Merge pull request #5627 from kmk3/build-autogen-syntax

build: auto-generate syntax files

16 files changed, 991 insertions, 130 deletions

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index c1c240922..a7b7c8a3e 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -5,9 +5,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -27,9 +27,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e9daff6de..9cf216492 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,9 +10,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
@@ -32,9 +32,9 @@ on:
     branches: [ master ]
     paths-ignore:
       - '.github/ISSUE_TEMPLATE/*'
-      - 'etc/**'
-      - 'contrib/gtksourceview-5/**'
+      - 'contrib/syntax/**'
       - 'contrib/vim/**'
+      - 'etc/**'
       - 'src/man/*.txt'
       - .git-blame-ignore-revs
       - .github/dependabot.yml
diff --git a/.gitignore b/.gitignore
index 7333b1c8d..db3b16893 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,9 @@ config.log
 config.mk
 config.sh
 config.status
+contrib/syntax/files/example
+contrib/syntax/files/firejail-profile.lang
+contrib/syntax/files/firejail.vim
 firejail-*.tar.xz
 firejail-login.5
 firejail-profile.5
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9a5f19b54..97730e533 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -38,8 +38,7 @@ If you add a new command, here's the checklist:
 
  - [ ] Update manpages: firejail(1) and firejail-profile(5)
  - [ ] Update shell completions
- - [ ] Update vim syntax files
- - [ ] Update gtksourceview language specs
+ - [ ] Update syntax files (run `make syntax` or just `make`)
  - [ ] Update --help
 
 # Editing the wiki
diff --git a/Makefile b/Makefile
index 119bf6b4b..443c3183f 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,10 @@ MAN_TARGET = man
 MAN_SRC = src/man
 endif
 
+ifneq ($(HAVE_CONTRIB_INSTALL),no)
+CONTRIB_TARGET = contrib
+endif
+
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailcheck/jailcheck
@@ -17,16 +21,32 @@ SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+
+SYSCALL_HEADERS := $(sort $(wildcard src/include/syscall*.h))
+
+# Lists of keywords used in profiles; used for generating syntax files.
+SYNTAX_LISTS = \
+        contrib/syntax/lists/profile_commands_arg0.list \
+        contrib/syntax/lists/profile_commands_arg1.list \
+        contrib/syntax/lists/profile_conditionals.list \
+        contrib/syntax/lists/profile_macros.list \
+        contrib/syntax/lists/syscall_groups.list \
+        contrib/syntax/lists/syscalls.list \
+        contrib/syntax/lists/system_errnos.list
+
+SYNTAX_FILES_IN := $(sort $(wildcard contrib/syntax/files/*.in))
+SYNTAX_FILES := $(SYNTAX_FILES_IN:.in=)
+
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all
-all: all_items mydirs $(MAN_TARGET) filters
+all: all_items mydirs filters $(MAN_TARGET) $(CONTRIB_TARGET)
 
 config.mk config.sh:
-        printf 'run ./configure to generate %s\n' "$@" >&2
-        false
+        @printf 'error: run ./configure to generate %s\n' "$@" >&2
+        @false
 
 .PHONY: all_items $(ALL_ITEMS)
 all_items: $(ALL_ITEMS)
@@ -38,11 +58,6 @@ mydirs: $(MYDIRS)
 $(MYDIRS):
         $(MAKE) -C $@
 
