commit e483f4e91ccecb11d1167e6ac0075b5941fbe85a

pyrox.dev / nixpkgs

lol

fork atom

shh: 2025.7.13 -> 2025.9.22 (#445216)

authored by

Franz Pletz and committed by

GitHub 4 months ago e483f4e9 000a3975

+24 -21

2 changed files

expand all

unified split

pkgs

by-name

shh

fix_run_checks.patch

package.nix

+13 -11

pkgs/by-name/sh/shh/fix_run_checks.patch

··· 1 - commit 58bdfa7ef92ba07dc41a07aeef6d790ecd8f888c 2 - Author: kuflierl <41301536+kuflierl@users.noreply.github.com> 3 - Date: Sat May 3 21:02:26 2025 +0200 4 5 fix(tests): add support for nix-build-system for tests 6 7 diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs 8 - index e2abbb7..1151592 100644 9 --- a/src/systemd/resolver.rs 10 +++ b/src/systemd/resolver.rs 11 - @@ -637,17 +637,14 @@ mod tests { 12 let OptionValue::List(opt_list) = &candidates[0].value else { 13 panic!(); 14 }; ··· 32 let actions = vec![ProgramAction::Read("/var/data".into())]; 33 let candidates = resolve(&opts, &actions, &hardening_opts); 34 diff --git a/tests/options.rs b/tests/options.rs 35 - index 835ee14..a9c9973 100644 36 --- a/tests/options.rs 37 +++ b/tests/options.rs 38 @@ -24,7 +24,7 @@ fn run_true() { ··· 50 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 51 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 52 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 53 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 54 } 55 56 @@ -97,7 +97,7 @@ fn run_ls_dev() { ··· 92 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 93 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 94 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 95 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 96 } 97 98 @@ -201,7 +201,7 @@ fn run_read_kallsyms() { ··· 110 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 111 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 112 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 113 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 114 } 115 116 @@ -344,6 +344,7 @@ fn run_systemctl() { 117 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 118 } 119 120 +// patched due to nix build isolation ··· 145 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 146 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 147 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 148 - .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 149 } 150

··· 1 + commit 3052c2c8be6a44aab2d4c5fa0d560a8109c5ed5e 2 + Author: 06kellyjac <dev@j-k.io> 3 + Date: Mon Sep 22 13:17:14 2025 +0100 4 5 fix(tests): add support for nix-build-system for tests 6 7 + Co-authored-by: kuflierl <41301536+kuflierl@users.noreply.github.com> 8 + 9 diff --git a/src/systemd/resolver.rs b/src/systemd/resolver.rs 10 + index 989f378..0629fb5 100644 11 --- a/src/systemd/resolver.rs 12 +++ b/src/systemd/resolver.rs 13 + @@ -650,17 +650,14 @@ mod tests { 14 let OptionValue::List(opt_list) = &candidates[0].value else { 15 panic!(); 16 }; ··· 34 let actions = vec![ProgramAction::Read("/var/data".into())]; 35 let candidates = resolve(&opts, &actions, &hardening_opts); 36 diff --git a/tests/options.rs b/tests/options.rs 37 + index cf20ea0..ab9f389 100644 38 --- a/tests/options.rs 39 +++ b/tests/options.rs 40 @@ -24,7 +24,7 @@ fn run_true() { ··· 52 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 53 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 54 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 55 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 56 } 57 58 @@ -97,7 +97,7 @@ fn run_ls_dev() { ··· 94 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 95 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 96 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 97 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 98 } 99 100 @@ -201,7 +201,7 @@ fn run_read_kallsyms() { ··· 112 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 113 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 114 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @network-io:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 115 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 116 } 117 118 @@ -344,6 +344,7 @@ fn run_systemctl() { 119 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 120 } 121 122 +// patched due to nix build isolation ··· 147 .stdout(predicate::str::contains("ProtectClock=true\n").count(1)) 148 - .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 149 + .stdout(predicate::str::contains("SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @io-event:EPERM @ipc:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @privileged:EPERM @process:EPERM @raw-io:EPERM @reboot:EPERM @resources:EPERM @sandbox:EPERM @setuid:EPERM @signal:EPERM @swap:EPERM @sync:EPERM @timer:EPERM\n").count(1)) 150 + .stdout(predicate::str::contains("CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_BPF CAP_CHOWN CAP_IPC_LOCK CAP_KILL CAP_MKNOD CAP_NET_RAW CAP_PERFMON CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_SYSLOG CAP_WAKE_ALARM\n").count(1)); 151 } 152

+11 -10

pkgs/by-name/sh/shh/package.nix

··· 16 isNativeDocgen = 17 (stdenv.buildPlatform.canExecute stdenv.hostPlatform) && enableDocumentationFeature; 18 in 19 - rustPlatform.buildRustPackage rec { 20 pname = "shh"; 21 - version = "2025.7.13"; 22 23 src = fetchFromGitHub { 24 owner = "desbma"; 25 repo = "shh"; 26 - tag = "v${version}"; 27 - hash = "sha256-mTBA+NPkeGF1sSnXpOz9xBsKDAihRe+TVcBAlvbBQPc="; 28 }; 29 30 - cargoHash = "sha256-JrtXDercjkPA5WVaq+LyhFmGqMAxQ/sVZQlmtJUTrms="; 31 32 patches = [ 33 ./fix_run_checks.patch ··· 85 86 installManPage target/mangen/* 87 88 - installShellCompletion --cmd ${pname} \ 89 - target/shellcomplete/${pname}.{bash,fish} \ 90 - --zsh target/shellcomplete/_${pname} 91 ''; 92 93 # RUST_BACKTRACE = 1; ··· 99 homepage = "https://github.com/desbma/shh"; 100 license = lib.licenses.gpl3Only; 101 platforms = lib.platforms.linux; 102 - changelog = "https://github.com/desbma/shh/blob/v${version}/CHANGELOG.md"; 103 mainProgram = "shh"; 104 maintainers = with lib.maintainers; [ 105 erdnaxe 106 kuflierl 107 ]; 108 }; 109 - }

··· 16 isNativeDocgen = 17 (stdenv.buildPlatform.canExecute stdenv.hostPlatform) && enableDocumentationFeature; 18 in 19 + rustPlatform.buildRustPackage (finalAttrs: { 20 pname = "shh"; 21 + version = "2025.9.22"; 22 23 src = fetchFromGitHub { 24 owner = "desbma"; 25 repo = "shh"; 26 + tag = "v${finalAttrs.version}"; 27 + hash = "sha256-Esb6IR49YtGWvLmGLtviAyMLjoWZLQka2igC6yKJ3A0="; 28 }; 29 30 + cargoHash = "sha256-CB0jhVDR40lZaYqNq43V/af1v3Ph+6Z9swSrrsNgA8k="; 31 32 patches = [ 33 ./fix_run_checks.patch ··· 85 86 installManPage target/mangen/* 87 88 + installShellCompletion --cmd ${finalAttrs.pname} \ 89 + target/shellcomplete/${finalAttrs.pname}.{bash,fish} \ 90 + --zsh target/shellcomplete/_${finalAttrs.pname} 91 ''; 92 93 # RUST_BACKTRACE = 1; ··· 99 homepage = "https://github.com/desbma/shh"; 100 license = lib.licenses.gpl3Only; 101 platforms = lib.platforms.linux; 102 + changelog = "https://github.com/desbma/shh/blob/v${finalAttrs.version}/CHANGELOG.md"; 103 mainProgram = "shh"; 104 maintainers = with lib.maintainers; [ 105 erdnaxe 106 kuflierl 107 + jk 108 ]; 109 }; 110 + })