Merge pull request #5627 from kmk3/build-autogen-syntax

build: auto-generate syntax files

.github/workflows/build-extra.yml

@@ -5,9 +5,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -27,9 +27,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml

.github/workflows/codeql-analysis.yml

@@ -10,9 +10,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -32,9 +32,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml

.gitignore

@@ -16,6 +16,9 @@ config.log
 config.mk
 config.sh
 config.status
+contrib/syntax/files/example
+contrib/syntax/files/firejail-profile.lang
+contrib/syntax/files/firejail.vim
 firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5

CONTRIBUTING.md

@@ -38,8 +38,7 @@ If you add a new command, here's the checklist:
 
  - [ ] Update manpages: firejail(1) and firejail-profile(5)
  - [ ] Update shell completions
- - [ ] Update vim syntax files
- - [ ] Update gtksourceview language specs
+ - [ ] Update syntax files (run `make syntax` or just `make`)
  - [ ] Update --help
 
 # Editing the wiki

Makefile

@@ -6,6 +6,10 @@ MAN_TARGET = man
 MAN_SRC = src/man
 endif
 
+ifneq ($(HAVE_CONTRIB_INSTALL),no)
+CONTRIB_TARGET = contrib
+endif
+
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
@@ -17,16 +21,32 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+
+SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
+
+# Lists of keywords used in profiles; used for generating syntax files.
+SYNTAX_LISTS = \
+	contrib/syntax/lists/profile_commands_arg0.list \
+	contrib/syntax/lists/profile_commands_arg1.list \
+	contrib/syntax/lists/profile_conditionals.list \
+	contrib/syntax/lists/profile_macros.list \
+	contrib/syntax/lists/syscall_groups.list \
+	contrib/syntax/lists/syscalls.list \
+	contrib/syntax/lists/system_errnos.list
+
+SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in))
+SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=)
+
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all
-all: all_items mydirs $(MAN_TARGET) filters
+all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET)
 
 config.mk config.sh:
-	printf 'run ./configure to generate %s\n' "$@" >&2
-	false
+	@printf 'error: run ./configure to generate %s\n' "$@" >&2
+	@false
 
 .PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
@@ -38,11 +58,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
 	$(MAKE) -C $@
 
-$(MANPAGES): src/man config.mk
-	./mkman.sh $(VERSION) src/man/$(basename $@).man $@
-
-man: $(MANPAGES)
-
 filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
 	src/fseccomp/fseccomp default seccomp
@@ -65,14 +80,83 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
 	src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
+$(MANPAGES): src/man config.mk
+	./mkman.sh $(VERSION) src/man/$(basename $@).man $@
+
+man: $(MANPAGES)
+
+# Makes all targets in contrib/
+.PHONY: contrib
+contrib: syntax
+
+.PHONY: syntax
+syntax: $(SYNTAX_FILES)
+
+# TODO: include/rlimit are false positives
+contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
+	@sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
+	grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
+
+# TODO: private-lib is special-cased in the code and doesn't match the regex
+contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
+	@{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
+	LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
+	@awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
+		/\t*\{"[^"]+".*/ \
+		{ if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
+		/^\t\{ NULL, NULL \}$$/ {process=0;}' \
+		$< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
+	@sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
+	@sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
+	@sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
+	LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/system_errnos.list: src/lib/errno.c
+	@sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
+space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
+edit_syntax_file = sed \
+	-e "s/@make_input@/$$(basename $@).  Generated from $$(basename $<) by make./" \
+	-e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
+	-e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
+	-e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
+	-e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
+	-e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
+	-e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
+	-e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
+
+contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
+	@printf 'Generating %s from %s\n' $@ $<
+	@$(edit_syntax_file) $< >$@
+
+# gtksourceview language-specs
+contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
+	@printf 'Generating %s from %s\n' $@ $<
+	@$(edit_syntax_file) $< >$@
+
+# vim syntax files
+contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
+	@printf 'Generating %s from %s\n' $@ $<
+	@$(edit_syntax_file) $< >$@
+
 .PHONY: clean
 clean:
 	for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
 		$(MAKE) -C $$dir clean; \
 	done
 	$(MAKE) -C test clean
-	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
 	rm -f $(SECCOMP_FILTERS)
+	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+	rm -f $(SYNTAX_FILES)
 	rm -f test/utils/index.html*
 	rm -f test/utils/wget-log
 	rm -f test/utils/firejail-test-file*
@@ -124,10 +208,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
 	install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
 	install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
 	install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-	install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
-	# gtksourceview-5 language-specs
+	install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+	# gtksourceview language-specs
 	install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
-	install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+	install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
 endif
 	# documents
 	install -m 0755 -d $(DESTDIR)$(docdir)