-$(MANPAGES): src/man config.mk
-        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
-
-man: $(MANPAGES)
-
 filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp
@@ -65,14 +80,83 @@ seccomp.mdwx: src/fseccomp/fseccomp
 seccomp.mdwx.32: src/fseccomp/fseccomp
         src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 
+$(MANPAGES): src/man config.mk
+        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
+
+man: $(MANPAGES)
+
+# Makes all targets in contrib/
+.PHONY: contrib
+contrib: syntax
+
+.PHONY: syntax
+syntax: $(SYNTAX_FILES)
+
+# TODO: include/rlimit are false positives
+contrib/syntax/lists/profile_commands_arg0.list: src/firejail/profile.c
+        @sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' $< | \
+        grep -Ev '^(include|rlimit)$$' | sed 's/\./\\./' | LC_ALL=C sort -u >$@
+
+# TODO: private-lib is special-cased in the code and doesn't match the regex
+contrib/syntax/lists/profile_commands_arg1.list: src/firejail/profile.c
+        @{ sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' $<; echo private-lib; } | \
+        LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_conditionals.list: src/firejail/profile.c
+        @awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$$/ {process=1;} \
+                /\t*\{"[^"]+".*/ \
+                { if (process) {print gensub(/^\t*\{"([^"]+)".*$$/, "\\1", 1);} } \
+                /^\t\{ NULL, NULL \}$$/ {process=0;}' \
+                $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/profile_macros.list: src/firejail/macros.c
+        @sed -En 's/.*\$$\{([^}]+)\}.*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscall_groups.list: src/lib/syscall.c
+        @sed -En 's/.*"@([^",]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/syscalls.list: $(SYSCALL_HEADERS)
+        @sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' $(SYSCALL_HEADERS) | \
+        LC_ALL=C sort -u >$@
+
+contrib/syntax/lists/system_errnos.list: src/lib/errno.c
+        @sed -En 's/.*"(E[^"]+).*/\1/p' $< | LC_ALL=C sort -u >$@
+
+pipe_fromlf = { tr '\n' '|' | sed 's/|$$//'; }
+space_fromlf = { tr '\n' ' ' | sed 's/ $$//'; }
+edit_syntax_file = sed \
+        -e "s/@make_input@/$$(basename $@).  Generated from $$(basename $<) by make./" \
+        -e "s/@FJ_PROFILE_COMMANDS_ARG0@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg0.list)/" \
+        -e "s/@FJ_PROFILE_COMMANDS_ARG1@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_commands_arg1.list)/" \
+        -e "s/@FJ_PROFILE_CONDITIONALS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_conditionals.list)/" \
+        -e "s/@FJ_PROFILE_MACROS@/$$($(pipe_fromlf) <contrib/syntax/lists/profile_macros.list)/" \
+        -e "s/@FJ_SYSCALLS@/$$($(space_fromlf) <contrib/syntax/lists/syscalls.list)/" \
+        -e "s/@FJ_SYSCALL_GROUPS@/$$($(pipe_fromlf) <contrib/syntax/lists/syscall_groups.list)/" \
+        -e "s/@FJ_SYSTEM_ERRNOS@/$$($(pipe_fromlf) <contrib/syntax/lists/system_errnos.list)/"
+
+contrib/syntax/files/example: contrib/syntax/files/example.in $(SYNTAX_LISTS)
+        @printf 'Generating %s from %s\n' $@ $<
+        @$(edit_syntax_file) $< >$@
+
+# gtksourceview language-specs
+contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in $(SYNTAX_LISTS)
+        @printf 'Generating %s from %s\n' $@ $<
+        @$(edit_syntax_file) $< >$@
+
+# vim syntax files
+contrib/syntax/files/%.vim: contrib/syntax/files/%.vim.in $(SYNTAX_LISTS)
+        @printf 'Generating %s from %s\n' $@ $<
+        @$(edit_syntax_file) $< >$@
+
 .PHONY: clean
 clean:
         for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir clean; \
         done
         $(MAKE) -C test clean
-        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
         rm -f $(SECCOMP_FILTERS)
+        rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+        rm -f $(SYNTAX_FILES)
         rm -f test/utils/index.html*
         rm -f test/utils/wget-log
         rm -f test/utils/firejail-test-file*
@@ -124,10 +208,10 @@ ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
         install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
         install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
-        install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
-        # gtksourceview-5 language-specs
+        install -m 0644 contrib/syntax/files/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        # gtksourceview language-specs
         install -m 0755 -d $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
-        install -m 0644 contrib/gtksourceview-5/language-specs/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
+        install -m 0644 contrib/syntax/files/firejail-profile.lang $(DESTDIR)$(datarootdir)/gtksourceview-5/language-specs
 endif
         # documents
         install -m 0755 -d $(DESTDIR)$(docdir)
diff --git a/contrib/syntax/files/example.in b/contrib/syntax/files/example.in
new file mode 100644
index 000000000..74bcdc079
--- /dev/null
+++ b/contrib/syntax/files/example.in
@@ -0,0 +1,16 @@
+# @make_input@
+# Example file to check the values of input variables.
+
+FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@
+
+FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@
+
+FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@
+
+FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@
+
+FJ_SYSCALLS = @FJ_SYSCALLS@
+
+FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@
+
+FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@
diff --git a/contrib/gtksourceview-5/language-specs/firejail-profile.lang b/contrib/syntax/files/firejail-profile.lang.in
index 61c37f98f..acd5c86ce 100644
--- a/contrib/gtksourceview-5/language-specs/firejail-profile.lang
+++ b/contrib/syntax/files/firejail-profile.lang.in
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!-- @make_input@ -->
 <!-- vim: set ts=2 sts=2 sw=2 et: -->
 <!--
   https://gitlab.gnome.org/GNOME/gtksourceview/-/blob/master/docs/lang-tutorial.md
@@ -20,15 +21,15 @@
 
