[apparmor] [PATCH 07/13] Make expressing all capabilities easier
Christian Boltz
apparmor at cboltz.de
Wed Feb 15 11:01:42 UTC 2012
Hello,
On Tuesday, 14 February 2012, John Johansen wrote:
> Allow the capability rule to be bare to represent all capabilities
> similar to how network, and other rule types work.
>
> capability,
I hope not too many people use this ;-) but nevertheless here's the
patch to update apparmor.vim to support it. Using just "capability" will
be marked in the "dangerous capability" color.
Additionally, the patch removes the (already commented out) code for
"set capability".
=== modified file 'utils/vim/apparmor.vim.in'
--- utils/vim/apparmor.vim.in 2011-08-21 21:49:25 +0000
+++ utils/vim/apparmor.vim.in 2012-02-15 10:57:41 +0000
@@ -135,9 +135,8 @@
" full line. Keywords are from sdCapKey + sdCapDanger
syn match sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" set capability was removed - TODO: remove everywhere in apparmor.vim
-" syn match sdSetCap /\v^\s*set\s+capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
+" all capabilities ('capability' without any keyword)
+syn match sdCapDanger /\v^\s*@@auditdeny@@capability@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" Network line
" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
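Review bot: the added sdCapDanger match also spans the @@auditdeny@@ prefix, so if that placeholder expands to an optional audit/deny qualifier, as its name suggests, a "deny capability," line is shown in the dangerous-capability colour even though it removes all capabilities rather than granting them. Consider limiting the danger highlight to the non-deny form, or giving the bare rule its own group name instead of reusing sdCapDanger, which the sdCap line above already lists in contains= for keyword highlighting. Separately, the deleted TODO said "remove everywhere in apparmor.vim"; only the commented-out sdSetCap line is visibly removed here, so any remaining sdSetCap references should be checked before the reminder goes away.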
Regards,
Christian Boltz
--
as everyone knows, Debian over ISDN is the slowest known method
of committing suicide ("suicide by erosion")
[http://blog.koehntopp.de/archives/113-Debian-ist-doch-schlecht..html]
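An added example, not part of the original message or of AppArmor's own tools: a small Python check that finds the bare "capability," rule described above in profile text, so that profiles granting every capability can be picked out for review. The function name and the sample profile are constructed for illustration, and only the optional "audit" and "deny" qualifiers are modelled.

```python
import re

# Optional "audit"/"deny" qualifiers, then "capability", an optional
# keyword list, and the terminating comma (AppArmor rule syntax).
# Assumption: no other qualifiers are modelled here.
CAP_RULE = re.compile(
    r"^\s*(?P<audit>audit\s+)?(?P<deny>deny\s+)?capability"
    r"(?P<caps>(?:\s+[a-z_]+)*)\s*,\s*(?:#.*)?$"
)


def find_bare_capability_rules(profile_text):
    """Return (line_number, kind, line) for each bare 'capability,' rule.

    kind is 'grant-all' for a rule that grants every capability and
    'deny-all' when the rule carries the deny qualifier.
    """
    findings = []
    for number, line in enumerate(profile_text.splitlines(), start=1):
        match = CAP_RULE.match(line)
        if match is None or match.group("caps").strip():
            continue  # not a capability rule, or it names specific capabilities
        kind = "deny-all" if match.group("deny") else "grant-all"
        findings.append((number, kind, line.strip()))
    return findings


# Constructed sample profile, for illustration only.
SAMPLE_PROFILE = """\
/usr/bin/example {
  capability net_bind_service,
  capability,
  audit capability,   # logged, but still everything
  deny capability,
  # capability,
  capability sys_admin setuid,
}
"""

if __name__ == "__main__":
    for number, kind, line in find_bare_capability_rules(SAMPLE_PROFILE):
        print(f"line {number}: {kind}: {line}")
```
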