diff --git a/autotests/folding/usr.bin.apparmor-profile-test.fold b/autotests/folding/usr.bin.apparmor-profile-test.fold
--- a/autotests/folding/usr.bin.apparmor-profile-test.fold
+++ b/autotests/folding/usr.bin.apparmor-profile-test.fold
@@ -15,256 +15,256 @@
${BOOL} = true
# Alias
-alias /usr/ -> /mnt/usr/,
+alias /usr/ -> /mnt/usr/,
# Profile for /usr/bin/foo
-profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
+profile foo /usr/bin/foo flags=(attach_disconnected enforce) {
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
include if exists
include #include
- /some/file mr, #include /bin/true Px,
+ /some/file mr, #include /bin/true Px,
# File rules
- /{,**/} r,
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/** rw,
- audit deny owner /**/* mx,
- /**.[tT][xX][tT] r, # txt
+ /{,**/} r,
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt
- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
"/var/lib/{spaces in
- string,hello}/a[^ a]a/**" r,
+ string,hello}/a[^ a]a/**" r,
- allow file /etc/nsswitch.conf r,
- allow /etc/fstab r,
- deny /etc/xdg/{autostart,systemd}/** r,
- deny /boot/** rwlkmx,
+ allow file /etc/nsswitch.conf r,
+ allow /etc/fstab r,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,
- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
- @{FOO_LIB}/{@{multiarch},64}/** mr,
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
+ @{FOO_LIB}/{@{multiarch},64}/** mr,
- /usr/bin/foo ixr,
- /usr/bin/dolphin pUx,
- /usr/bin/* Pixr,
- /usr/bin/khelpcenter Cx -> sanitized_helper,
+ /usr/bin/foo ixr,
+ /usr/bin/dolphin pUx,
+ /usr/bin/* Pixr,
+ /usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld cxr ->
- hello_world,
+ hello_world,
# Dbus rules
- dbus (send) #No-Comment
+ dbus (send) #No-Comment
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Introspectable
- peer=(name=org.freedesktop.NetworkManager label=unconfined),
- dbus (send receive)
+ peer=(name=org.freedesktop.NetworkManager label=unconfined),
+ dbus (send receive)
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member={Introspect,state}
- peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
- dbus (send)
+ peer=(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ dbus (send)
bus=session
path=/org/gnome/GConf/Database/*
- member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
- dbus (bind)
+ member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ dbus (bind)
bus=system
- name=org.bluez,
+ name=org.bluez,
# Signal rules
- signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
- signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
+ signal (send) set=(term) peer="/usr/lib/hello/world// foo helper",
+ signal (send, receive) set=(int exists rtmin+8) peer=/usr/lib/hello/world//foo-helper,
# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
# Link rules (two ways)
- l /foo1 -> /bar,
- link /foo2 -> bar,
- link /foo3 to bar,
- link subset /link* -> /**,
+ l /foo1 -> /bar,
+ link /foo2 -> bar,
+ link /foo3 to bar,
+ link subset /link* -> /**,
# Network rules
- network inet6 tcp,
- network netlink dgram,
- network bluetooth,
- network unspec dgram,
+ network inet6 tcp,
+ network netlink dgram,
+ network bluetooth,
+ network unspec dgram,
# Capability rules
- capability dac_override,
- capability sys_admin,
- capability sys_chroot,
+ capability dac_override,
+ capability sys_admin,
+ capability sys_chroot,
# Mount rules
- mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
- mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
- umount /home/*/helloworld/,
+ mount options=(rw bind remount nodev noexec) vfstype=ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount options in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount option=read-only fstype=btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,
# Pivot Root rules
- pivot_root oldroot=/mnt/root/old/ /mnt/root/,
- pivot_root /mnt/root/,
+ pivot_root oldroot=/mnt/root/old/ /mnt/root/,
+ pivot_root /mnt/root/,
# Ptrace rules
- ptrace (trace) peer=unconfined,
- ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
+ ptrace (trace) peer=unconfined,
+ ptrace (read, trace, tracedby) peer=/usr/lib/hello/helloword,
# Unix rules
- unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
- unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
- unix peer=(label=@{profile_name},addr=@helloworld),
+ unix (connect receive send) type=(stream) peer=(addr=@/tmp/ibus/dbus-*,label=unconfined),
+ unix (send,receive) type=(stream) protocol=0 peer=(addr=none),
+ unix peer=(label=@{profile_name},addr=@helloworld),
# Rlimit rule
- set rlimit data <= 100M,
- set rlimit nproc <= 10,
- set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit data <= 100M,
+ set rlimit nproc <= 10,
+ set rlimit memlock <= 2GB,
+ set rlimit rss <= infinity,
# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
- change_profile /bin/bash ->
- new_profile//hat,
- }
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile /bin/bash ->
+ new_profile//hat,
+ }
# Hat
- ^foo-helper\/ {
- network unix stream,
- unix stream,
+ ^foo-helper\/ {
+ network unix stream,
+ unix stream,
- /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
+ /usr/hi\"esc\x23esc\032es\477esc\*es\{esc\ rw r, # Escape expressions
# Text after a variable is highlighted as path
- file /my/path r,
- @{FOO_LIB}file r,
- @{FOO_LIB}#my/path r, #Comment
- @{FOO_LIB}ñ* r,
- unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
- }
-}
+ file /my/path r,
+ @{FOO_LIB}file r,
+ @{FOO_LIB}#my/path r, #Comment
+ @{FOO_LIB}ñ* r,
+ unix (/path\t{aa}*,*a @{var}*path,* @{var},*),
+ }
+}
# Syntax Error
-/usr/bin/error (complain, audit) {
- file #include /hello r,
+/usr/bin/error (complain, audit) {
+ file #include /hello r,
# Error: Variable open or with characters not allowed
- @{var
- @{sdf&s}
+ @{var
+ @{sdf&s}
# Error: Open brackets
- /{hello{ab,cd}world kr,
- /{abc{abc kr,
- /[abc kr,
- /(abc kr,
+ /{hello{ab,cd}world kr,
+ /{abc{abc kr,
+ /[abc kr,
+ /(abc kr,
# Error: Empty brackets
- /hello[]hello{}hello()he kr,
+ /hello[]hello{}hello()he kr,
# Comments not allowed
- dbus (send) #No comment
+ dbus (send) #No comment
path=/org/hello
#No comment
interface=org.hello #No comment
peer=(name=org.hello #No comment
- label=unconfined), #Comment
+ label=unconfined), #Comment
@{VARIABLE} = val1 val2 val3 #No comment
# Error: Open rule
/home/*/file rw
- capability dac_override
- deny file /etc/fstab w
- audit network ieee802154,
+ capability dac_override
+ deny file /etc/fstab w
+ audit network ieee802154,
- dbus (receive
- unix stream,
- unix stream,
-}
+ dbus (receive
+ unix stream,
+ unix stream,
+}
-profile other_tests {
+profile other_tests {
# set rlimit
- set rlimit nice <= 3,
- rlimit nice <= 3, # Without "set"
+ set rlimit nice <= 3,
+ rlimit nice <= 3, # Without "set"
set #comment
- rlimit
- nice <= 3,
+ rlimit
+ nice <= 3,
# "remount" keyword
- mount remount
- remount,
- remount remount
- remount,
- dbus remount
- remount,
- unix remount
- remount,
+ mount remount
+ remount,
+ remount remount
+ remount,
+ dbus remount
+ remount,
+ unix remount
+ remount,
# "unix" keyword
- network unix
- unix,
- ptrace unix
- unix,
- unix unix
- unix,
+ network unix
+ unix,
+ ptrace unix
+ unix,
+ unix unix
+ unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
/hello/lib/foo rwmaix, # w & a incompatible
/hello/lib/foo kalmw,
/hello/lib/foo wa,
# OK
- /hello/lib/foo rrwrwwrwrw,
- /hello/lib/foo ixixix,
+ /hello/lib/foo rrwrwwrwrw,
+ /hello/lib/foo ixixix,
# Incompatible exec permissions
ixixux, uxuxUxux, ixixixPixix, ixixpx uxuxuxPuxux, UxUxcUxUx,
pixpixcixix, cxcxcxix, pixpixpux pixpixix xxix xxpux ixixx puxpuxx,
Cuxcux Pixpix, puxpUx puxPUx xxpix xxcx,
# Test valid permissions
- r w a k l m l x ix ux Ux px Px cx Cx ,
- pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
- rwklmx raklmx,
- r rw rwk rwkl rwklm,
- rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
- rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
- rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
+ r w a k l m l x ix ux Ux px Px cx Cx ,
+ pix Pix cix Cix pux Pux cux Cux pUx PUx cUx CUx,
+ rwklmx raklmx,
+ r rw rwk rwkl rwklm,
+ rwlmix rwlmUx rwlmPx rwlmcx rwlmPUx,
+ rwixixixkl rwUxUxUxkl rwuxuxuxk rwpxpxpxk rwPxPxkl rwcxcxlm rwCxCxk,
+ rwpixpixk rwPixPixkl wrpuxpuxk rwpUxpUxk rwcixcixcixml rwCixCixk rwCuxCuxk rwCUxCUxl,
# Profile name
- profile holas { ... }
- profile { ... }
- profile /path { ... }
- profile holas/abc { ... }
- profile holas\/abc { ... }
+ profile holas { ... }
+ profile { ... }
+ profile /path { ... }
+ profile holas/abc { ... }
+ profile holas\/abc { ... }
profile
- #holas { ... }
+ #holas { ... }
- profile flags=(complain)#asd { ... }
- profile flags flags=(complain) { ... }
- profile flags(complain) { ... }
-}
+ profile flags=(complain)#asd { ... }
+ profile flags flags=(complain) { ... }
+ profile flags(complain) { ... }
+}
diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -185,7 +185,7 @@
interface=org.hello #No comment
peer=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+ @{VARIABLE} = val1 val2 val3 #No comment
# Error: Open rule
/home/*/file rw
@@ -224,21 +224,21 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
diff --git a/autotests/input/usr.bin.apparmor-profile-test b/autotests/input/usr.bin.apparmor-profile-test
--- a/autotests/input/usr.bin.apparmor-profile-test
+++ b/autotests/input/usr.bin.apparmor-profile-test
@@ -218,21 +218,21 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
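Review bot: The new trailing labels record the expected classification of each transition target but not the reason, and some are not obvious from the rule text: `ab[hello/path,` is labelled `# profile` although it contains a `/`, and `holas//hello/sa,` is `# path` while `df///dd//hat,` is `# path + hat`. The name after `->` is what a policy reader uses to see which profile the executed program ends up under, so the fixture should say which rule the highlighter is applying. For the open-bracket lines that could be `# profile (unclosed "[", so "/" is not a separator)`, if that is indeed the reason. Any wording change has to be regenerated into the .fold, .html and .ref files, which carry the same lines. The enclosing `profile other_tests` block starts and ends outside this hunk.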
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -179,7 +179,7 @@
=org.hello #No comment
=(name=org.hello #No comment
label=unconfined), #Comment
- @{VARIABLE} = val1 val2 val3 #No comment
+ @{VARIABLE} = val1 val2 val3 #No comment
# Error: Open rule
/home/*/file rw
@@ -218,21 +218,21 @@
unix,
# Transition rules
- /usr/bin/foo cx -> hello*,
- /usr/bin/foo Cx -> path/,
- /usr/bin/foo cx -> ab[ad/]hello,
- /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path,
- /usr/bin/foo Cx -> ab[hello/path,
-
- /usr/bin/foo cx -> "hello*",
- /usr/bin/foo Cx -> "path/",
- /usr/bin/foo cx -> "ab[ad/]hello",
- /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path",
- /usr/bin/foo Cx -> "ab[hello/path",
-
- /usr/bin/foo cx -> holas//hello/sa,
- /usr/bin/foo cx -> df///dd//hat,
- /usr/bin/foo cx -> holas,#sd\323fsdf,
+ /usr/bin/foo cx -> hello*, # profile
+ /usr/bin/foo Cx -> path/, # path
+ /usr/bin/foo cx -> ab[ad/]hello, # profile
+ /usr/bin/foo Cx -> ab[cd/]a[ad/]hello/path, # path
+ /usr/bin/foo Cx -> ab[hello/path, # profile
+
+ /usr/bin/foo cx -> "hello*", # profile
+ /usr/bin/foo Cx -> "path/", # path
+ /usr/bin/foo cx -> "ab[ad/]hello", # profile
+ /usr/bin/foo Cx -> "ab[cd/]a[ad/]hello/path", # path
+ /usr/bin/foo Cx -> "ab[hello/path", # profile
+
+ /usr/bin/foo cx -> holas//hello/sa, # path
+ /usr/bin/foo cx -> df///dd//hat, # path + hat
+ /usr/bin/foo cx -> holas,#sd\323fsdf, # profile
# Access modes
/hello/lib/foo rwklms, # s invalid
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -36,12 +36,16 @@
==========================================================================================
Last update:
- Syntax highlighting based in AppArmor 2.13.0
+ Syntax highlighting based on AppArmor 2.13.2
For more details about the syntax of AppArmor profiles, visit:
https://gitlab.com/apparmor/apparmor/wikis/Documentation
http://manpages.ubuntu.com/manpages/cosmic/en/man5/apparmor.d.5.html
Change log:
+ * Version 8 [02-Apr-2019]: (AppArmor 2.13.2)
+ - Do not highlight variable assignments and alias rules within profiles.
+ - Add keywords of "tunables/share" variables.
+ - Change style of "Other Option" attribute and remove one indentation.
* Version 7 [15-Sep-2018]:
- Update itemData's style for the new Solarized color schemes.
- Fixes in "_end_rule_irnc".
@@ -64,7 +68,7 @@
-->
unsafe
+
- if
- exists
@@ -581,6 +586,9 @@
- XDG_MUSIC_DIR
- XDG_PICTURES_DIR
- XDG_VIDEOS_DIR
+ - flatpak_exports_root
+ - system_share_dirs
+ - user_share_dirs
- abstractions/
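Review bot: As far as the visible hunks show, no fixture line exercises the three names added here (`flatpak_exports_root`, `system_share_dirs`, `user_share_dirs`); the only hunk in autotests/input/usr.bin.apparmor-profile-test changes transition-rule comments. A rule in the test profile that uses one of them, for example `@{system_share_dirs}/** r,` (constructed sample), with the reference files regenerated, would pin that these are highlighted as known variables. Without it a typo in this keyword list would go unnoticed. The list these items belong to opens and closes outside the hunk.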
@@ -737,7 +745,7 @@
has a different context and for a correct delimitation of the words.
- The content of a rule is found in the contexts "_default_rule"
and "_default_rule_with_comments".
- - When adding a new rule, add it also in "_end_rule_irnc". -->
+ - When adding a new rule, add it also in "_end_rule_irnc"! -->
- mount
- remount
@@ -762,50 +770,65 @@
-
-
-
-
-
-
-
-
+
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
+
+
+
+
-
@@ -818,6 +841,7 @@
+
@@ -837,9 +861,10 @@
+
-
+
@@ -966,6 +991,21 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1198,7 +1238,7 @@
+ Highlight the profile name in File Rules (Execute Mode) and Change Profile Rules. -->
@@ -1258,7 +1298,8 @@
-
+
@@ -1301,7 +1342,6 @@
-
@@ -1315,6 +1355,8 @@
('unix' is also a domain of the network rule; 'remount' is also a flag of the mount rule). -->
+
+
@@ -1324,7 +1366,6 @@
-
@@ -1337,6 +1378,8 @@
+
+
@@ -1511,7 +1554,7 @@
-
+
diff --git a/data/syntax/selinux-cil.xml b/data/syntax/selinux-cil.xml
--- a/data/syntax/selinux-cil.xml
+++ b/data/syntax/selinux-cil.xml
@@ -14,7 +14,7 @@
==========================================================================================
This file is part of the KDE's KSyntaxHighlighting framework.
- Copyright (c) 2018 Nibaldo González S. (nibgonz@gmail.com)
+ Copyright (c) 2018-2019 Nibaldo González S. (nibgonz@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
@@ -41,643 +41,645 @@
https://github.com/SELinuxProject/selinux/tree/master/secilc/docs
Change log:
- * Version 2 [28-Aug-2018]:
- - Implement "selinux.xml": some rules and keywords are moved there. Improve RegExp
- highlighting, add Android permissions and BPF permissions, improve IPv6
- detection and others improvements.
- - Fix permissions list in "ioctl" kind and "call" statements.
- - Add "sctp" protocol keyword and policy capabilities keywords.
- * Version 1 [26-Jan-2018, by Nibaldo González]:
- - Initial version.
+ * Version 3 [02-Apr-2019]: Remove one indentation.
+ * Version 2 [28-Aug-2018]:
+ - Implement "selinux.xml": some rules and keywords are moved there. Improve RegExp
+ highlighting, add Android permissions and BPF permissions, improve IPv6
+ detection and others improvements.
+ - Fix permissions list in "ioctl" kind and "call" statements.
+ - Add "sctp" protocol keyword and policy capabilities keywords.
+ * Version 1 [26-Jan-2018, by Nibaldo González]:
+ - Initial version.
-->
-
-
-
- - and
- - or
- - xor
- - not
- - all
- - eq
- - ne
- - neq
- - dom
- - domby
- - incomp
- - range
-
-
-
-
- - allow
- - auditallow
- - dontaudit
- - neverallow
- - auditdeny
- - allowx
- - auditallowx
- - dontauditx
- - neverallowx
-
-
-
- - true
- - false
-
-
-
- - file
- - dir
- - char
- - block
- - socket
- - pipe
- - symlink
- - any
-
-
- - task
- - trans
- - xattr
-
-
- - tcp
- - udp
- - dccp
- - sctp
-
-
-
- - self
-
-
- - unordered
-
-
- - allow
- - deny
- - reject
-
-
-
- - block
- - optional
- - common
- - class
- - classmap
- - classmapping
- - sid
- - user
- - role
- - roleattribute
- - type
- - classpermission
- - typeattribute
- - typealias
- - tunable
- - sensitivity
- - sensitivityalias
- - category
- - categoryalias
- - categoryset
- - level
- - levelrange
- - context
- - ipaddr
- - macro
- - boolean
-
-
-
- - policycap
- - mls
- - handleunknown
-
-
-
- - blockabstract
- - blockinherit
- - in
- - call
-
-
- - defaultuser
- - defaultrole
- - defaulttype
- - defaultrange
-
-
- - userrole
- - userattribute
- - userattributeset
- - userlevel
- - userrange
- - userbounds
- - userprefix
- - selinuxuser
- - selinuxuserdefault
-
-
- - roletype
- - roleattributeset
- - roleallow
- - roletransition
- - rolebounds
-
-
- - typealiasactual
- - typeattributeset
- - typebounds
- - typechange
- - typemember
- - typetransition
- - typepermissive
- - attributetype
-
- - expandtypeattribute
- - nametypetransition
-
-
- - classcommon
- - classorder
- - permission
- - permissionset
- - classpermissionset
- - permissionx
-
-
- - booleanif
- - tunableif
-
-
- - constrain
- - validatetrans
- - mlsconstrain
- - mlsvalidatetrans
-
-
- - sensitivityaliasactual
- - sensitivityorder
- - categoryaliasactual
- - categoryorder
- - sensitivitycategory
- - rangetransition
- - categoryrange
-
-
-
- - sidorder
- - sidcontext
-
-
- - filecon
- - fsuse
- - genfscon
- - fscon
- - fsusexattr
- - fsusetask
- - fsusetrans
-
-
- - netifcon
- - nodecon
- - portcon
-
-
-
- - iomemcon
- - ioportcon
- - pcidevicecon
- - pirqcon
- - devicetreecon
-
-
- - ibpkeycon
- - ibendportcon
-
-
- - dominance
- - allowxperm
- - auditallowxperm
- - dontauditxperm
- - neverallowxperm
-
-
-
- - string
- - name
- - ioctl
-
-
-
- - source
- - target
- - low
- - high
- - low-high
-
- - perm
- - object_r
- - t1
- - t2
- - t3
- - r1
- - r2
- - r3
- - u1
- - u2
- - u3
- - l1
- - l2
- - h1
- - h2
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+ - and
+ - or
+ - xor
+ - not
+ - all
+ - eq
+ - ne
+ - neq
+ - dom
+ - domby
+ - incomp
+ - range
+
+
+
+
+ - allow
+ - auditallow
+ - dontaudit
+ - neverallow
+ - auditdeny
+ - allowx
+ - auditallowx
+ - dontauditx
+ - neverallowx
+
+
+
+ - true
+ - false
+
+
+
+ - file
+ - dir
+ - char
+ - block
+ - socket
+ - pipe
+ - symlink
+ - any
+
+
+ - task
+ - trans
+ - xattr
+
+
+ - tcp
+ - udp
+ - dccp
+ - sctp
+
+
+
+ - self
+
+
+ - unordered
+
+
+ - allow
+ - deny
+ - reject
+
+
+
+ - block
+ - optional
+ - common
+ - class
+ - classmap
+ - classmapping
+ - sid
+ - user
+ - role
+ - roleattribute
+ - type
+ - classpermission
+ - typeattribute
+ - typealias
+ - tunable
+ - sensitivity
+ - sensitivityalias
+ - category
+ - categoryalias
+ - categoryset
+ - level
+ - levelrange
+ - context
+ - ipaddr
+ - macro
+ - boolean
+
+
+
+ - policycap
+ - mls
+ - handleunknown
+
+
+
+ - blockabstract
+ - blockinherit
+ - in
+ - call
+
+
+ - defaultuser
+ - defaultrole
+ - defaulttype
+ - defaultrange
+
+
+ - userrole
+ - userattribute
+ - userattributeset
+ - userlevel
+ - userrange
+ - userbounds
+ - userprefix
+ - selinuxuser
+ - selinuxuserdefault
+
+
+ - roletype
+ - roleattributeset
+ - roleallow
+ - roletransition
+ - rolebounds
+
+
+ - typealiasactual
+ - typeattributeset
+ - typebounds
+ - typechange
+ - typemember
+ - typetransition
+ - typepermissive
+ - attributetype
+
+ - expandtypeattribute
+ - nametypetransition
+
+
+ - classcommon
+ - classorder
+ - permission
+ - permissionset
+ - classpermissionset
+ - permissionx
+
+
+ - booleanif
+ - tunableif
+
+
+ - constrain
+ - validatetrans
+ - mlsconstrain
+ - mlsvalidatetrans
+
+
+ - sensitivityaliasactual
+ - sensitivityorder
+ - categoryaliasactual
+ - categoryorder
+ - sensitivitycategory
+ - rangetransition
+ - categoryrange
+
+
+
+ - sidorder
+ - sidcontext
+
+
+ - filecon
+ - fsuse
+ - genfscon
+ - fscon
+ - fsusexattr
+ - fsusetask
+ - fsusetrans
+
+
+ - netifcon
+ - nodecon
+ - portcon
+
+
+
+ - iomemcon
+ - ioportcon
+ - pcidevicecon
+ - pirqcon
+ - devicetreecon
+
+
+ - ibpkeycon
+ - ibendportcon
+
+
+ - dominance
+ - allowxperm
+ - auditallowxperm
+ - dontauditxperm
+ - neverallowxperm
+
+
+
+ - string
+ - name
+ - ioctl
+
+
+
+ - source
+ - target
+ - low
+ - high
+ - low-high
+
+ - perm
+ - object_r
+ - t1
+ - t2
+ - t3
+ - r1
+ - r2
+ - r3
+ - u1
+ - u2
+ - u3
+ - l1
+ - l2
+ - h1
+ - h2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/data/syntax/selinux-fc.xml b/data/syntax/selinux-fc.xml
--- a/data/syntax/selinux-fc.xml
+++ b/data/syntax/selinux-fc.xml
@@ -14,7 +14,7 @@
==========================================================================================
This file is part of the KDE's KSyntaxHighlighting framework.
- Copyright (c) 2018 Nibaldo González S. (nibgonz@gmail.com)
+ Copyright (c) 2018-2019 Nibaldo González S. (nibgonz@gmail.com)
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
@@ -42,258 +42,259 @@
- Policy Build Files: initial_sid_contexts, genfs_contexts, fs_use
Change log:
- * Version 3 [09-Sep-2018]:
- - Update itemData's style for the new Solarized color schemes.
- * Version 2 [28-Aug-2018]:
- - Some improvements. RegExp and some rules are moved to "selinux.xml".
- - Add statements keywords that use file contexts.
- * Version 1 [26-Jan-2018, by Nibaldo González]:
- - Initial version.
+ * Version 4 [02-Apr-2019]: Remove one indentation.
+ * Version 3 [09-Sep-2018]:
+ - Update itemData's style for the new Solarized color schemes.
+ * Version 2 [28-Aug-2018]:
+ - Some improvements. RegExp and some rules are moved to "selinux.xml".
+ - Add statements keywords that use file contexts.
+ * Version 1 [26-Jan-2018, by Nibaldo González]:
+ - Initial version.
-->
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+