build: auto-generate syntax lists

Changes:

* Use the commands from contrib/vim/syntax/firejail.vim to create
  makefile targets to generate syntax lists in contrib/syntax/lists
* Add contrib/syntax/files/example.in as an example of how to generate
  syntax files
* Generate and add the syntax lists, to make it easier to spot if they
  are properly updated when a new command is added or if their recipes
  also need changes
* Add "syntax" and "contrib" makefile targets

Note: The generation commands are executed mostly silently to avoid
generating too much noise when also making other targets.

Note2: In some generation commands, a `$$` escape is used to pass `$` to
the shell, to avoid being interpreted by make as the start of a macro.

Note3: `@make_input@` is used in example.in to make it clear that the
file is generated (and that it is generated by make rather than
configure), similarly to how `@configure_input@` is used in configure
input files.  See also apparmor.vim:

    $ head -n 2 /usr/share/vim/vimfiles/syntax/apparmor.vim
    " generated from apparmor.vim.in by create-apparmor.vim.py
    " do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead

Environment: apparmor 3.1.2-1 on Artix Linux.

Relates to #2679 #5502 #5577 #5612.

8 files changed, 779 insertions, 0 deletions

diff --git a/contrib/syntax/files/example.in b/contrib/syntax/files/example.in
new file mode 100644
index 000000000..74bcdc079
--- /dev/null
+++ b/contrib/syntax/files/example.in
@@ -0,0 +1,16 @@
+# @make_input@
+# Example file to check the values of input variables.
+
+FJ_PROFILE_COMMANDS_ARG0 = @FJ_PROFILE_COMMANDS_ARG0@
+
+FJ_PROFILE_COMMANDS_ARG1 = @FJ_PROFILE_COMMANDS_ARG1@
+
+FJ_PROFILE_CONDITIONALS = @FJ_PROFILE_CONDITIONALS@
+
+FJ_PROFILE_MACROS = @FJ_PROFILE_MACROS@
+
+FJ_SYSCALLS = @FJ_SYSCALLS@
+
+FJ_SYSCALL_GROUPS = @FJ_SYSCALL_GROUPS@
+
+FJ_SYSTEM_ERRNOS = @FJ_SYSTEM_ERRNOS@
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
new file mode 100644
index 000000000..a402671a6
--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -0,0 +1,50 @@
+allow-debuggers
+allusers
+apparmor
+apparmor-replace
+apparmor-stack
+caps
+deterministic-exit-code
+deterministic-shutdown
+disable-mnt
+ipc-namespace
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+machine-id
+memory-deny-write-execute
+netfilter
+netlock
+no3d
+noautopulse
+nodbus
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+overlay
+overlay-tmpfs
+private
+private-cache
+private-cwd
+private-dev
+private-etc
+private-lib
+private-tmp
+quiet
+restrict-namespaces
+seccomp
+seccomp\.block-secondary
+tab
+tracelog
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
+x11
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list
new file mode 100644
index 000000000..c703f2257
--- /dev/null
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -0,0 +1,76 @@
+apparmor
+bind
+blacklist
+blacklist-nolog
+caps.drop
+caps.keep
+cpu
+dbus-system.broadcast
+dbus-system.call
+dbus-system.own
+dbus-system.see
+dbus-system.talk
+dbus-user.broadcast
+dbus-user.call
+dbus-user.own
+dbus-user.see
+dbus-user.talk
+defaultgw
+dns
+env
+hostname
+hosts-file
+ignore
+include
+ip
+ip6
+iprange
+join-or-start
+keep-fd
+mac
+mkdir
+mkfile
+mtu
+name
+net
+netfilter
+netfilter6
+netmask
+netns
+nice
+noblacklist
+noexec
+nowhitelist
+overlay-named
+private
+private-bin
+private-cwd
+private-etc
+private-home
+private-lib
+private-opt
+private-srv
+protocol
+read-only
+read-write
+restrict-namespaces
+rlimit-as
+rlimit-cpu
+rlimit-fsize
+rlimit-nofile
+rlimit-nproc
+rlimit-sigpending
+rmenv