contrib/syntax/files/example.in

@@ -0,0 +1,16 @@
+# @make_input@
+# Example file to check the values of input variables.
+
+FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@
+
+FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@
+
+FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@
+
+FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@
+
+FJ_SYSCALLS = @FJ_SYSCALLS@
+
+FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@
+
+FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@

contrib/gtksourceview-5/language-specs/firejail-profile.lang → contrib/syntax/files/firejail-profile.lang.in

@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!-- @make_input@ -->
 <!-- vim: set ts=2 sts=2 sw=2 et: -->
 <!--
   https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md
@@ -20,15 +21,15 @@
 
   <definitions>
     <define-regex id="commands-with-arguments" extended="true">
-      (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen)
+      (@FJ_PROFILE_COMMANDS_ARG1@)
     </define-regex>
 
     <define-regex id="commands-without-arguments" extended="true">
-      (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11)
+      (@FJ_PROFILE_COMMANDS_ARG0@)
     </define-regex>
 
     <define-regex id="conditions" extended="true">
-      (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11)
+      (@FJ_PROFILE_CONDITIONALS@)
     </define-regex>
 
     <context id="conditional-line">

contrib/syntax/files/firejail.vim.in

@@ -0,0 +1,99 @@
+" @make_input@
+" Vim syntax file
+" Language: Firejail security sandbox profile
+" URL: https://github.com/netblue30/firejail
+
+if exists("b:current_syntax")
+  finish
+endif
+
+
+syn iskeyword @,48-57,_,.,-
+
+
+syn keyword fjTodo TODO FIXME XXX NOTE contained
+syn match fjComment "#.*$" contains=fjTodo
+
+"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
+syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
+syn match fjCapabilityList /,/ nextgroup=fjCapability contained
+
+syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
+syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
+
+syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
+syn match fjProtocolList /,/ nextgroup=fjProtocol contained
+
+" Syscalls (auto-generated)
+syn keyword fjSyscall @FJ_SYSCALLS@ nextgroup=fjSyscallErrno contained
+" Syscall groups (auto-generated)
+syn match fjSyscall /\v\@(@FJ_SYSCALL_GROUPS@)>/ nextgroup=fjSyscallErrno contained
+syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
+" Errnos (auto-generated)
+syn match fjSyscallErrno /\v(:(@FJ_SYSTEM_ERRNOS@)>)?/ nextgroup=fjSyscallList contained
+syn match fjSyscallList /,/ nextgroup=fjSyscall contained
+
+syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
+
+syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
+syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
+
+syn keyword fjAll all contained
+syn keyword fjNone none contained
+syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
+
+" Variable names (auto-generated)
+syn match fjVar /\v\$\{(@FJ_PROFILE_MACROS@)}/
+
+" Profile commands with 1 argument (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) / skipwhite contained
+" Profile commands with 0 arguments (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG0@)$/ contained
+syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
+syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
+syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
+syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
+syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
+syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
+syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
+syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
+syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
+syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
+" Commands that can't be inside a ?CONDITIONAL: statement
+syn match fjCommandNoCond /include / skipwhite contained
+syn match fjCommandNoCond /quiet$/ contained
+
+" Conditionals (auto-generated)
+syn match fjConditional /\v\?(@FJ_PROFILE_CONDITIONALS@) ?:/ nextgroup=fjCommand skipwhite contained
+
+" A line is either a command, a conditional or a comment
+syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
+
+hi def link fjTodo Todo
+hi def link fjComment Comment
+hi def link fjCommand Statement
+hi def link fjCommandNoCond Statement
+hi def link fjConditional Macro
+hi def link fjVar Identifier
+hi def link fjCapability Type
+hi def link fjProtocol Type
+hi def link fjSyscall Type
+hi def link fjSyscallErrno Constant
+hi def link fjX11Sandbox Type
+hi def link fjEnvVar Type
+hi def link fjRmenvVar Type
+hi def link fjAll Type
+hi def link fjNone Type
+hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
+
+
+let b:current_syntax = "firejail"