shh: 2025.7.13 -> 2025.9.22 (#445216)

authored by

Franz Pletz and committed by
GitHub
e483f4e9 000a3975

+24 -21
+13 -11
pkgs/by-name/sh/shh/fix_run_checks.patch
··· 1 - commit 58bdfa7ef92ba07dc41a07aeef6d790ecd8f888c 2 - Author: kuflierl <41301536+kuflierl@users.noreply.github.com> 3 - Date: Sat May 3 21:02:26 2025 +0200 1 + commit 3052c2c8be6a44aab2d4c5fa0d560a8109c5ed5e 2 + Author: 06kellyjac <dev@j-k.io> 3 + Date: Mon Sep 22 13:17:14 2025 +0100 4 4 5 5 fix(tests): add support for nix-build-system for tests 6 6 7 + Co-authored-by: kuflierl <41301536+kuflierl@users.noreply.github.com> 8 + 7 9 diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs 8 - index e2abbb7..1151592 100644 10 + index 989f378..0629fb5 100644 9 11 --- a/src/systemd/resolver.rs 10 12 +++ b/src/systemd/resolver.rs 11 - @@ -637,17 +637,14 @@ mod tests { 13 + @@ -650,17 +650,14 @@ mod tests { 12 14 let OptionValue::List(opt_list) = &candidates[0].value else { 13 15 panic!(); 14 16 }; ··· 32 34 let actions = vec![ProgramAction::Read("/var/data".into())]; 33 35 let candidates = resolve(&opts, &actions, &hardening_opts); 34 36 diff --git a/tests/options.rs b/tests/options.rs 35 - index 835ee14..a9c9973 100644 37 + index cf20ea0..ab9f389 100644 36 38 --- a/tests/options.rs 37 39 +++ b/tests/options.rs 38 40 
@@ -24,7 +24,7 @@ fn run_true() { ··· 50 52 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 51 53 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 52 54 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 53 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 55 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 54 56 } 55 57 56 58 
@@ -97,7 +97,7 @@ fn run_ls_dev() { ··· 92 94 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 93 95 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 94 96 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 95 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 97 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 96 98 } 97 99 98 100 
@@ -201,7 +201,7 @@ fn run_read_kallsyms() { ··· 110 112 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 111 113 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 112 114 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 113 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 115 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 114 116 } 115 117 116 118 
@@ -344,6 +344,7 @@ fn run_systemctl() { 117 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 119 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 118 120 } 119 121 120 122 +// patched due to nix build isolation ··· 145 147 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 146 148 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 147 149 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 148 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 150 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN 
CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 149 151 } 150 152
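Review bot: The refreshed patch header on the new side (the `commit 3052c2c8…`, `Author:` and `Co-authored-by:` lines at the top of fix_run_checks.patch) still gives no pointer to where this patch originates or whether it has been proposed upstream, so the next version bump has no way to tell whether the nix-isolation adjustment is still required. The hunks visible here touch only test code (`mod tests` in src/systemd/resolver.rs and the `run_*` functions in tests/options.rs), so a one-line provenance note in the patch description such as `Nixpkgs-only: adjusts the SystemCallFilter/CapabilityBoundingSet values the tests expect when run inside the Nix build sandbox; upstream status: <ISSUE-OR-PR-URL placeholder>` would record that the hardening output of the shipped binary is not meant to be altered by this patch; collapsed hunks on this page cannot be checked for that. The expected `CapabilityBoundingSet=~…` context line was refreshed identically (adding `CAP_IPC_LOCK CAP_KILL`) in all four hunks shown, which is consistent across the file, though whether it matches the upstream 2025.9.22 test change cannot be confirmed from this page.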
+11 -10
pkgs/by-name/sh/shh/package.nix
··· 16 16 isNativeDocgen = 17 17 (stdenv.buildPlatform.canExecute stdenv.hostPlatform) && enableDocumentationFeature; 18 18 in 19 - rustPlatform.buildRustPackage rec { 19 + rustPlatform.buildRustPackage (finalAttrs: { 20 20 pname = "shh"; 21 - version = "2025.7.13"; 21 + version = "2025.9.22"; 22 22 23 23 src = fetchFromGitHub { 24 24 owner = "desbma"; 25 25 repo = "shh"; 26 - tag = "v${version}"; 27 - hash = "sha256-mTBA+NPkeGF1sSnXpOz9xBsKDAihRe+TVcBAlvbBQPc="; 26 + tag = "v${finalAttrs.version}"; 27 + hash = "sha256-Esb6IR49YtGWvLmGLtviAyMLjoWZLQka2igC6yKJ3A0="; 28 28 }; 29 29 30 - cargoHash = "sha256-JrtXDercjkPA5WVaq+LyhFmGqMAxQ/sVZQlmtJUTrms="; 30 + cargoHash = "sha256-CB0jhVDR40lZaYqNq43V/af1v3Ph+6Z9swSrrsNgA8k="; 31 31 32 32 patches = [ 33 33 ./fix_run_checks.patch ··· 85 85 86 86 installManPage target/mangen/* 87 87 88 - installShellCompletion --cmd ${pname} \ 89 - target/shellcomplete/${pname}.{bash,fish} \ 90 - --zsh target/shellcomplete/_${pname} 88 + installShellCompletion --cmd ${finalAttrs.pname} \ 89 + target/shellcomplete/${finalAttrs.pname}.{bash,fish} \ 90 + --zsh target/shellcomplete/_${finalAttrs.pname} 91 91 ''; 92 92 93 93 # RUST_BACKTRACE = 1; ··· 99 99 homepage = "https://github.com/desbma/shh"; 100 100 license = lib.licenses.gpl3Only; 101 101 platforms = lib.platforms.linux; 102 - changelog = "https://github.com/desbma/shh/blob/v${version}/CHANGELOG.md"; 102 + changelog = "https://github.com/desbma/shh/blob/v${finalAttrs.version}/CHANGELOG.md"; 103 103 mainProgram = "shh"; 104 104 maintainers = with lib.maintainers; [ 105 105 erdnaxe 106 106 kuflierl 107 + jk 107 108 ]; 108 109 }; 109 - } 110 + })