+seccomp
+seccomp-error-action
+seccomp.32
+seccomp.32.drop
+seccomp.32.keep
+seccomp.drop
+seccomp.keep
+timeout
+tmpfs
+veth-name
+whitelist
+whitelist-ro
+xephyr-screen
diff --git a/contrib/syntax/lists/profile_conditionals.list b/contrib/syntax/lists/profile_conditionals.list
new file mode 100644
index 000000000..2cae76c96
--- /dev/null
+++ b/contrib/syntax/lists/profile_conditionals.list
@@ -0,0 +1,9 @@
+ALLOW_TRAY
+BROWSER_ALLOW_DRM
+BROWSER_DISABLE_U2F
+HAS_APPIMAGE
+HAS_NET
+HAS_NODBUS
+HAS_NOSOUND
+HAS_PRIVATE
+HAS_X11
diff --git a/contrib/syntax/lists/profile_macros.list b/contrib/syntax/lists/profile_macros.list
new file mode 100644
index 000000000..4ba780f11
--- /dev/null
+++ b/contrib/syntax/lists/profile_macros.list
@@ -0,0 +1,10 @@
+CFG
+DESKTOP
+DOCUMENTS
+DOWNLOADS
+HOME
+MUSIC
+PATH
+PICTURES
+RUNUSER
+VIDEOS
diff --git a/contrib/syntax/lists/syscall_groups.list b/contrib/syntax/lists/syscall_groups.list
new file mode 100644
index 000000000..fb42ae5f7
--- /dev/null
+++ b/contrib/syntax/lists/syscall_groups.list
@@ -0,0 +1,29 @@
+aio
+basic-io
+chown
+clock
+cpu-emulation
+debug
+default
+default-keep
+default-nodebuggers
+file-system
+io-event
+ipc
+keyring
+memlock
+module
+mount
+network-io
+obsolete
+privileged
+process
+raw-io
+reboot
+resources
+setuid
+signal
+swap
+sync
+system-service
+timer
diff --git a/contrib/syntax/lists/syscalls.list b/contrib/syntax/lists/syscalls.list
new file mode 100644
index 000000000..abb740b24
--- /dev/null
+++ b/contrib/syntax/lists/syscalls.list
@@ -0,0 +1,454 @@
+_llseek
+_newselect
+_sysctl
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+afs_syscall
+alarm
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+bdflush
+bind
+bpf
+break
+brk
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_adjtime64
+clock_getres
+clock_getres_time64
+clock_gettime
+clock_gettime64
+clock_nanosleep
+clock_nanosleep_time64
+clock_settime
+clock_settime64
+clone
+clone3
+close
+close_range
+connect
+copy_file_range
+creat
+create_module
+delete_module
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_pwait2
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+execve
+execveat
+exit
+exit_group
+faccessat
+faccessat2
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fremovexattr
+fsconfig
+fsetxattr
+fsmount
+fsopen
+fspick
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftime
+ftruncate
+ftruncate64
+futex
+futex_time64
+futex_waitv
+futimesat
+get_kernel_syms
+get_mempolicy
+get_robust_list
+get_thread_area
+getcpu
+getcwd
+getdents
+getdents64
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+getitimer
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+getrusage
+getsid
+getsockname
+getsockopt
+gettid
+gettimeofday
+getuid
+getuid32
+getxattr
+gtty
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+io_destroy
+io_getevents
+io_pgetevents
+io_pgetevents_time64
+io_setup
+io_submit
+io_uring_enter
+io_uring_register
+io_uring_setup
+ioctl
+ioperm
+iopl
+ioprio_get
+ioprio_set
+ipc
+kcmp
+kexec_file_load
+kexec_load
+keyctl
+kill
+landlock_add_rule
+landlock_create_ruleset
+landlock_restrict_self
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+lock
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+membarrier
+memfd_create
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlock2
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+mount_setattr
+move_mount
+move_pages
+mprotect
+mpx
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedreceive_time64
+mq_timedsend
+mq_timedsend_time64
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+nfsservctl
