- dbus (send) #No-Comment
+ dbus (send) #No-Comment
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
- peer=(name=org.freedesktop.NetworkManager label=unconfined),
- dbus (send receive)
+ peer=(name=org.freedesktop.NetworkManager label=unconfined),
+ dbus (send receive)
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={Introspect,state}
- peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
- dbus (send)
+ peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
- member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
- dbus (bind)
+ member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ dbus (bind)
bus=system
- name=org.bluez,
+ name=org.bluez,
# Signal rules
- signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
- signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
+ signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
+ signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
# Link rules (two ways)
- l /foo1 -> /bar,
- link /foo2 -> bar,
- link /foo3 to bar,
- link subset /link* -> /**,
+ l /foo1 -> /bar,
+ link /foo2 -> bar,
+ link /foo3 to bar,
+ link subset /link* -> /**,
# Network rules
- network inet6 tcp,
- network netlink dgram,
- network bluetooth,
- network unspec dgram,
+ network inet6 tcp,
+ network netlink dgram,
+ network bluetooth,
+ network unspec dgram,
# Capability rules
- capability dac_override,
- capability sys_admin,
- capability sys_chroot,
+ capability dac_override,
+ capability sys_admin,
+ capability sys_chroot,
# Mount rules
- mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
- mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
- umount /home/*/helloworld/,
+ mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,
# Pivot Root rules
- pivot_root oldroot=/mnt/root/old/ /mnt/root/,
- pivot_root /mnt/root/,
+ pivot_root oldroot=/mnt/root/old/ /mnt/root/,
+ pivot_root /mnt/root/,
# Ptrace rules
- ptrace (trace) peer=unconfined,
- ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
+ ptrace (trace) peer=unconfined,
+ ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
# Unix rules
- unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
- unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
- unix peer=(label=@{profile_name},addr=@helloworld),
+ unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
+ unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
+ unix peer=(label=@{profile_name},addr=@helloworld),
# Rlimit rule
- set rlimit data <= 100M,
- set rlimit nproc <= 10,
- set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit data <= 100M,
+ set rlimit nproc <= 10,
+ set rlimit memlock <= 2GB,
+ set rlimit rss <= infinity,
# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash ->
- new_profile//hat,
- }
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile /bin/bash ->
+ new_profile//hat,
+ }
# Hat
- ^foo-helper\/ {
- network unix stream,
- unix stream,
+ ^foo-helper\/ {
+ network unix stream,
+ unix stream,
- /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
+ /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
# Text after a variable is highlighted as path
- file /my/path r,
- @{FOO_LIB}file r,
- @{FOO_LIB}#my/path r, #Comment
- @{FOO_LIB}ñ* r,
- unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
- }
-}
+ file /my/path r,
+ @{FOO_LIB}file r,
+ @{FOO_LIB}#my/path r, #Comment
+ @{FOO_LIB}ñ* r,
+ unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
+ }
+}
# Syntax Error
-/usr/bin/error (complain, audit) {
- file #include /hello r,
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
# Error: Variable open or with characters not allowed
- @{var
- @{sdf&s}
+ @{var
+ @{sdf&s}
# Error: Open brackets
- /{hello{ab,cd}world kr,
- /{abc{abc kr,
- /[abc kr,
- /(abc kr,
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
# Error: Empty brackets
- /hello[]hello{}hello()he kr,
+ /hello[]hello{}hello()he kr,
# Comments not allowed
- dbus (send) #No comment
+ dbus (send) #No comment
path=/org/hello
#No comment
interface=org.hello #No comment
peer=(name=org.hello #No comment
- label=unconfined), #Comment
+ label=unconfined), #Comment
@{VARIABLE} = val1 val2 val3 #No comment
# Error: Open rule
/home/*/file rw
- capability dac_override
- deny file /etc/fstab w
- audit network ieee802154,
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
- dbus (receive
- unix stream,
- unix stream,
-}
+ dbus (receive
+ unix stream,
+ unix stream,
+}
-profile other_tests {
+profile other_tests {
# set rlimit
- set rlimit nice <= 3,
- rlimit nice <= 3, # Without "set"
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
set #comment
- rlimit
- nice <= 3,
+ rlimit
+ nice <= 3,
# "remount" keyword
- mount remount
- remount,
- remount remount
- remount,
- dbus remount
- remount,
- unix remount
- remount,
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
# "unix" keyword
- network unix
- unix,
- ptrace unix
- unix,
- unix unix
- unix,
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
/hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
- /hello/lib/foo rrwrwwrwrw,
- /hello/lib/foo ixixix,
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
# Incompatible exec permissions
ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
# Test valid permissions
- r w a k l m l x ix ux Ux px Px cx Cx ,
- pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
- rwklmx raklmx,
- r rw rwk rwkl rwklm,
- rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
- rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
- rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
# Profile name
- profile holas { ... }
- profile { ... }
- profile /path { ... }
- profile holas/abc { ... }
- profile holas\/abc { ... }
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
profile
- #holas { ... }
+ #holas { ... }
- profile flags=(complain)#asd { ... }
- profile flags flags=(complain) { ... }
- profile flags(complain) { ... }
-}
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -185,7 +185,7 @@
interface=org.hello #No comment
peer=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+ @{VARIABLE} = val1 val2 val3 #No comment
# Error: Open rule
/home/*/file rw
@@ -224,21 +224,21 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test
--- a/autotests/input/usr.bin.apparmor-profile-test
+++ b/autotests/input/usr.bin.apparmor-profile-test
@@ -218,21 +218,21 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
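Review bot: The Version 8 changelog entry in data/syntax/apparmor.xml says alias rules are no longer highlighted inside profiles, but this input hunk only adds trailing `# profile` / `# path` labels to the transition rules and no case that exercises that change. The regenerated html and ref hunks do show the in-profile `@{VARIABLE} = val1 val2 val3` line changing, so the variable-assignment half appears covered; the only `alias` line visible in this diff is the top-level `alias /usr/ -> /mnt/usr/,` in the fold reference. Consider adding a line such as `alias /usr/ -> /mnt/usr/, # alias inside a profile: not highlighted` to one of the test profiles and regenerating the references, so that a regression which colours a misplaced rule like a valid one is caught. The rest of the input file is outside this hunk, so an existing case may already be present there.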
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -179,7 +179,7 @@
=org.hello #No comment
=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+ @{VARIABLE} = val1 val2 val3 #No comment
# Error: Open rule
/home/*/file rw
@@ -218,21 +218,21 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -16,7 +16,7 @@
==========================================================================================
This file is part of the KDE's KSyntaxHighlighting framework.
- Copyright (c) 2017-2018 Nibaldo González S. (nibgonz@gmail.com)
+ Copyright (c) 2017-2019 Nibaldo González S. (nibgonz@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
@@ -36,1520 +36,1563 @@
==========================================================================================
Last update:
- Syntax highlighting based in AppArmor 2.13.0
+ Syntax highlighting based on AppArmor 2.13.2
For more details about the syntax of AppArmor profiles, visit:
https://gitlab.com/apparmor/apparmor/wikis/Documentation
http://manpages.ubuntu.com/manpages/cosmic/en/man5/apparmor.d.5.html
Change log:
- * Version 7 [15-Sep-2018]:
- - Update itemData's style for the new Solarized color schemes.
- - Fixes in "_end_rule_irnc".
- * Version 6 [24-Jul-2018, by Nibaldo G.]: (AppArmor 2.13.0)
- - Fixes for Include rules, add 'if exists'. Fix escapes & globbing in text quoted.
- - Improvements in paths that start with variables, hats, comments and variable
- assignments and others. Add some abstractions & filesystems.
- * Version 4 [25-Jan-2018, by Nibaldo G.]: (AppArmor 2.12.0)
- - New keywords: network and mount rules, default abstractions, variables and others.
- - Multiple improvements and fixes.
- - Do not allow comments within rules and in variable assignment lines.
- * Version 3 [24-Sep-2017, by Nibaldo G.]:
- - Fix incorrect highlighting of the DBus rule 'name' keyword.
- * Version 2 [29-Aug-2017, by Nibaldo G.]:
- - Improvements in highlighting and bug fixes.
- - Each rule has its own context.
- - The profile name is highlighted in the profile header and profile transition rules.
- * Version 1 [22-Feb-2017, by Nibaldo González]:
- - Initial version. Support for profile syntax of Apparmor 2.11.
+ * Version 8 [02-Apr-2019]: (AppArmor 2.13.2)
+ - Do not highlight variable assignments and alias rules within profiles.
+ - Add keywords of "tunables/share" variables.
+ - Change style of "Other Option" attribute and remove one indentation.
+ * Version 7 [15-Sep-2018]:
+ - Update itemData's style for the new Solarized color schemes.
+ - Fixes in "_end_rule_irnc".
+ * Version 6 [24-Jul-2018, by Nibaldo G.]: (AppArmor 2.13.0)
+ - Fixes for Include rules, add 'if exists'. Fix escapes & globbing in text quoted.
+ - Improvements in paths that start with variables, hats, comments and variable
+ assignments and others. Add some abstractions & filesystems.
+ * Version 4 [25-Jan-2018, by Nibaldo G.]: (AppArmor 2.12.0)
+ - New keywords: network and mount rules, default abstractions, variables and others.
+ - Multiple improvements and fixes.
+ - Do not allow comments within rules and in variable assignment lines.
+ * Version 3 [24-Sep-2017, by Nibaldo G.]:
+ - Fix incorrect highlighting of the DBus rule 'name' keyword.
+ * Version 2 [29-Aug-2017, by Nibaldo G.]:
+ - Improvements in highlighting and bug fixes.
+ - Each rule has its own context.
+ - The profile name is highlighted in the profile header and profile transition rules.
+ * Version 1 [22-Feb-2017, by Nibaldo González]:
+ - Initial version. Support for profile syntax of Apparmor 2.11.
-->
-
-
-
-
- - profile
- - hat
-
-
- - flags
- - xattrs
-
-
- - audit
- - complain
- - enforce
- - mediate_deleted
- - attach_disconnected
- - chroot_relative
- - chroot_attach
- - chroot_no_attach
- - delegate_deleted
- - no_attach_disconnected
- - namespace_relative
-
-
-
-
- - allow
- - deny
-
-
- - owner
-
-
-
- - audit
-
-
-
-
-
-
- - audit_control
- - audit_read
- - audit_write
- - block_suspend
- - chown
- - dac_override
- - dac_read_search
- - fowner
- - fsetid
- - ipc_lock
- - ipc_owner
- - kill
- - lease
- - linux_immutable
- - mac_admin
- - mac_override
- - mknod
- - net_admin
- - net_bind_service
- - net_broadcast
- - net_raw
- - setgid
- - setfcap
- - setpcap
- - setuid
- - sys_admin
- - sys_boot
- - sys_chroot
- - sys_module
- - sys_nice
- - sys_pacct
- - sys_ptrace
- - sys_rawio
- - sys_resource
- - sys_time
- - sys_tty_config
- - syslog
- - wake_alarm
-
+
+
+
+
+ - profile
+ - hat
+
+
+ - flags
+ - xattrs
+
+
+ - audit
+ - complain
+ - enforce
+ - mediate_deleted
+ - attach_disconnected
+ - chroot_relative
+ - chroot_attach
+ - chroot_no_attach
+ - delegate_deleted
+ - no_attach_disconnected
+ - namespace_relative
+
+
+
+
+ - allow
+ - deny
+
+
+ - owner
+
+
+
+ - audit
+
+
+
+
+
+
+ - audit_control
+ - audit_read
+ - audit_write
+ - block_suspend
+ - chown
+ - dac_override
+ - dac_read_search
+ - fowner
+ - fsetid
+ - ipc_lock
+ - ipc_owner
+ - kill
+ - lease
+ - linux_immutable
+ - mac_admin
+ - mac_override
+ - mknod
+ - net_admin
+ - net_bind_service
+ - net_broadcast
+ - net_raw
+ - setgid
+ - setfcap
+ - setpcap
+ - setuid
+ - sys_admin
+ - sys_boot
+ - sys_chroot
+ - sys_module
+ - sys_nice
+ - sys_pacct
+ - sys_ptrace
+ - sys_rawio
+ - sys_resource
+ - sys_time
+ - sys_tty_config
+ - syslog
+ - wake_alarm
+
+
+
+
+
+ - inet
+ - ax25
+ - ipx
+ - appletalk
+ - netrom
+ - bridge
+ - atmpvc
+ - x25
+ - inet6
+ - rose
+ - netbeui
+ - security
+ - key
+ - packet
+ - ash
+ - econet
+ - atmsvc
+ - sna
+ - irda
+ - pppox
+ - wanpipe
+ - bluetooth
+ - netlink
+ - rds
+ - llc
+ - can
+ - tipc
+ - iucv
+ - rxrpc
+ - isdn
+ - phonet
+ - ieee802154
+ - caif
+ - alg
+ - nfc
+ - vsock
+ - mpls
+ - ib
+ - kcm
+ - smc
+
+
+ - stream
+ - dgram
+ - seqpacket
+ - rdm
+ - raw
+
+
+ - tcp
+ - udp
+ - icmp
+
+
+
+ - unix
+
+
+
+
+ - fstype
+ - vfstype
+ - options
+ - option
+
+
+ - r
+ - w
+ - rw
+ - ro
+ - read-only
+ - suid
+ - nosuid
+ - dev
+ - nodev
+ - exec
+ - noexec
+ - sync
+ - async
+ - remount
+ - mand
+ - nomand
+ - dirsync
+ - atime
+ - noatime
+ - diratime
+ - nodiratime
+ - bind
+ - B
+ - move
+ - M
+ - rbind
+ - R
+ - verbose
+ - silent
+ - loud
+ - acl
+ - noacl
+ - unbindable
+ - make-unbindable
+ - runbindable
+ - make-runbindable
+ - private
+ - make-private
+ - rprivate
+ - make-rprivate
+ - slave
+ - make-slave
+ - rslave
+ - make-rslave
+ - shared
+ - make-shared
+ - rshared
+ - make-rshared
+ - relatime
+ - norelatime
+ - iversion
+ - noiversion
+ - strictatime
+ - user
+ - nouser
+
+
+ - ecryptfs
+ - overlayfs
+ - unionfs
+ - shm
+
+ - cryfs
+ - encfs
+ - apparmorfs
+ - autofs
+ - bdev
+ - bpf
+ - cachefs
+ - cgroup
+ - cgroup2
+ - cifs
+ - coherent
+ - configfs
+ - cpuset
+ - cramfs
+ - debugfs
+ - devfs
+ - devpts
+ - devtmpfs
+ - efs
+ - fuse
+ - fuseblk
+ - fusectl
+ - futexfs
+ - hugetlbfs
+ - kernfs
+ - mqueue
+ - pipefs
+ - proc
+ - procfs
+ - pstorefs
+ - pstore
+ - ramfs
+ - romfs
+ - rootfs
+ - sdcardfs
+ - securityfs
+ - selinuxfs
+ - sockfs
+ - specfs
+ - squashfs
+ - swapfs
+ - sysfs
+ - sysv
+ - tmpfs
+ - usbfs
+ - vfat
+ - functionfs
+ - inotifyfs
+ - labeledfs
+ - oemfs
+
+ - adfs
+ - affs
+ - afs
+ - apfs
+ - bfs
+ - btrfs
+ - ceph
+ - coda
+ - exfat
+ - ext2
+ - ext3
+ - ext4
+ - f2fs
+ - fatx
+ - gfs
+ - hfs
+ - hfsplus
+ - hpfs
+ - ifs
+ - iso9660
+ - jffs2
+ - jffs
+ - jfs
+ - lvm2
+ - minix
+ - msdos
+ - ncpfs
+ - nilfs
+ - nilfs2
+ - nfs
+ - nfs4
+ - ntfs-3g
+ - ntfs
+ - ocfs
+ - qnx4
+ - qnx6
+ - reiser4
+ - reiserfs
+ - smbfs
+ - swap
+ - tracefs
+ - ubifs
+ - udf
+ - ufs
+ - umsdos
+ - urefs
+ - xenix
+ - yaffs2
+ - yaffs
+ - xfs
+ - zfs
+
+
+
+
+
+ - oldroot
+
+
+
+
+ - peer
+
+
+
+ - readby
+ - trace
+ - tracedby
+
+
+
+
+ - set
+ - peer
+
+
+
+ - bus
+ - hup
+ - int
+ - quit
+ - ill
+ - trap
+ - abrt
+ - fpe
+ - kill
+ - usr1
+ - segv
+ - usr2
+ - pipe
+ - alrm
+ - term
+ - stkflt
+ - chld
+ - cont
+ - stop
+ - stp
+ - ttin
+ - ttou
+ - urg
+ - xcpu
+ - xfsz
+ - vtalrm
+ - prof
+ - winch
+ - io
+ - pwr
+ - sys
+ - emt
+ - exists
+
+
+
+ - send
+ - receive
+
+
+
+
+ - peer
+ - bus
+ - path
+ - interface
+ - member
+ - name
+
+
+ - name
+ - label
+
+
+
+ - send
+ - receive
+ - bind
+ - eavesdrop
+
+
+ - system
+ - session
+
+
+
+
+ - peer
+ - set
+ - label
+ - type
+ - protocol
+ - addr
+ - attr
+ - opt
+
+
+
+ - send
+ - receive
+ - bind
+ - create
+ - listen
+ - accept
+ - connect
+ - shutdown
+ - getattr
+ - setattr
+ - getopt
+ - setopt
+
+
+
+
+ - cpu
+ - fsize
+ - data
+ - stack
+ - core
+ - rss
+ - nofile
+ - ofile
+ - as
+ - nproc
+ - memlock
+ - locks
+ - sigpending
+ - msgqueue
+ - nice
+ - rtprio
+ - rttime
+
+
+
+
+ - subset
+
+
+
+
+ - safe
+ - unsafe
+
+
+
+
+ - if
+ - exists
+
+
+
+
+ - rw
+ - r
+ - w
+ - read
+ - write
+
+
+
+
+ - profile_name
+
+ - HOME
+ - HOMEDIRS
+ - multiarch
+ - pid
+ - pids
+ - PROC
+ - securityfs
+ - apparmorfs
+ - sys
+ - tid
+ - XDG_DESKTOP_DIR
+ - XDG_DOWNLOAD_DIR
+ - XDG_TEMPLATES_DIR
+ - XDG_PUBLICSHARE_DIR
+ - XDG_DOCUMENTS_DIR
+ - XDG_MUSIC_DIR
+ - XDG_PICTURES_DIR
+ - XDG_VIDEOS_DIR
+ - flatpak_exports_root
+ - system_share_dirs
+ - user_share_dirs
+
+
+ - abstractions/
+ - apache2-common
+ - aspell
+ - audio
+ - authentication
+ - base
+ - bash
+ - consoles
+ - cups-client
+ - dbus
+ - dbus-accessibility
+ - dbus-accessibility-strict
+ - dbus-session
+ - dbus-session-strict
+ - dbus-strict
+ - dconf
+ - dovecot-common
+ - dri-common
+ - dri-enumerate
+ - enchant
+ - fcitx
+ - fcitx-strict
+ - fonts
+ - freedesktop.org
+ - gnome
+ - gnupg
+ - ibus
+ - kde-icon-cache-write
+ - kde-globals-write
+ - kde-language-write
+ - kde
+ - kerberosclient
+ - launchpad-integration
+ - ldapclient
+ - libpam-systemd
+ - likewise
+ - mdns
+ - mesa
+ - mir
+ - mozc
+ - mysql
+ - nameservice
+ - nis
+ - nvidia
+ - opencl
+ - opencl-common
+ - opencl-intel
+ - opencl-mesa
+ - opencl-nvidia
+ - opencl-pocl
+ - openssl
+ - orbit2
+ - p11-kit
+ - perl
+ - php
+ - php5
+ - postfix-common
+ - private-files
+ - private-files-strict
+ - python
+ - qt5-compose-cache-write
+ - qt5-settings-write
+ - qt5
+ - recent-documents-write
+ - ruby
+ - samba
+ - smbpass
+ - ssl_certs
+ - ssl_keys
+ - svn-repositories
+ - ubuntu-bittorrent-clients
+ - ubuntu-browsers
+ - ubuntu-console-browsers
+ - ubuntu-console-email
+ - ubuntu-email
+ - ubuntu-feed-readers
+ - ubuntu-gnome-terminal
+ - ubuntu-helpers
+ - ubuntu-konsole
+ - ubuntu-media-players
+ - ubuntu-unity7-base
+ - ubuntu-unity7-launcher
+ - ubuntu-unity7-messaging
+ - ubuntu-xterm
+ - user-download
+ - user-mail
+ - user-manpages
+ - user-tmp
+ - user-write
+ - video
+ - vulkan
+ - wayland
+ - web-data
+ - winbind
+ - wutmp
+ - X
+ - xad
+ - xdg-desktop
+
+ - ubuntu-browsers.d/
+ - java
+ - mailto
+ - multimedia
+ - plugins-common
+ - productivity
+ - text-editors
+ - ubuntu-integration
+ - ubuntu-integration-xul
+ - user-files
+
+ - apparmor_api/
+ - change_profile
+ - examine
+ - find_mountpoint
+ - introspect
+ - is_enabled
+
+ - tunables/
+ - alias
+ - apparmorfs
+ - dovecot
+ - global
+ - home
+ - kernelvars
+ - multiarch
+ - ntpd
+ - proc
+ - securityfs
+ - sys
+ - xdg-user-dirs
+ - home.d/
+ - multiarch.d/
+ - xdg-user-dirs.d/
+ - site.local
+
+ - local/
+
+
+
+ - true
+ - false
+
+
+ - unspec
+ - none
+ - unconfined
+
+
+
+
+ - mount
+ - remount
+ - umount
+
+ - alias
+ - file
+ - capability
+ - network
+ - pivot_root
+ - ptrace
+ - signal
+ - dbus
+ - unix
+ - link
+ - change_profile
+ - rlimit
+ - set
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
- - inet
- - ax25
- - ipx
- - appletalk
- - netrom
- - bridge
- - atmpvc
- - x25
- - inet6
- - rose
- - netbeui
- - security
- - key
- - packet
- - ash
- - econet
- - atmsvc
- - sna
- - irda
- - pppox
- - wanpipe
- - bluetooth
- - netlink
- - rds
- - llc
- - can
- - tipc
- - iucv
- - rxrpc
- - isdn
- - phonet
- - ieee802154
- - caif
- - alg
- - nfc
- - vsock
- - mpls
- - ib
- - kcm
- - smc
-
-
- - stream
- - dgram
- - seqpacket
- - rdm
- - raw
-
-
- - tcp
- - udp
- - icmp
-
-
-
- - unix
-
+
+
+
+
+
+
+
+
+
+
+
-
- - fstype
- - vfstype
- - options
- - option
-
-
- - r
- - w
- - rw
- - ro
- - read-only
- - suid
- - nosuid
- - dev
- - nodev
- - exec
- - noexec
- - sync
- - async
- - remount
- - mand
- - nomand
- - dirsync
- - atime
- - noatime
- - diratime
- - nodiratime
- - bind
- - B
- - move
- - M
- - rbind
- - R
- - verbose
- - silent
- - loud
- - acl
- - noacl
- - unbindable
- - make-unbindable
- - runbindable
- - make-runbindable
- - private
- - make-private
- - rprivate
- - make-rprivate
- - slave
- - make-slave
- - rslave
- - make-rslave
- - shared
- - make-shared
- - rshared
- - make-rshared
- - relatime
- - norelatime
- - iversion
- - noiversion
- - strictatime
- - user
- - nouser
-
-
- - ecryptfs
- - overlayfs
- - unionfs
- - shm
-
- - cryfs
- - encfs
- - apparmorfs
- - autofs
- - bdev
- - bpf
- - cachefs
- - cgroup
- - cgroup2
- - cifs
- - coherent
- - configfs
- - cpuset
- - cramfs
- - debugfs
- - devfs
- - devpts
- - devtmpfs
- - efs
- - fuse
- - fuseblk
- - fusectl
- - futexfs
- - hugetlbfs
- - kernfs
- - mqueue
- - pipefs
- - proc
- - procfs
- - pstorefs
- - pstore
- - ramfs
- - romfs
- - rootfs
- - sdcardfs
- - securityfs
- - selinuxfs
- - sockfs
- - specfs
- - squashfs
- - swapfs
- - sysfs
- - sysv
- - tmpfs
- - usbfs
- - vfat
- - functionfs
- - inotifyfs
- - labeledfs
- - oemfs
-
- - adfs
- - affs
- - afs
- - apfs
- - bfs
- - btrfs
- - ceph
- - coda
- - exfat
- - ext2
- - ext3
- - ext4
- - f2fs
- - fatx
- - gfs
- - hfs
- - hfsplus
- - hpfs
- - ifs
- - iso9660
- - jffs2
- - jffs
- - jfs
- - lvm2
- - minix
- - msdos
- - ncpfs
- - nilfs
- - nilfs2
- - nfs
- - nfs4
- - ntfs-3g
- - ntfs
- - ocfs
- - qnx4
- - qnx6
- - reiser4
- - reiserfs
- - smbfs
- - swap
- - tracefs
- - ubifs
- - udf
- - ufs
- - umsdos
- - urefs
- - xenix
- - yaffs2
- - yaffs
- - xfs
- - zfs
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- - oldroot
-
+
+
+
+
-
- - peer
-
-
-
- - readby
- - trace
- - tracedby
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- - set
- - peer
-
-
-
- - bus
- - hup
- - int
- - quit
- - ill
- - trap
- - abrt
- - fpe
- - kill
- - usr1
- - segv
- - usr2
- - pipe
- - alrm
- - term
- - stkflt
- - chld
- - cont
- - stop
- - stp
- - ttin
- - ttou
- - urg
- - xcpu
- - xfsz
- - vtalrm
- - prof
- - winch
- - io
- - pwr
- - sys
- - emt
- - exists
-
-
-
- - send
- - receive
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- - peer
- - bus
- - path
- - interface
- - member
- - name
-
-
- - name
- - label
-
-
-
- - send
- - receive
- - bind
- - eavesdrop
-
-
- - system
- - session
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- - peer
- - set
- - label
- - type
- - protocol
- - addr
- - attr
- - opt
-
-
-
- - send
- - receive
- - bind
- - create
- - listen
- - accept
- - connect
- - shutdown
- - getattr
- - setattr
- - getopt
- - setopt
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- - cpu
- - fsize
- - data
- - stack
- - core
- - rss
- - nofile
- - ofile
- - as
- - nproc
- - memlock
- - locks
- - sigpending
- - msgqueue
- - nice
- - rtprio
- - rttime
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- - subset
-
+
+
+
+
-
- - safe
- - unsafe
-
-
-
- - if
- - exists
-
-
-
-
- - rw
- - r
- - w
- - read
- - write
-
-
-
-
- - profile_name
-
- - HOME
- - HOMEDIRS
- - multiarch
- - pid
- - pids
- - PROC
- - securityfs
- - apparmorfs
- - sys
- - tid
- - XDG_DESKTOP_DIR
- - XDG_DOWNLOAD_DIR
- - XDG_TEMPLATES_DIR
- - XDG_PUBLICSHARE_DIR
- - XDG_DOCUMENTS_DIR
- - XDG_MUSIC_DIR
- - XDG_PICTURES_DIR
- - XDG_VIDEOS_DIR
-
-
- - abstractions/
- - apache2-common
- - aspell
- - audio
- - authentication
- - base
- - bash
- - consoles
- - cups-client
- - dbus
- - dbus-accessibility
- - dbus-accessibility-strict
- - dbus-session
- - dbus-session-strict
- - dbus-strict
- - dconf
- - dovecot-common
- - dri-common
- - dri-enumerate
- - enchant
- - fcitx
- - fcitx-strict
- - fonts
- - freedesktop.org
- - gnome
- - gnupg
- - ibus
- - kde-icon-cache-write
- - kde-globals-write
- - kde-language-write
- - kde
- - kerberosclient
- - launchpad-integration
- - ldapclient
- - libpam-systemd
- - likewise
- - mdns
- - mesa
- - mir
- - mozc
- - mysql
- - nameservice
- - nis
- - nvidia
- - opencl
- - opencl-common
- - opencl-intel
- - opencl-mesa
- - opencl-nvidia
- - opencl-pocl
- - openssl
- - orbit2
- - p11-kit
- - perl
- - php
- - php5
- - postfix-common
- - private-files
- - private-files-strict
- - python
- - qt5-compose-cache-write
- - qt5-settings-write
- - qt5
- - recent-documents-write
- - ruby
- - samba
- - smbpass
- - ssl_certs
- - ssl_keys
- - svn-repositories
- - ubuntu-bittorrent-clients
- - ubuntu-browsers
- - ubuntu-console-browsers
- - ubuntu-console-email
- - ubuntu-email
- - ubuntu-feed-readers
- - ubuntu-gnome-terminal
- - ubuntu-helpers
- - ubuntu-konsole
- - ubuntu-media-players
- - ubuntu-unity7-base
- - ubuntu-unity7-launcher
- - ubuntu-unity7-messaging
- - ubuntu-xterm
- - user-download
- - user-mail
- - user-manpages
- - user-tmp
- - user-write
- - video
- - vulkan
- - wayland
- - web-data
- - winbind
- - wutmp
- - X
- - xad
- - xdg-desktop
-
- - ubuntu-browsers.d/
- - java
- - mailto
- - multimedia
- - plugins-common
- - productivity
- - text-editors
- - ubuntu-integration
- - ubuntu-integration-xul
- - user-files
-
- - apparmor_api/
- - change_profile
- - examine
- - find_mountpoint
- - introspect
- - is_enabled
-
- - tunables/
- - alias
- - apparmorfs
- - dovecot
- - global
- - home
- - kernelvars
- - multiarch
- - ntpd
- - proc
- - securityfs
- - sys
- - xdg-user-dirs
- - home.d/
- - multiarch.d/
- - xdg-user-dirs.d/
- - site.local
-
- - local/
-
-
-
- - true
- - false
-
-
- - unspec
- - none
- - unconfined
-
-
-
-
- - mount
- - remount
- - umount
-
- - alias
- - file
- - capability
- - network
- - pivot_root
- - ptrace
- - signal
- - dbus
- - unix
- - link
- - change_profile
- - rlimit
- - set
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/data/syntax/selinux-cil.xml b/data/syntax/selinux-cil.xml
--- a/data/syntax/selinux-cil.xml
+++ b/data/syntax/selinux-cil.xml
@@ -14,7 +14,7 @@
==========================================================================================
This file is part of the KDE's KSyntaxHighlighting framework.
- Copyright (c) 2018 Nibaldo González S. (nibgonz@gmail.com)
+ Copyright (c) 2018-2019 Nibaldo González S. (nibgonz@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
@@ -41,643 +41,645 @@
https://github.com/SELinuxProject/selinux/tree/master/secilc/docs
Change log:
- * Version 2 [28-Aug-2018]:
- - Implement "selinux.xml": some rules and keywords are moved there. Improve RegExp
- highlighting, add Android permissions and BPF permissions, improve IPv6
- detection and others improvements.
- - Fix permissions list in "ioctl" kind and "call" statements.
- - Add "sctp" protocol keyword and policy capabilities keywords.
- * Version 1 [26-Jan-2018, by Nibaldo González]:
- - Initial version.
+ * Version 3 [02-Apr-2019]: Remove one indentation.
+ * Version 2 [28-Aug-2018]:
+ - Implement "selinux.xml": some rules and keywords are moved there. Improve RegExp
+ highlighting, add Android permissions and BPF permissions, improve IPv6
+ detection and others improvements.
+ - Fix permissions list in "ioctl" kind and "call" statements.
+ - Add "sctp" protocol keyword and policy capabilities keywords.
+ * Version 1 [26-Jan-2018, by Nibaldo González]:
+ - Initial version.
-->
-
-
-
- - and
- - or
- - xor
- - not
- - all
- - eq
- - ne
- - neq
- - dom
- - domby
- - incomp
- - range
-
-
-
-
- - allow
- - auditallow
- - dontaudit
- - neverallow
- - auditdeny
- - allowx
- - auditallowx
- - dontauditx
- - neverallowx
-
-
-
- - true
- - false
-
-
-
- - file
- - dir
- - char
- - block
- - socket
- - pipe
- - symlink
- - any
-
-
- - task
- - trans
- - xattr
-
-
- - tcp
- - udp
- - dccp
- - sctp
-
-
-
- - self
-
-
- - unordered
-
-
- - allow
- - deny
- - reject
-
-
-
- - block
- - optional
- - common
- - class
- - classmap
- - classmapping
- - sid
- - user
- - role
- - roleattribute
- - type
- - classpermission
- - typeattribute
- - typealias
- - tunable
- - sensitivity
- - sensitivityalias
- - category
- - categoryalias
- - categoryset
- - level
- - levelrange
- - context
- - ipaddr
- - macro
- - boolean
-
-
-
- - policycap
- - mls
- - handleunknown
-
-
-
- - blockabstract
- - blockinherit
- - in
- - call
-
-
- - defaultuser
- - defaultrole
- - defaulttype
- - defaultrange
-
-
- - userrole
- - userattribute
- - userattributeset
- - userlevel
- - userrange
- - userbounds
- - userprefix
- - selinuxuser
- - selinuxuserdefault
-
-
- - roletype
- - roleattributeset
- - roleallow
- - roletransition
- - rolebounds
-
-
- - typealiasactual
- - typeattributeset
- - typebounds
- - typechange
- - typemember
- - typetransition
- - typepermissive
- - attributetype
-
- - expandtypeattribute
- - nametypetransition
-
-
- - classcommon
- - classorder
- - permission
- - permissionset
- - classpermissionset
- - permissionx
-
-
- - booleanif
- - tunableif
-
-
- - constrain
- - validatetrans
- - mlsconstrain
- - mlsvalidatetrans
-
-
- - sensitivityaliasactual
- - sensitivityorder
- - categoryaliasactual
- - categoryorder
- - sensitivitycategory
- - rangetransition
- - categoryrange
-
-
-
- - sidorder
- - sidcontext
-
-
- - filecon
- - fsuse
- - genfscon
- - fscon
- - fsusexattr
- - fsusetask
- - fsusetrans
-
-
- - netifcon
- - nodecon
- - portcon
-
-
-
- - iomemcon
- - ioportcon
- - pcidevicecon
- - pirqcon
- - devicetreecon
-
-
- - ibpkeycon
- - ibendportcon
-
-
- - dominance
- - allowxperm
- - auditallowxperm
- - dontauditxperm
- - neverallowxperm
-
-
-
- - string
- - name
- - ioctl
-
-
-
- - source
- - target
- - low
- - high
- - low-high
-
- - perm
- - object_r
- - t1
- - t2
- - t3
- - r1
- - r2
- - r3
- - u1
- - u2
- - u3
- - l1
- - l2
- - h1
- - h2
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+ - and
+ - or
+ - xor
+ - not
+ - all
+ - eq
+ - ne
+ - neq
+ - dom
+ - domby
+ - incomp
+ - range
+
+
+
+
+ - allow
+ - auditallow
+ - dontaudit
+ - neverallow
+ - auditdeny
+ - allowx
+ - auditallowx
+ - dontauditx
+ - neverallowx
+
+
+
+ - true
+ - false
+
+
+
+ - file
+ - dir
+ - char
+ - block
+ - socket
+ - pipe
+ - symlink
+ - any
+
+
+ - task
+ - trans
+ - xattr
+
+
+ - tcp
+ - udp
+ - dccp
+ - sctp
+
+
+
+ - self
+
+
+ - unordered
+
+
+ - allow
+ - deny
+ - reject
+
+
+
+ - block
+ - optional
+ - common
+ - class
+ - classmap
+ - classmapping
+ - sid
+ - user
+ - role
+ - roleattribute
+ - type
+ - classpermission
+ - typeattribute
+ - typealias
+ - tunable
+ - sensitivity
+ - sensitivityalias
+ - category
+ - categoryalias
+ - categoryset
+ - level
+ - levelrange
+ - context
+ - ipaddr
+ - macro
+ - boolean
+
+
+
+ - policycap
+ - mls
+ - handleunknown
+
+
+
+ - blockabstract
+ - blockinherit
+ - in
+ - call
+
+
+ - defaultuser
+ - defaultrole
+ - defaulttype
+ - defaultrange
+
+
+ - userrole
+ - userattribute
+ - userattributeset
+ - userlevel
+ - userrange
+ - userbounds
+ - userprefix
+ - selinuxuser
+ - selinuxuserdefault
+
+
+ - roletype
+ - roleattributeset
+ - roleallow
+ - roletransition
+ - rolebounds
+
+
+ - typealiasactual
+ - typeattributeset
+ - typebounds
+ - typechange
+ - typemember
+ - typetransition
+ - typepermissive
+ - attributetype
+
+ - expandtypeattribute
+ - nametypetransition
+
+
+ - classcommon
+ - classorder
+ - permission
+ - permissionset
+ - classpermissionset
+ - permissionx
+
+
+ - booleanif
+ - tunableif
+
+
+ - constrain
+ - validatetrans
+ - mlsconstrain
+ - mlsvalidatetrans
+
+
+ - sensitivityaliasactual
+ - sensitivityorder
+ - categoryaliasactual
+ - categoryorder
+ - sensitivitycategory
+ - rangetransition
+ - categoryrange
+
+
+
+ - sidorder
+ - sidcontext
+
+
+ - filecon
+ - fsuse
+ - genfscon
+ - fscon
+ - fsusexattr
+ - fsusetask
+ - fsusetrans
+
+
+ - netifcon
+ - nodecon
+ - portcon
+
+
+
+ - iomemcon
+ - ioportcon
+ - pcidevicecon
+ - pirqcon
+ - devicetreecon
+
+
+ - ibpkeycon
+ - ibendportcon
+
+
+ - dominance
+ - allowxperm
+ - auditallowxperm
+ - dontauditxperm
+ - neverallowxperm
+
+
+
+ - string
+ - name
+ - ioctl
+
+
+
+ - source
+ - target
+ - low
+ - high
+ - low-high
+
+ - perm
+ - object_r
+ - t1
+ - t2
+ - t3
+ - r1
+ - r2
+ - r3
+ - u1
+ - u2
+ - u3
+ - l1
+ - l2
+ - h1
+ - h2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/data/syntax/selinux-fc.xml b/data/syntax/selinux-fc.xml
--- a/data/syntax/selinux-fc.xml
+++ b/data/syntax/selinux-fc.xml
@@ -14,7 +14,7 @@
==========================================================================================
This file is part of the KDE's KSyntaxHighlighting framework.
- Copyright (c) 2018 Nibaldo González S. (nibgonz@gmail.com)
+ Copyright (c) 2018-2019 Nibaldo González S. (nibgonz@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
@@ -42,258 +42,259 @@
- Policy Build Files: initial_sid_contexts, genfs_contexts, fs_use
Change log:
- * Version 3 [09-Sep-2018]:
- - Update itemData's style for the new Solarized color schemes.
- * Version 2 [28-Aug-2018]:
- - Some improvements. RegExp and some rules are moved to "selinux.xml".
- - Add statements keywords that use file contexts.
- * Version 1 [26-Jan-2018, by Nibaldo González]:
- - Initial version.
+ * Version 4 [02-Apr-2019]: Remove one indentation.
+ * Version 3 [09-Sep-2018]:
+ - Update itemData's style for the new Solarized color schemes.
+ * Version 2 [28-Aug-2018]:
+ - Some improvements. RegExp and some rules are moved to "selinux.xml".
+ - Add statements keywords that use file contexts.
+ * Version 1 [26-Jan-2018, by Nibaldo González]:
+ - Initial version.
-->
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+