Unverified Commit 81d2f116 authored by kuflierl's avatar kuflierl

shh: 2026.1.27 -> 2026.3.8

parent 90c93f32
+6 −128
commit b13576b678280ebaff56010ceb67b2ca83ddd7e8
commit ec60c5de54b7d8500e02f78d6d8ade1b26bb2876
Author: kuflierl <41301536+kuflierl@users.noreply.github.com>
Date:   Tue Jan 27 12:19:11 2026 +0100
Date:   Tue Mar 31 20:39:34 2026 +0200

    fix(tests): add support for nix-build-system for tests

    Co-authored-by: 06kellyjac <dev@j-k.io>

diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs
index 901ebf3..aa51708 100644
index 729dab7..44939d2 100644
--- a/src/systemd/resolver.rs
+++ b/src/systemd/resolver.rs
@@ -651,17 +651,14 @@ mod tests {
@@ -610,15 +610,12 @@ mod tests {
         let OptionValue::List(opt_list) = &candidates[0].value else {
             panic!();
         };
-        assert!(opt_list.values.contains(&"/boot".to_owned()));
+        // information gathering
+        // eprint!("{}\n", &candidates[0].to_string());
         assert!(opt_list.values.contains(&"/dev".to_owned()));
         assert!(opt_list.values.contains(&"/etc".to_owned()));
-        assert!(opt_list.values.contains(&"/home".to_owned()));
@@ -28,124 +24,6 @@ index 901ebf3..aa51708 100644
         assert!(opt_list.values.contains(&"/tmp".to_owned()));
-        assert!(opt_list.values.contains(&"/usr".to_owned()));
-        assert!(opt_list.values.contains(&"/var".to_owned()));
-        assert!(!opt_list.values.contains(&"/proc".to_owned()));
-        assert!(!opt_list.values.contains(&"/run".to_owned()));
 
         let actions = vec![ProgramAction::Read("/var/data".into())];
         let candidates = resolve(&opts, &actions, &hardening_opts);
diff --git a/tests/options.rs b/tests/options.rs
index 815b413..00bf21e 100644
--- a/tests/options.rs
+++ b/tests/options.rs
@@ -23,7 +23,7 @@ fn run_true() {
         .assert()
         .success()
         .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
-        .stdout(if Uid::effective().is_root() {
+        .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") {
             BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
         } else {
             BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
@@ -49,7 +49,7 @@ fn run_true() {
         .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
         .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
         .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
-        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
+        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
         .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
 }
 
@@ -94,7 +94,7 @@ fn run_ls_dev() {
         .assert()
         .success()
         .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
-        .stdout(if Uid::effective().is_root() {
+        .stdout(if !env::current_exe().unwrap().starts_with("/home") {
             BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
         } else {
             BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
@@ -126,12 +126,12 @@ fn run_ls_dev() {
 #[test]
 fn run_ls_proc() {
     cargo_bin_cmd!("shh")
-        .args(["run", "--", "busybox", "ls", "/proc/1/"])
+        .args(["run", "--", "ls", "/proc/1/"])
         .unwrap()
         .assert()
         .success()
         .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
-        .stdout(if Uid::effective().is_root() {
+        .stdout(if !env::current_exe().unwrap().starts_with("/home") {
             BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
         } else {
             BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
@@ -161,7 +161,7 @@ fn run_ls_proc() {
         .assert()
         .success()
         .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
-        .stdout(if Uid::effective().is_root() {
+        .stdout(if !env::current_exe().unwrap().starts_with("/home") {
             BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
         } else {
             BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
@@ -183,7 +183,7 @@ fn run_ls_proc() {
         .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
         .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
         .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
-        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
+        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
         .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
 }
 
@@ -195,7 +195,7 @@ fn run_read_kallsyms() {
         .assert()
         .success()
         .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
-        .stdout(if Uid::effective().is_root() {
+        .stdout(if !env::current_exe().unwrap().starts_with("/home") {
             BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
         } else {
             BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
@@ -221,7 +221,7 @@ fn run_read_kallsyms() {
         .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
         .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
         .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
-        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
+        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
         .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
 }
 
@@ -338,6 +338,7 @@ fn run_systemctl() {
         .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
 }
 
+// patched due to nix build isolation
 #[test]
 fn run_ss() {
     cargo_bin_cmd!("shh")
@@ -346,7 +347,7 @@ fn run_ss() {
         .assert()
         .success()
         .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1))
-        .stdout(if Uid::effective().is_root() {
+        .stdout(if !env::current_exe().unwrap().starts_with("/home") {
             BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1))
         } else {
             BoxPredicate::new(predicate::str::contains("ProtectHome=").not())
@@ -362,7 +363,6 @@ fn run_ss() {
         .stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1))
         .stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1))
         .stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1))
-        .stdout(predicate::str::contains("ProtectProc=").not())
         .stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1))
         .stdout(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK AF_UNIX\n").count(1).or(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK\n").count(1)))
         .stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1))
@@ -372,7 +372,7 @@ fn run_ss() {
         .stdout(predicate::str::contains("LockPersonality=true\n").count(1))
         .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1))
         .stdout(predicate::str::contains("ProtectClock=true\n").count(1))
-        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
+        .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1))
         .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1));
 }
         assert!(!opt_list.values.contains(&"/proc".to_owned()));
         assert!(!opt_list.values.contains(&"/run".to_owned()));
 
+10 −33
@@ -4,10 +4,8 @@
  fetchFromGitHub,
  nix-update-script,
  installShellFiles,
  python3,
  strace,
  systemd,
  iproute2,
  stdenv,
  enableDocumentationFeature ? true,
  enableDocumentationGeneration ? true,
@@ -18,16 +16,16 @@ let
in
rustPlatform.buildRustPackage (finalAttrs: {
  pname = "shh";
  version = "2026.1.27";
  version = "2026.3.8";

  src = fetchFromGitHub {
    owner = "desbma";
    repo = "shh";
    tag = "v${finalAttrs.version}";
    hash = "sha256-RGxxpAr8E2KriwheWXcsxRRBhZST27Xp6LSdgzxsuUM=";
    hash = "sha256-PWbPyhn103eLHelhf+m1iIIaKDCooiIRMzrn9xPTzoA=";
  };

  cargoHash = "sha256-GjUu7QDLMs/E4l3tjMBqmfoGkdQJMzdM/Ovg04pIctU=";
  cargoHash = "sha256-zE4qRXrQHqppTmZ9rHeqt4mvMgoRIzX73/CPf4IRgYo=";

  patches = [
    ./fix_run_checks.patch
@@ -35,35 +33,16 @@ rustPlatform.buildRustPackage (finalAttrs: {

  env = {
    SHH_STRACE_BIN_PATH = lib.getExe strace;
    # RUST_BACKTRACE = 1;
  };

  buildFeatures = lib.optional enableDocumentationFeature "generate-extra";

  checkFlags = [
    # no access to system modules in build env
    "--skip=run_ls_modules"
    # missing systemd daemon in build env
    "--skip=run_systemctl"
    # no raw socket cap in nix build
    "--skip=run_ping_4"
    "--skip=run_ping_6"
  ];

  buildInputs = [
    strace
    systemd
  ];
  buildFeatures = lib.optional enableDocumentationFeature "generate-extras";

  nativeBuildInputs = [
    installShellFiles
    systemd
    strace
  ];

  nativeCheckInputs = [
    python3
    iproute2
  ];
  ]
  ++ (lib.optional (!isNativeDocgen) strace);

  # todo elvish
  postInstall = lib.optionalString enableDocumentationGeneration ''
@@ -73,13 +52,13 @@ rustPlatform.buildRustPackage (finalAttrs: {
      if isNativeDocgen then
        ''
          $out/bin/shh gen-man-pages target/mangen
          $out/bin/shh gen-shell-complete target/shellcomplete
          $out/bin/shh gen-shell-completions target/shellcomplete
        ''
      else
        ''
          unset SHH_STRACE_BIN_PATH
          cargo run --features generate-extra -- gen-man-pages target/mangen
          cargo run --features generate-extra -- gen-shell-complete target/shellcomplete
          cargo run --features generate-extras -- gen-man-pages target/mangen
          cargo run --features generate-extras -- gen-shell-completions target/shellcomplete
        ''
    }

@@ -90,8 +69,6 @@ rustPlatform.buildRustPackage (finalAttrs: {
      --zsh target/shellcomplete/_${finalAttrs.meta.mainProgram}
  '';

  # RUST_BACKTRACE = 1;

  passthru.updateScript = nix-update-script { };

  meta = {
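Review bot: The `./fix_run_checks.patch` entry in `patches` carries no comment saying what the patch relaxes or when it can be dropped, and the patch header reads like a proposed upstream commit (`fix(tests): add support for nix-build-system for tests`, co-authored); add the upstream reference above it, e.g. `# relaxes test expectations that assume /boot and /home exist; drop once merged upstream`. Beyond the hash bumps this commit also renames the feature flag (`generate-extra` → `generate-extras`) and the subcommand (`gen-shell-complete` → `gen-shell-completions`) and, as far as the rendered view shows, removes the `checkFlags` skips for `run_ls_modules`, `run_systemctl` and the `run_ping_*` tests; if the new upstream release skips those itself, a comment saying so would keep them from being re-added, and if it does not, the check phase will now run tests that need a systemd daemon and raw-socket capability inside the sandbox. The `unset SHH_STRACE_BIN_PATH` in `postInstall` only makes sense if the `env.SHH_STRACE_BIN_PATH = lib.getExe strace` setting survives on the new side; if that block was removed, the `unset` is dead and should go with it.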