Releases: desbma/shh
v2025.3.13
v2025.3.12
Changelog
💡 Features
- ProcSubset systemd option (365f76d by desbma)
🐛 Bug fixes
- Non leaf symlinks not being canonicalized (6e90c41 by desbma)
📗 Documentation
- README: Update shh run example output (7ba62e3 by desbma)
- README: Split crates.io installation instructions + minor tweaks (7312ae4 by desbma)
- FAQ: Minor typo fix (9176a6d by desbma)
🧪 Testing
- Add ProcSubset integration test (4ca7a12 by desbma)
🚜 Refactor
- Rename 'cl' integration tests to 'options' (b7e6478 by desbma)
v2025.2.7
Changelog
💡 Features
- Track IPv4 addresses (b4dc2c1 by desbma)
- IpAddressDeny (WIP) (8df9a0c by desbma)
- Improve network activity coverage (d8aa8b5 by desbma)
- Dynamic IpAddressAllow (4928a4c by desbma)
- Reorder options (2f94302 by desbma)
- Greatly simplify SocketBindDeny handling (25c9bf7 by desbma)
- IPv6 support for IPAddressAllow (9dc0376 by desbma)
- Make service reset block (d95f533 by desbma)
- Add option to edit fragment before applying it (a83c7ab by desbma)
📗 Documentation
- FAQ: Fix typos + mention --merge-paths-threshold option (9fc6412 by desbma)
🧪 Testing
🚜 Refactor
- Mark unreachable code paths as such (827e88c by desbma)
- Remove now unneeded CountableSetSpecifier (975a9af by desbma)
- Update panic macro usage (4cc7328 by desbma)
v2025.2.6
Changelog
💡 Features
- Mkdir syscall (f25364d by desbma)
- Track current dir (1d0080b by desbma)
- Use current directory to resolve relative paths (b486593 by desbma)
- Log whole syscall when handling fails (f8402d8 by desbma)
- File system deny all + white list (502ca9d by desbma)
- Filesystem exception whitelist merging (2263ab4 by desbma)
- InaccessiblePaths systemd option (WIP) (aa76500 by desbma)
- InaccessiblePaths dynamic whitelisting + auto merge options (53a3c10 by desbma)
- Handle exec syscalls (31814d2 by desbma)
- Support NoExecPaths systemd option + ExecPath whitelisting (dbf32a4 by desbma)
- Handle PROT_EXEC memory mappings (16345ae by desbma)
- Handle intermediate symlinks in all paths (3015caf by desbma)
- Parse ELF header to get dynamic linker interpreter (6cef0c0 by desbma)
- Parse shebang to handle exec'd scripts (1175415 by desbma)
- Disable XxxPaths options if an exception for / makes them useless (4c97afb by desbma)
- Auto remove .service suffix (1355caf by desbma)
- Check for unsupported unit types (dd09b00 by desbma)
- Losslessly simplify paths lists when length is below threshold (4307ef9 by desbma)
- Prevent InaccessiblePaths/TemporaryFilesystem to be too easily disabled when / is read (WIP) (407876f by desbma)
- Improve & re-enable InaccessiblePaths second option (cdba2f5 by desbma)
- Improve null effect removal (f08380d by desbma)
- Split option effects EmptyPath/RemovePath (5c6814c by desbma)
- TemporaryFileSystem=xxx:ro & BindReadOnlyPaths=yyy support (191fb61 by desbma)
- Go deeper when whitelisting with TemporaryFileSystem (d8b6ac5 by desbma)
- Add systemd option whitelist for testing (1bd3d49 by desbma)
- Prevent duplicate BindPaths/BindReadOnlyPaths exceptions + add tests for InaccessiblePaths (9c952b1 by desbma)
- Log 'systemd-analyze security' "exposure level" (60d6309 by desbma)
- More explicit error reporting (9d79ae3 by desbma)
- Improve markdown option list output (f4f4c88 by desbma)
- Detect another case of nullified option effect (5bd0532 by desbma)
🐛 Bug fixes