   <definitions>
     <define-regex id="commands-with-arguments" extended="true">
-      (apparmor|bind|blacklist-nolog|blacklist|caps.drop|caps.keep|cpu|dbus-system.broadcast|dbus-system.call|dbus-system.own|dbus-system.see|dbus-system.talk|dbus-system|dbus-user.broadcast|dbus-user.call|dbus-user.own|dbus-user.see|dbus-user.talk|dbus-user|defaultgw|dns|env|hostname|hosts-file|ignore|include|ip6|ip|iprange|join-or-start|keep-fd|mac|mkdir|mkfile|mtu|name|net|netfilter6|netfilter|netmask|netns|nice|noblacklist|noexec|nowhitelist|overlay-named|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|private|protocol|read-only|read-write|restrict-namespaces|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|rlimit|rmenv|seccomp-error-action|seccomp.32.drop|seccomp.32.keep|seccomp.32|seccomp.drop|seccomp.keep|seccomp|shell|timeout|tmpfs|veth-name|whitelist-ro|whitelist|x11|xephyr-screen)
+      (@FJ_PROFILE_COMMANDS_ARG1@)
     </define-regex>
 
     <define-regex id="commands-without-arguments" extended="true">
-      (allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay-tmpfs|overlay|private-cache|private-cwd|private-dev|private-lib|private-tmp|private|quiet|restrict-namespaces|seccomp.32|seccomp.block-secondary|seccomp|tab|tracelog|writable-etc|writable-run-user|writable-var-log|writable-var|x11)
+      (@FJ_PROFILE_COMMANDS_ARG0@)
     </define-regex>
 
     <define-regex id="conditions" extended="true">
-      (ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11)
+      (@FJ_PROFILE_CONDITIONALS@)
     </define-regex>
 
