Loading pkgs/by-name/sh/shh/fix_run_checks.patch +6 −128 Original line number Diff line number Diff line commit b13576b678280ebaff56010ceb67b2ca83ddd7e8 commit ec60c5de54b7d8500e02f78d6d8ade1b26bb2876 Author: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Tue Jan 27 12:19:11 2026 +0100 Date: Tue Mar 31 20:39:34 2026 +0200 fix(tests): add support for nix-build-system for tests Co-authored-by: 06kellyjac <dev@j-k.io> diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs index 901ebf3..aa51708 100644 index 729dab7..44939d2 100644 --- a/src/systemd/resolver.rs +++ b/src/systemd/resolver.rs @@ -651,17 +651,14 @@ mod tests { @@ -610,15 +610,12 @@ mod tests { let OptionValue::List(opt_list) = &candidates[0].value else { panic!(); }; - assert!(opt_list.values.contains(&"/boot".to_owned())); + // information gathering + // eprint!("{}\n", &candidates[0].to_string()); assert!(opt_list.values.contains(&"/dev".to_owned())); assert!(opt_list.values.contains(&"/etc".to_owned())); - assert!(opt_list.values.contains(&"/home".to_owned())); Loading @@ -28,124 +24,6 @@ index 901ebf3..aa51708 100644 assert!(opt_list.values.contains(&"/tmp".to_owned())); - assert!(opt_list.values.contains(&"/usr".to_owned())); - assert!(opt_list.values.contains(&"/var".to_owned())); - assert!(!opt_list.values.contains(&"/proc".to_owned())); - assert!(!opt_list.values.contains(&"/run".to_owned())); let actions = vec![ProgramAction::Read("/var/data".into())]; let candidates = resolve(&opts, &actions, &hardening_opts); diff --git a/tests/options.rs b/tests/options.rs index 815b413..00bf21e 100644 --- a/tests/options.rs +++ b/tests/options.rs 
@@ -23,7 +23,7 @@ fn run_true() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -49,7 +49,7 @@ fn run_true() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } 
@@ -94,7 +94,7 @@ fn run_ls_dev() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -126,12 +126,12 @@ fn run_ls_dev() { #[test] fn run_ls_proc() { cargo_bin_cmd!("shh") - .args(["run", "--", "busybox", "ls", "/proc/1/"]) + .args(["run", "--", "ls", "/proc/1/"]) .unwrap() .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -161,7 +161,7 @@ fn run_ls_proc() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) 
@@ -183,7 +183,7 @@ fn run_ls_proc() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } @@ -195,7 +195,7 @@ fn run_read_kallsyms() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) 
@@ -221,7 +221,7 @@ fn run_read_kallsyms() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } @@ -338,6 +338,7 @@ fn run_systemctl() { .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } +// patched due to nix build isolation #[test] fn run_ss() { cargo_bin_cmd!("shh") 
@@ -346,7 +347,7 @@ fn run_ss() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -362,7 +363,6 @@ fn run_ss() { .stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1)) .stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1)) .stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1)) - .stdout(predicate::str::contains("ProtectProc=").not()) .stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1)) .stdout(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK AF_UNIX\n").count(1).or(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK\n").count(1))) .stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1)) 
@@ -372,7 +372,7 @@ fn run_ss() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } assert!(!opt_list.values.contains(&"/proc".to_owned())); assert!(!opt_list.values.contains(&"/run".to_owned())); pkgs/by-name/sh/shh/package.nix +10 −33 Original line number Diff line number Diff line Loading @@ -4,10 +4,8 @@ fetchFromGitHub, nix-update-script, installShellFiles, python3, strace, systemd, iproute2, stdenv, enableDocumentationFeature ? true, enableDocumentationGeneration ? true, Loading 
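Review bot: The resolver.rs hunk that survives in the new patch leaves a commented-out debugging line behind — `+ // information gathering` / `+ // eprint!("{}\n", &candidates[0].to_string());` — and drops the `/boot` and `/home` membership assertions without recording why the Nix sandbox makes them fail. Since the rendering lost the outer `+`/`-` markers, which of the inner patch lines are new is inferred from the changed hunk header (`@@ -651,17 +651,14 @@` becoming `@@ -610,15 +610,12 @@`) and from the +6 −128 diffstat, so treat the exact line set as approximate. A distro patch that weakens a test of the hardening resolver's candidate path list should carry the reason in the patch itself; I would replace the two comment lines with something like `// not asserted here: /boot and /home are absent in the Nix build sandbox — see package.nix` (adjust if the cause is different). Dropping the `eprint!` remnant also keeps the patch minimal and easier to rebase on the next upstream release.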
@@ -18,16 +16,16 @@ let in rustPlatform.buildRustPackage (finalAttrs: { pname = "shh"; version = "2026.1.27"; version = "2026.3.8"; src = fetchFromGitHub { owner = "desbma"; repo = "shh"; tag = "v${finalAttrs.version}"; hash = "sha256-RGxxpAr8E2KriwheWXcsxRRBhZST27Xp6LSdgzxsuUM="; hash = "sha256-PWbPyhn103eLHelhf+m1iIIaKDCooiIRMzrn9xPTzoA="; }; cargoHash = "sha256-GjUu7QDLMs/E4l3tjMBqmfoGkdQJMzdM/Ovg04pIctU="; cargoHash = "sha256-zE4qRXrQHqppTmZ9rHeqt4mvMgoRIzX73/CPf4IRgYo="; patches = [ ./fix_run_checks.patch Loading @@ -35,35 +33,16 @@ rustPlatform.buildRustPackage (finalAttrs: { env = { SHH_STRACE_BIN_PATH = lib.getExe strace; # RUST_BACKTRACE = 1; }; buildFeatures = lib.optional enableDocumentationFeature "generate-extra"; checkFlags = [ # no access to system modules in build env "--skip=run_ls_modules" # missing systemd daemon in build env "--skip=run_systemctl" # no raw socket cap in nix build "--skip=run_ping_4" "--skip=run_ping_6" ]; buildInputs = [ strace systemd ]; buildFeatures = lib.optional enableDocumentationFeature "generate-extras"; nativeBuildInputs = [ installShellFiles systemd strace ]; nativeCheckInputs = [ python3 iproute2 ]; ] ++ (lib.optional (!isNativeDocgen) strace); # todo elvish postInstall = lib.optionalString enableDocumentationGeneration '' Loading @@ -73,13 +52,13 @@ rustPlatform.buildRustPackage (finalAttrs: { if isNativeDocgen then '' $out/bin/shh gen-man-pages target/mangen $out/bin/shh gen-shell-complete target/shellcomplete $out/bin/shh gen-shell-completions target/shellcomplete '' else '' unset SHH_STRACE_BIN_PATH cargo run --features generate-extra -- gen-man-pages target/mangen cargo run --features generate-extra -- gen-shell-complete target/shellcomplete cargo run --features generate-extras -- gen-man-pages target/mangen cargo run --features generate-extras -- gen-shell-completions target/shellcomplete '' } Loading 
@@ -90,8 +69,6 @@ rustPlatform.buildRustPackage (finalAttrs: { --zsh target/shellcomplete/_${finalAttrs.meta.mainProgram} ''; # RUST_BACKTRACE = 1; passthru.updateScript = nix-update-script { }; meta = { Loading Loading
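Review bot: The new `nativeBuildInputs = [ installShellFiles ] ++ (lib.optional (!isNativeDocgen) strace);` arrives together with the removal of the `checkFlags` `--skip=` list (`run_ls_modules`, `run_systemctl`, `run_ping_4`, `run_ping_6`) and of `nativeCheckInputs = [ python3 iproute2 ];`, but nothing in the hunk shows whether the check phase still runs; old/new attribution here is inferred from the hunk's 35→16 line counts, as the rendering dropped the markers. If tests still run, the cases that were skipped for lack of a systemd daemon and raw-socket capability in the sandbox now run unconditionally and `run_ss` loses `iproute2` from the check environment; if `doCheck` was disabled outside this hunk, the `./fix_run_checks.patch` the derivation still applies is no longer exercised and should be dropped. I would either restore the `--skip=` entries for the tests that cannot pass in the sandbox or add a comment next to `patches = [ ./fix_run_checks.patch` stating which tests are expected to run in the Nix sandbox and why the skip list is no longer needed. The stray `# todo elvish` line is also left without an owner or issue reference.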
pkgs/by-name/sh/shh/fix_run_checks.patch +6 −128 Original line number Diff line number Diff line commit b13576b678280ebaff56010ceb67b2ca83ddd7e8 commit ec60c5de54b7d8500e02f78d6d8ade1b26bb2876 Author: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Tue Jan 27 12:19:11 2026 +0100 Date: Tue Mar 31 20:39:34 2026 +0200 fix(tests): add support for nix-build-system for tests Co-authored-by: 06kellyjac <dev@j-k.io> diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs index 901ebf3..aa51708 100644 index 729dab7..44939d2 100644 --- a/src/systemd/resolver.rs +++ b/src/systemd/resolver.rs @@ -651,17 +651,14 @@ mod tests { @@ -610,15 +610,12 @@ mod tests { let OptionValue::List(opt_list) = &candidates[0].value else { panic!(); }; - assert!(opt_list.values.contains(&"/boot".to_owned())); + // information gathering + // eprint!("{}\n", &candidates[0].to_string()); assert!(opt_list.values.contains(&"/dev".to_owned())); assert!(opt_list.values.contains(&"/etc".to_owned())); - assert!(opt_list.values.contains(&"/home".to_owned())); Loading @@ -28,124 +24,6 @@ index 901ebf3..aa51708 100644 assert!(opt_list.values.contains(&"/tmp".to_owned())); - assert!(opt_list.values.contains(&"/usr".to_owned())); - assert!(opt_list.values.contains(&"/var".to_owned())); - assert!(!opt_list.values.contains(&"/proc".to_owned())); - assert!(!opt_list.values.contains(&"/run".to_owned())); let actions = vec![ProgramAction::Read("/var/data".into())]; let candidates = resolve(&opts, &actions, &hardening_opts); diff --git a/tests/options.rs b/tests/options.rs index 815b413..00bf21e 100644 --- a/tests/options.rs +++ b/tests/options.rs 
@@ -23,7 +23,7 @@ fn run_true() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if Uid::effective().is_root() || !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -49,7 +49,7 @@ fn run_true() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } 
@@ -94,7 +94,7 @@ fn run_ls_dev() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -126,12 +126,12 @@ fn run_ls_dev() { #[test] fn run_ls_proc() { cargo_bin_cmd!("shh") - .args(["run", "--", "busybox", "ls", "/proc/1/"]) + .args(["run", "--", "ls", "/proc/1/"]) .unwrap() .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -161,7 +161,7 @@ fn run_ls_proc() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) 
@@ -183,7 +183,7 @@ fn run_ls_proc() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } @@ -195,7 +195,7 @@ fn run_read_kallsyms() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) 
@@ -221,7 +221,7 @@ fn run_read_kallsyms() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } @@ -338,6 +338,7 @@ fn run_systemctl() { .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } +// patched due to nix build isolation #[test] fn run_ss() { cargo_bin_cmd!("shh") 
@@ -346,7 +347,7 @@ fn run_ss() { .assert() .success() .stdout(predicate::str::contains("ProtectSystem=strict\n").count(1)) - .stdout(if Uid::effective().is_root() { + .stdout(if !env::current_exe().unwrap().starts_with("/home") { BoxPredicate::new(predicate::str::contains("ProtectHome=true\n").count(1)) } else { BoxPredicate::new(predicate::str::contains("ProtectHome=").not()) @@ -362,7 +363,6 @@ fn run_ss() { .stdout(predicate::str::contains("ProtectKernelModules=true\n").count(1)) .stdout(predicate::str::contains("ProtectKernelLogs=true\n").count(1)) .stdout(predicate::str::contains("ProtectControlGroups=true\n").count(1)) - .stdout(predicate::str::contains("ProtectProc=").not()) .stdout(predicate::str::contains("MemoryDenyWriteExecute=true\n").count(1)) .stdout(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK AF_UNIX\n").count(1).or(predicate::str::contains("RestrictAddressFamilies=AF_NETLINK\n").count(1))) .stdout(predicate::str::contains("SocketBindDeny=ipv4:tcp\n").count(1)) 
@@ -372,7 +372,7 @@ fn run_ss() { .stdout(predicate::str::contains("LockPersonality=true\n").count(1)) .stdout(predicate::str::contains("RestrictRealtime=true\n").count(1)) .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); } assert!(!opt_list.values.contains(&"/proc".to_owned())); assert!(!opt_list.values.contains(&"/run".to_owned()));
pkgs/by-name/sh/shh/package.nix +10 −33 Original line number Diff line number Diff line Loading @@ -4,10 +4,8 @@ fetchFromGitHub, nix-update-script, installShellFiles, python3, strace, systemd, iproute2, stdenv, enableDocumentationFeature ? true, enableDocumentationGeneration ? true, Loading @@ -18,16 +16,16 @@ let in rustPlatform.buildRustPackage (finalAttrs: { pname = "shh"; version = "2026.1.27"; version = "2026.3.8"; src = fetchFromGitHub { owner = "desbma"; repo = "shh"; tag = "v${finalAttrs.version}"; hash = "sha256-RGxxpAr8E2KriwheWXcsxRRBhZST27Xp6LSdgzxsuUM="; hash = "sha256-PWbPyhn103eLHelhf+m1iIIaKDCooiIRMzrn9xPTzoA="; }; cargoHash = "sha256-GjUu7QDLMs/E4l3tjMBqmfoGkdQJMzdM/Ovg04pIctU="; cargoHash = "sha256-zE4qRXrQHqppTmZ9rHeqt4mvMgoRIzX73/CPf4IRgYo="; patches = [ ./fix_run_checks.patch Loading @@ -35,35 +33,16 @@ rustPlatform.buildRustPackage (finalAttrs: { env = { SHH_STRACE_BIN_PATH = lib.getExe strace; # RUST_BACKTRACE = 1; }; buildFeatures = lib.optional enableDocumentationFeature "generate-extra"; checkFlags = [ # no access to system modules in build env "--skip=run_ls_modules" # missing systemd daemon in build env "--skip=run_systemctl" # no raw socket cap in nix build "--skip=run_ping_4" "--skip=run_ping_6" ]; buildInputs = [ strace systemd ]; buildFeatures = lib.optional enableDocumentationFeature "generate-extras"; nativeBuildInputs = [ installShellFiles systemd strace ]; nativeCheckInputs = [ python3 iproute2 ]; ] ++ (lib.optional (!isNativeDocgen) strace); # todo elvish postInstall = lib.optionalString enableDocumentationGeneration '' Loading 
@@ -73,13 +52,13 @@ rustPlatform.buildRustPackage (finalAttrs: { if isNativeDocgen then '' $out/bin/shh gen-man-pages target/mangen $out/bin/shh gen-shell-complete target/shellcomplete $out/bin/shh gen-shell-completions target/shellcomplete '' else '' unset SHH_STRACE_BIN_PATH cargo run --features generate-extra -- gen-man-pages target/mangen cargo run --features generate-extra -- gen-shell-complete target/shellcomplete cargo run --features generate-extras -- gen-man-pages target/mangen cargo run --features generate-extras -- gen-shell-completions target/shellcomplete '' } Loading @@ -90,8 +69,6 @@ rustPlatform.buildRustPackage (finalAttrs: { --zsh target/shellcomplete/_${finalAttrs.meta.mainProgram} ''; # RUST_BACKTRACE = 1; passthru.updateScript = nix-update-script { }; meta = { Loading