[apparmor] [patch] utils: fix apparmor.vim rlimits support (was Re: [patch 13/18] parser: add rttime rlimit support)

Steve Beattie steve at nxnw.org
Fri Jan 17 07:43:34 UTC 2014


On Fri, Jan 17, 2014 at 12:45:27AM +0100, Christian Boltz wrote:
> (and BTW, did you test if apparmor.vim displays all tests from 12/18 
> correctly?)

Apparently I missed all the incorrect highlighting vim gave me while
creating those test cases, because no, apparmor.vim does not display
many of them correctly. The following is a patch to address the
shortcomings I found:

Subject: utils: fix apparmor.vim rlimits support

The rlimits syntax checking support in apparmor.vim was broken in
various unhelpful ways:

  - lacked support for the 'infinity' keyword (aka RLIM_INFINITY)
  - lacked support for the 'ofile' rlimit, an alias for the nofile rlimit
  - lacked support for the 'cpu' rlimit (aka RLIMIT_CPU)
  - incorrect syntax for nofile|nproc|rtprio rlimits (didn't include
    required '<=' between the limit name and value)
  - incorrect syntax for specifying optional SI units for size based
    rlimits (e.g. 'MB' is required, but syntax only allowed incorrect
    'M'; that said, one could argue the parser is overly strict here,
    and the pattern should be '[KMG]B?')

(See the setrlimit(2) man page for more details on the specifics of the
rlimit definitions.)

This patch fixes the above issues.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 utils/vim/apparmor.vim.in |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Index: b/utils/vim/apparmor.vim.in
===================================================================
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
@@ -155,10 +155,12 @@ syn match   sdEntryChangeProfile    /\v^
 " TODO: audit and deny support will be added (JJ, 2011-01-11)
 "
 "syn match sdRLimit /\v^\s*rlimit\s+()@@EOL@@/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|ofile|nproc|rtprio)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+@@EOL@@/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG]B)?@@EOL@@/ contains=sdComment
 syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+cpu\s+\<\=\s+[0-9]+(seconds|minutes|hours|days)?@@EOL@@/ contains=sdComment
+syn match sdRLimit /\v^\s*set\s+rlimit\s+(cpu|nofile|nproc|rtprio|locks|sigpending|fsize|data|stack|core|rss|as|memlock|msgqueue|nice)\s+\<\=\s+infinity@@EOL@@/ contains=sdComment
 
 " link rules
 syn match sdEntryW /\v^\s+@@auditdenyowner@@link\s+(subset\s+)?@@FILENAME@@\s+-\>\s+@@FILENAME@@@@EOL@@/ contains=sdGlob
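Review bot: the new `infinity` rule at the end of the rlimit block leaves `ofile` out of its alternation `(cpu|nofile|nproc|rtprio|locks|...)`, although the first changed line now accepts `ofile` as an alias for `nofile`. As written, `set rlimit ofile <= infinity` would match neither rule and would not be highlighted as a valid rlimit; adding `ofile` next to `nofile` in that alternation keeps the two rules consistent. A smaller point on the new `cpu` rule: `[0-9]+(seconds|minutes|hours|days)?` requires the unit to follow the digits with no whitespace, so it is worth confirming against the parser tests that a form such as `10 seconds` is not meant to be accepted. The size rule keeps the strict `([KMG]B)?` form, which matches what the commit message describes.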

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/