     <context id="conditional-line">
diff --git a/contrib/syntax/files/firejail.vim.in b/contrib/syntax/files/firejail.vim.in
new file mode 100644
index 000000000..ec6b29e4f
--- /dev/null
+++ b/contrib/syntax/files/firejail.vim.in
@@ -0,0 +1,99 @@
+" @make_input@
+" Vim syntax file
+" Language: Firejail security sandbox profile
+" URL: https://github.com/netblue30/firejail
+
+if exists("b:current_syntax")
+  finish
+endif
+
+
+syn iskeyword @,48-57,_,.,-
+
+
+syn keyword fjTodo TODO FIXME XXX NOTE contained
+syn match fjComment "#.*$" contains=fjTodo
+
+"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
+syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
+syn match fjCapabilityList /,/ nextgroup=fjCapability contained
+
+syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
+syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
+
+syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
+syn match fjProtocolList /,/ nextgroup=fjProtocol contained
+
+" Syscalls (auto-generated)
+syn keyword fjSyscall @FJ_SYSCALLS@ nextgroup=fjSyscallErrno contained
+" Syscall groups (auto-generated)
+syn match fjSyscall /\v\@(@FJ_SYSCALL_GROUPS@)>/ nextgroup=fjSyscallErrno contained
+syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
+" Errnos (auto-generated)
+syn match fjSyscallErrno /\v(:(@FJ_SYSTEM_ERRNOS@)>)?/ nextgroup=fjSyscallList contained
+syn match fjSyscallList /,/ nextgroup=fjSyscall contained
+
+syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
+
+syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
+syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
+
+syn keyword fjAll all contained
+syn keyword fjNone none contained
+syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
+
+" Variable names (auto-generated)
+syn match fjVar /\v\$\{(@FJ_PROFILE_MACROS@)}/
+
+" Profile commands with 1 argument (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG1@) / skipwhite contained
+" Profile commands with 0 arguments (auto-generated)
+syn match fjCommand /\v(@FJ_PROFILE_COMMANDS_ARG0@)$/ contained
+syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
+syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
+syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
+syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
+syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
+syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
+syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
+syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
+syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
+syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
+" Commands that can't be inside a ?CONDITIONAL: statement
+syn match fjCommandNoCond /include / skipwhite contained
+syn match fjCommandNoCond /quiet$/ contained
+
+" Conditionals (auto-generated)
+syn match fjConditional /\v\?(@FJ_PROFILE_CONDITIONALS@) ?:/ nextgroup=fjCommand skipwhite contained
+
+" A line is either a command, a conditional or a comment
+syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
+
+hi def link fjTodo Todo
+hi def link fjComment Comment
+hi def link fjCommand Statement
+hi def link fjCommandNoCond Statement
+hi def link fjConditional Macro
+hi def link fjVar Identifier
+hi def link fjCapability Type
+hi def link fjProtocol Type
+hi def link fjSyscall Type
+hi def link fjSyscallErrno Constant
+hi def link fjX11Sandbox Type
+hi def link fjEnvVar Type
+hi def link fjRmenvVar Type
+hi def link fjAll Type
+hi def link fjNone Type
+hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
+
+
+let b:current_syntax = "firejail"
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
new file mode 100644
index 000000000..a402671a6
--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -0,0 +1,50 @@
+allow-debuggers
+allusers
+apparmor
+apparmor-replace
+apparmor-stack
+caps
+deterministic-exit-code
+deterministic-shutdown
+disable-mnt
+ipc-namespace
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+machine-id
+memory-deny-write-execute
+netfilter
+netlock
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+overlay
+overlay-tmpfs
+private
+private-cache
+private-cwd
+private-dev
+private-etc
+private-lib
+private-tmp
+quiet
+restrict-namespaces
+seccomp
+seccomp\.block-secondary
+tab
+tracelog