+nice
+oldfstat
+oldlstat
+oldolduname
+oldstat
+olduname
+open
+open_by_handle_at
+open_tree
+openat
+openat2
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+personality
+pidfd_getfd
+pidfd_open
+pidfd_send_signal
+pipe
+pipe2
+pivot_root
+pkey_alloc
+pkey_free
+pkey_mprotect
+poll
+ppoll
+ppoll_time64
+prctl
+pread64
+preadv
+preadv2
+prlimit64
+process_madvise
+process_mrelease
+process_vm_readv
+process_vm_writev
+prof
+profil
+pselect6
+pselect6_time64
+ptrace
+putpmsg
+pwrite64
+pwritev
+pwritev2
+query_module
+quotactl
+quotactl_fd
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmmsg_time64
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+rmdir
+rseq
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_sigtimedwait_time64
+rt_tgsigqueueinfo
+sched_get_priority_max
+sched_get_priority_min
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_getscheduler
+sched_rr_get_interval
+sched_rr_get_interval_time64
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+security
+select
+semctl
+semget
+semop
+semtimedop
+semtimedop_time64
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+set_mempolicy
+set_robust_list
+set_thread_area
+set_tid_address
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethostname
+setitimer
+setns
+setpgid
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+setsid
+setsockopt
+settimeofday
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+ssetmask
+stat
+stat64
+statfs
+statfs64
+statx
+stime
+stty
+swapoff
+swapon
+symlink
+symlinkat
+sync
+sync_file_range
+syncfs
+sysfs
+sysinfo
+syslog
+tee
+tgkill
+time
+timer_create
+timer_delete
+timer_getoverrun
+timer_gettime
+timer_gettime64
+timer_settime
+timer_settime64
+timerfd_create
+timerfd_gettime
+timerfd_gettime64
+timerfd_settime
+timerfd_settime64
+times
+tkill
+truncate
+truncate64
+tuxcall
+ugetrlimit
+ulimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+userfaultfd
+ustat
+utime
+utimensat
+utimensat_time64
+utimes
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+vserver
+wait4
+waitid
+waitpid
+write
+writev
diff --git a/contrib/syntax/lists/system_errnos.list b/contrib/syntax/lists/system_errnos.list
new file mode 100644
index 000000000..f0f816943
--- /dev/null
+++ b/contrib/syntax/lists/system_errnos.list
@@ -0,0 +1,135 @@
+E2BIG
+EACCES
+EADDRINUSE
+EADDRNOTAVAIL
+EADV
+EAFNOSUPPORT
+EAGAIN
+EALREADY
+EBADE
+EBADF
+EBADFD
+EBADMSG
+EBADR
+EBADRQC
+EBADSLT
+EBFONT
+EBUSY
+ECANCELED
+ECHILD
+ECHRNG
+ECOMM
+ECONNABORTED
+ECONNREFUSED
+ECONNRESET
+EDEADLK
+EDEADLOCK
+EDESTADDRREQ
+EDOM
+EDOTDOT
+EDQUOT
+EEXIST
+EFAULT
+EFBIG
+EHOSTDOWN
+EHOSTUNREACH
+EHWPOISON
+EIDRM
+EILSEQ
+EINPROGRESS
+EINTR
+EINVAL
+EIO
+EISCONN
+EISDIR
+EISNAM
+EKEYEXPIRED
+EKEYREJECTED
+EKEYREVOKED
+EL2HLT
+EL2NSYNC
+EL3HLT
+EL3RST
+ELIBACC
+ELIBBAD
+ELIBEXEC
+ELIBMAX
+ELIBSCN
+ELNRNG
+ELOOP
+EMEDIUMTYPE
+EMFILE
+EMLINK
+EMSGSIZE
+EMULTIHOP
+ENAMETOOLONG
+ENAVAIL
+ENETDOWN
+ENETRESET
+ENETUNREACH
+ENFILE
+ENOANO
+ENOATTR
+ENOBUFS
+ENOCSI
+ENODATA
+ENODEV
+ENOENT
+ENOEXEC
+ENOKEY
+ENOLCK
+ENOLINK
+ENOMEDIUM
+ENOMEM
+ENOMSG
+ENONET
+ENOPKG
+ENOPROTOOPT
+ENOSPC
+ENOSR
+ENOSTR
+ENOSYS
+ENOTBLK
+ENOTCONN
+ENOTDIR
+ENOTEMPTY
+ENOTNAM
+ENOTRECOVERABLE
+ENOTSOCK
+ENOTSUP
+ENOTTY
+ENOTUNIQ
+ENXIO
+EOPNOTSUPP
+EOVERFLOW
+EOWNERDEAD
+EPERM
+EPFNOSUPPORT
+EPIPE
+EPROTO
+EPROTONOSUPPORT
+EPROTOTYPE
+ERANGE
+EREMCHG
+EREMOTE
+EREMOTEIO
+ERESTART
+ERFKILL
+EROFS
+ESHUTDOWN
+ESOCKTNOSUPPORT
+ESPIPE
+ESRCH
+ESRMNT
+ESTALE
+ESTRPIPE
+ETIME
+ETIMEDOUT
+ETOOMANYREFS
+ETXTBSY
+EUCLEAN
+EUNATCH
+EUSERS
+EWOULDBLOCK
+EXDEV
+EXFULL