- Absolute path computation (702ca50 by desbma)
- Remove TODO obsolete comment (0b20d4b by desbma)
- Test for char device defensively (65e8c74 by desbma)
- Bind on port 0 handling (d81a660 by desbma)
- InaccessiblePaths handling of Create and Exec action whitelisting (a358de9 by desbma)
- Open with O_RDONLY (8014c66 by desbma)
- Don't follow symlinks when resolving paths (de0d459 by desbma)
- Open on symlink path (096fc4f by desbma)
- Reading /dev/kmsg requires CAP_SYSLOG (2df9689 by desbma)
- ProtectKernelLogs=true denies syslog (39e2aa4 by desbma)
- PrivateDevices=true denies mknod and makes /dev noexec (7f5b3d5 by desbma)
- Per option element '-' prefix (cc6fe8a by desbma)
- Passing of network firewalling option (6d1a361 by desbma)
- Bind port 0 (153531e by desbma)
- tests: Dmesg tests depending on system logs (ed7f5cf by desbma)
- Remove option negated by exception on / (023bb61 by desbma)
- Sort paths (e2b75d5 by desbma)
- Ensure paths in PATH env var are accessible (877f62a by desbma)
- Don't make /proc or /run inaccessible (e66e342 by desbma)
- Hide effect not incompatible with Create action (5cce1b1 by desbma)
- Null effect removal inverted test (4c228df by desbma)
- Debian man page names (4136bed by desbma)
🏃 Performance
📗 Documentation
- Add crates.io link & install instructions (8986cfb by desbma)
- Improve description of --network-firewalling and --filesystem-whitelisting options (4f5a867 by desbma)
- Add FAQ (8ab785e by desbma)
- Comment typo (71548b6 by desbma)
- Minor option description improvements (e39c0bc by desbma)
- README: Add shh run examples (defe380 by desbma)
🧪 Testing
- Fix sched_realtime integration test broken with Python 3.13 (4fa9d25 by desbma)
- Add integration tests running systemd-run (b59c63d by desbma)
- systemd-run: Log shh run options (efa12eb by desbma)
- Simplify mmap W+X commands (2c83c5f by desbma)
- Fix passing file via /tmp (b927803 by desbma)
🚜 Refactor
- Simplify OptionValue::List (0e9a7fc by desbma)
- Improve error handling for fd type conversions (db420d3 by desbma)
- Add convenience constructors for PathDescription (f74cf59 by desbma)
🤖 Continuous integration
- Enable systemd-run integration tests ([c3b4d7f](https://github.com/desbma/s...
v2025.1.16
Changelog
💡 Features
- Update options for systemd v257 (2ca1c42 by desbma)
- Add shh version in unit fragment header (81bf6fd by desbma)
🐛 Bug fixes
- strace-parser: Indexed arrays (f3c0c2f by desbma)
📗 Documentation
- Add changelog (01ca7a1 by desbma)
- Add man pages (53ba284 by desbma)
- README: Add portability warning (a9439ae by desbma)
- Update changelog template (e666607 by desbma)
🧪 Testing
- Add mknod integration test (c6284af by desbma-s1n)
- Simplify reference string definitions (6971f54 by desbma)
- Fix integration tests for PrivateTmp=disconnected broken by 2ca1c42 (7a32f7e by desbma)
🚜 Refactor
- Drop peg strace parser (5f1a98c by desbma)
- summary: Split summary into per syscall group functions (83fc818 by desbma)
- Factorize unit fragment header creation (0687e63 by desbma)
🏗 Build
- Release script auto version (6fbca7e by desbma)
- Remove unmaintained prettier pre-commit hook (9c8a960 by desbma)
🧰 Miscellaneous tasks
v2024.11.23
Version 2024.11.23
v2024.6.4
chore: version 2024.6.4
v2024.4.5
chore: version 2024.4.5
v2023.12.16
chore: version 2023.12.16
v2023.12.9
chore: version 2023.12.9