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
+x11
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list
new file mode 100644
index 000000000..c703f2257
--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -0,0 +1,76 @@
+apparmor
+bind
+blacklist
+blacklist-nolog
+caps.drop
+caps.keep
+cpu
+dbus-system.broadcast
+dbus-system.call
+dbus-system.own
+dbus-system.see
+dbus-system.talk
+dbus-user.broadcast
+dbus-user.call
+dbus-user.own
+dbus-user.see
+dbus-user.talk
+defaultgw
+dns
+env
+hostname
+hosts-file
+ignore
+include
+ip
+ip6
+iprange
+join-or-start
+keep-fd
+mac
+mkdir
+mkfile
+mtu
+name
+net
+netfilter
+netfilter6
+netmask
+netns
+nice
+noblacklist
+noexec
+nowhitelist
+overlay-named
+private
+private-bin
+private-cwd
+private-etc
+private-home
+private-lib
+private-opt
+private-srv
+protocol
+read-only
+read-write
+restrict-namespaces
+rlimit-as
+rlimit-cpu
+rlimit-fsize
+rlimit-nofile
+rlimit-nproc
+rlimit-sigpending
+rmenv
+seccomp
+seccomp-error-action
+seccomp.32
+seccomp.32.drop
+seccomp.32.keep
+seccomp.drop
+seccomp.keep
+timeout
+tmpfs
+veth-name
+whitelist
+whitelist-ro
+xephyr-screen
diff --git a/contrib/syntax/lists/profile_conditionals.list b/contrib/syntax/lists/profile_conditionals.list
new file mode 100644
index 000000000..2cae76c96
--- /dev/null
+++ b/contrib/syntax/lists/profile_conditionals.list
@@ -0,0 +1,9 @@
+ALLOW_TRAY
+BROWSER_ALLOW_DRM
+BROWSER_DISABLE_U2F
+HAS_APPIMAGE
+HAS_NET
+HAS_NODBUS
+HAS_NOSOUND
+HAS_PRIVATE
+HAS_X11
diff --git a/contrib/syntax/lists/profile_macros.list b/contrib/syntax/lists/profile_macros.list
new file mode 100644
index 000000000..4ba780f11
--- /dev/null
+++ b/contrib/syntax/lists/profile_macros.list
@@ -0,0 +1,10 @@
+CFG
+DESKTOP
+DOCUMENTS
+DOWNLOADS
+HOME
+MUSIC
+PATH
+PICTURES
+RUNUSER
+VIDEOS
diff --git a/contrib/syntax/lists/syscall_groups.list b/contrib/syntax/lists/syscall_groups.list
new file mode 100644
index 000000000..fb42ae5f7
--- /dev/null
+++ b/contrib/syntax/lists/syscall_groups.list
@@ -0,0 +1,29 @@
+aio
+basic-io
+chown
+clock
+cpu-emulation
+debug
+default
+default-keep
+default-nodebuggers
+file-system
+io-event
+ipc
+keyring
+memlock
+module
+mount
+network-io
+obsolete
+privileged
+process
+raw-io
+reboot
+resources
+setuid
+signal
+swap
+sync
+system-service
+timer
diff --git a/contrib/syntax/lists/syscalls.list b/contrib/syntax/lists/syscalls.list
new file mode 100644
index 000000000..abb740b24
--- /dev/null
+++ b/contrib/syntax/lists/syscalls.list
@@ -0,0 +1,454 @@
+_llseek
+_newselect
+_sysctl
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+afs_syscall
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bdflush
+bind
+bpf
+break
+brk
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_adjtime64
+clock_getres
+clock_getres_time64
+clock_gettime
+clock_gettime64
+clock_nanosleep
+clock_nanosleep_time64
+clock_settime
+clock_settime64
+clone
+clone3
+close
+close_range
+connect
+copy_file_range
+creat
+create_module
+delete_module
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_pwait2
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+faccessat2
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fremovexattr
+fsconfig
+fsetxattr
+fsmount
+fsopen
+fspick
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futex_time64
+futex_waitv
+futimesat
+get_kernel_syms
+get_mempolicy
+get_robust_list
+get_thread_area
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+getrusage
+getsid
+getsockname
+getsockopt
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+gtty
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+io_destroy
+io_getevents
+io_pgetevents
+io_pgetevents_time64
+io_setup
+io_submit
+io_uring_enter
+io_uring_register
+io_uring_setup
+ioctl
+ioperm
+iopl
+ioprio_get
+ioprio_set
+ipc
+kcmp
+kexec_file_load
+kexec_load
+keyctl
+kill
+landlock_add_rule
+landlock_create_ruleset
+landlock_restrict_self
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+lock
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+membarrier
+memfd_create
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlock2
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+mount_setattr
+move_mount
+move_pages
+mprotect
+mpx
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedreceive_time64
+mq_timedsend
+mq_timedsend_time64
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+nfsservctl
+nice
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+open
+open_by_handle_at
+open_tree
+openat
+openat2
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+personality
+pidfd_getfd
+pidfd_open
+pidfd_send_signal
+pipe
+pipe2
+pivot_root
+pkey_alloc
+pkey_free
+pkey_mprotect
+poll
+ppoll
+ppoll_time64
+prctl
+pread64
+preadv
+preadv2
+prlimit64
+process_madvise
+process_mrelease
+process_vm_readv
+process_vm_writev
+prof
+profil
+pselect6
+pselect6_time64
+ptrace
+putpmsg
+pwrite64
+pwritev
+pwritev2
+query_module
+quotactl
+quotactl_fd
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmmsg_time64
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+rmdir
+rseq
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_sigtimedwait_time64
+rt_tgsigqueueinfo
+sched_get_priority_max
+sched_get_priority_min
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_getscheduler
+sched_rr_get_interval
+sched_rr_get_interval_time64
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+security
+select
+semctl
+semget
+semop
+semtimedop
+semtimedop_time64
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+set_mempolicy
+set_robust_list
+set_thread_area
+set_tid_address
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethostname
+setitimer
+setns
+setpgid
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+setsid
+setsockopt
+settimeofday
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+ssetmask
+stat
+stat64
+statfs
+statfs64
+statx
+stime
+stty
+swapoff
+swapon
+symlink
+symlinkat
+sync
+sync_file_range
+syncfs
+sysfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timer_getoverrun
+timer_gettime
+timer_gettime64
+timer_settime
+timer_settime64
+timerfd_create
+timerfd_gettime
+timerfd_gettime64
+timerfd_settime
+timerfd_settime64
+times
+tkill
+truncate
+truncate64
+tuxcall
+ugetrlimit
+ulimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+userfaultfd
+ustat
+utime
+utimensat
+utimensat_time64
+utimes
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+vserver
+wait4
+waitid
+waitpid
+write
+writev
diff --git a/contrib/syntax/lists/system_errnos.list b/contrib/syntax/lists/system_errnos.list
new file mode 100644
index 000000000..f0f816943
--- /dev/null
+++ b/contrib/syntax/lists/system_errnos.list
@@ -0,0 +1,135 @@
+E2BIG
+EACCES
+EADDRINUSE
+EADDRNOTAVAIL
+EADV
+EAFNOSUPPORT
+EAGAIN
+EALREADY
+EBADE
+EBADF
+EBADFD
+EBADMSG
+EBADR
+EBADRQC
+EBADSLT
+EBFONT
+EBUSY
+ECANCELED
+ECHILD
+ECHRNG
+ECOMM
+ECONNABORTED
+ECONNREFUSED
+ECONNRESET
+EDEADLK
+EDEADLOCK
+EDESTADDRREQ
+EDOM
+EDOTDOT
+EDQUOT
+EEXIST
+EFAULT
+EFBIG
+EHOSTDOWN
+EHOSTUNREACH
+EHWPOISON
+EIDRM
+EILSEQ
+EINPROGRESS
+EINTR
+EINVAL
+EIO
+EISCONN
+EISDIR
+EISNAM
+EKEYEXPIRED
+EKEYREJECTED
+EKEYREVOKED
+EL2HLT
+EL2NSYNC
+EL3HLT
+EL3RST
+ELIBACC
+ELIBBAD
+ELIBEXEC
+ELIBMAX
+ELIBSCN
+ELNRNG
+ELOOP
+EMEDIUMTYPE
+EMFILE
+EMLINK
+EMSGSIZE
+EMULTIHOP
+ENAMETOOLONG
+ENAVAIL
+ENETDOWN
+ENETRESET
+ENETUNREACH
+ENFILE
+ENOANO
+ENOATTR
+ENOBUFS
+ENOCSI
+ENODATA
+ENODEV
+ENOENT
+ENOEXEC
+ENOKEY
+ENOLCK
+ENOLINK
+ENOMEDIUM
+ENOMEM
+ENOMSG
+ENONET
+ENOPKG
+ENOPROTOOPT
+ENOSPC
+ENOSR
+ENOSTR
+ENOSYS
+ENOTBLK
+ENOTCONN
+ENOTDIR
+ENOTEMPTY
+ENOTNAM
+ENOTRECOVERABLE
+ENOTSOCK
+ENOTSUP
+ENOTTY
+ENOTUNIQ
+ENXIO
+EOPNOTSUPP
+EOVERFLOW
+EOWNERDEAD
+EPERM
+EPFNOSUPPORT
+EPIPE
+EPROTO
+EPROTONOSUPPORT
+EPROTOTYPE
+ERANGE
+EREMCHG
+EREMOTE
+EREMOTEIO
+ERESTART
+ERFKILL
+EROFS
+ESHUTDOWN
+ESOCKTNOSUPPORT
+ESPIPE
+ESRCH
+ESRMNT
+ESTALE
+ESTRPIPE
+ETIME
+ETIMEDOUT
+ETOOMANYREFS
+ETXTBSY
+EUCLEAN
+EUNATCH
+EUSERS
+EWOULDBLOCK
+EXDEV
+EXFULL
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
deleted file mode 100644
index c844350d8..000000000
--- a/contrib/vim/syntax/firejail.vim
+++ /dev/null
@@ -1,104 +0,0 @@
-" Vim syntax file
-" Language: Firejail security sandbox profile
-" URL: https://github.com/netblue30/firejail
-
-if exists("b:current_syntax")
-  finish
-endif
-
-
-syn iskeyword @,48-57,_,.,-
-
-
-syn keyword fjTodo TODO FIXME XXX NOTE contained
-syn match fjComment "#.*$" contains=fjTodo
-
-"TODO: highlight "dangerous" capabilities differently, as is done in apparmor.vim?
-syn keyword fjCapability audit_control audit_read audit_write block_suspend chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog wake_alarm nextgroup=fjCapabilityList contained
-syn match fjCapabilityList /,/ nextgroup=fjCapability contained
-
-syn keyword fjNamespaces cgroup ipc net mnt pid time user uts nextgroup=fjNamespacesList contained
-syn match fjNamespacesList /,/ nextgroup=fjNamespaces contained
-
-syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
-syn match fjProtocolList /,/ nextgroup=fjProtocol contained
-
-" Syscalls grabbed from: src/include/syscall*.h
-" Generate list with: sed -n 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr '\n' ' '
-syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
-" Syscall groups grabbed from: src/fseccomp/syscall.c
-" Generate list with: sed -En 's/.*"@([^",]+).*/\1/p' src/lib/syscall.c | sort -u | tr '\n' '|'
-syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
-syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
-" Errnos grabbed from: src/fseccomp/errno.c
-" Generate list with: sed -En 's/.*"(E[^"]+).*/\1/p' src/lib/errno.c | sort -u | tr '\n' '|'
-syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
-syn match fjSyscallList /,/ nextgroup=fjSyscall contained
-
-syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
-syn keyword fjSeccompAction kill log ERRNO contained
-
-syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
-syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
-
-syn keyword fjAll all contained
-syn keyword fjNone none contained
-syn keyword fjLo lo contained
-syn keyword fjFilter filter contained
-
-" Variable names grabbed from: src/firejail/macros.c
-" Generate list with: sed -En 's/.*\$\{([^}]+)\}.*/\1/p' src/firejail/macros.c | sort -u | tr '\n' '|'
-syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES|RUNUSER|VIDEOS)}/
-
-" Commands grabbed from: src/firejail/profile.c
-" Generate list with: { sed -En 's/.*strn?cmp\(ptr, "([^"]+) ".*/\1/p' src/firejail/profile.c; echo private-lib; } | grep -Ev '^(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)$' | sort -u | tr '\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
-" Generate list with: sed -En 's/.*strn?cmp\(ptr, "([^ "]*[^ ])".*/\1/p' src/firejail/profile.c | grep -Ev '^(include|rlimit|quiet)$' | sed 's/\./\\./' | sort -u | tr '\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
-syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
-syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
-syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
-syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
-syn match fjCommand /restrict-namespaces / nextgroup=fjNamespaces skipwhite contained
-syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
-syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
-syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
-syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
-syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
-syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
-syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
-syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
-syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
-syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
-" Commands that can't be inside a ?CONDITIONAL: statement
-syn match fjCommandNoCond /include / skipwhite contained
-syn match fjCommandNoCond /quiet$/ contained
-
-" Conditionals grabbed from: src/firejail/profile.c
-" Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr '\n' '|'
-syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
-
-" A line is either a command, a conditional or a comment
-syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
-
-hi def link fjTodo Todo
-hi def link fjComment Comment
-hi def link fjCommand Statement
-hi def link fjCommandNoCond Statement
-hi def link fjConditional Macro
-hi def link fjVar Identifier
-hi def link fjCapability Type
-hi def link fjProtocol Type
-hi def link fjSyscall Type
-hi def link fjSyscallErrno Constant
-hi def link fjX11Sandbox Type
-hi def link fjEnvVar Type
-hi def link fjRmenvVar Type
-hi def link fjAll Type
-hi def link fjNone Type
-hi def link fjLo Type
-hi def link fjFilter Type
-hi def link fjSeccompAction Type
-
-
-let b:current_syntax = "firejail"