Releases: desbma/shh

v2025.7.13

13 Jul 20:47

Changelog

💡 Features

  • Try to use RUNTIME_DIRECTORY first for strace pipe location (8f3ce35 by desbma)
  • Consider errored syscalls to catch cases like EINPROGRESS (3e8e4ad by desbma)
  • Identify more successful syscalls returning -1 (1d971d4 by desbma)

📗 Documentation

  • README: Mention nixpkgs repo (53f37ce by kuflierl)

🧰 Miscellaneous tasks

  • Ignore verbose clippy lints (2e96cb3 by desbma)
  • Update .gitignore (e741484 by desbma)
  • Update dependencies (5a398fa by desbma)
  • Update clippy template (ee68b02 by desbma)

v2025.6.5

05 Jun 07:56

Changelog

🐛 Bug fixes

  • Support kernels without /proc/sys/kernel/unprivileged_userns_clone (f103b06 by desbma)

🏗 Build

  • Fix empty commit created by release script when using jujutsu (4c3e73e by desbma)

v2025.6.4

04 Jun 14:07

Changelog

💡 Features

  • Static strace path support at compile time (da62cee by kuflierl)
  • Add support for shell auto-complete generation with clap_complete (74914dc by kuflierl)
  • Initial experimental support for systemd user instances (8114943 by desbma)
  • Improve timeout logic when waiting for profiling result (2b0e5ec by desbma)
  • strace: Parse mac addresses (8da117a by desbma)
  • strace: Handle in/out struct members (40354fa by desbma)
  • strace: Array index subtraction & comments (b66f934 by desbma)
  • strace: Output macro expressions (b7b2d8b by desbma)
  • Remove duplicate options (eb1b51b by desbma)
  • strace: More debugging macros (cec9289 by desbma)
  • Support jujutsu in release script (00a5f8e by desbma)

🐛 Bug fixes

  • Use journalctl cursors and a retry loop to fix unreliability/fuzziness (c91a967 by desbma)
  • Improve journald cursor handling logic (ce02c5c by desbma)
  • Only set NotifyAccess=all in profiling fragment for notify services (815d0cb by desbma)

🏃 Performance

  • Box some large enum members (57c91bb by desbma)

🧪 Testing

  • Update for user instance (06dacaf by desbma)

🚜 Refactor

  • Man page generation command (849b9a6 by desbma)
  • strace: Macro as integer expression (9bb8c28 by desbma)
  • NamedConst -> NamedSymbol (4dcebed by desbma)
  • strace: Remove unused buffer format handling (ad8866a by desbma)

🧰 Miscellaneous tasks

  • Fix rust 1.87 clippy::unnecessary_debug_formatting spam (3ce85c4 by desbma)

v2025.4.12

12 Apr 14:15

Changelog

💡 Features

  • Model disabled mount propagation to host (70637d4 by desbma)
  • Support PrivateMounts systemd option (ca293da by desbma)

🐛 Bug fixes

  • Handle namespace pseudo files (6f75bd9 by desbma)

🧪 Testing

  • Add netns systemd-run test (7162280 by desbma)
  • options: Remove checks of options that vary too much between environments (1f18b17 by desbma)

🏗 Build

  • Generate systemd syscall classes at build time from systemd-analyze output (c52a860 by desbma)

🧰 Miscellaneous tasks

  • Update dependencies (70d2142 by desbma)
  • Update lints, update to 2024 edition (a625d11 by desbma)

v2025.3.13

12 Mar 11:41

Changelog

🧰 Miscellaneous tasks


v2025.3.12

12 Mar 11:36

Changelog

💡 Features

  • ProcSubset systemd option (365f76d by desbma)

🐛 Bug fixes

  • Non leaf symlinks not being canonicalized (6e90c41 by desbma)

📗 Documentation

  • README: Update shh run example output (7ba62e3 by desbma)
  • README: Split crates.io installation instructions + minor tweaks (7312ae4 by desbma)
  • FAQ: Minor typo fix (9176a6d by desbma)

🧪 Testing

  • Add ProcSubset integration test (4ca7a12 by desbma)

🚜 Refactor

  • Rename 'cl' integration tests to 'options' (b7e6478 by desbma)

v2025.2.7

07 Feb 22:26

Changelog

💡 Features

  • Track IPv4 addresses (b4dc2c1 by desbma)
  • IpAddressDeny (WIP) (8df9a0c by desbma)
  • Improve network activity coverage (d8aa8b5 by desbma)
  • Dynamic IpAddressAllow (4928a4c by desbma)
  • Reorder options (2f94302 by desbma)
  • Greatly simplify SocketBindDeny handling (25c9bf7 by desbma)
  • IPv6 support for IPAddressAllow (9dc0376 by desbma)
  • Make service reset block (d95f533 by desbma)
  • Add option to edit fragment before applying it (a83c7ab by desbma)

📗 Documentation

  • FAQ: Fix typos + mention --merge-paths-threshold option (9fc6412 by desbma)

🧪 Testing

  • systemd-run: Add curl test (8cecf59 by desbma)
  • Add ping IPv4 & IPv6 tests (2c96a3f by desbma)

🚜 Refactor

  • Mark unreachable code paths as such (827e88c by desbma)
  • Remove now unneeded CountableSetSpecifier (975a9af by desbma)
  • Update panic macro usage (4cc7328 by desbma)

v2025.2.6

06 Feb 16:59

Changelog

💡 Features

  • Mkdir syscall (f25364d by desbma)
  • Track current dir (1d0080b by desbma)
  • Use current directory to resolve relative paths (b486593 by desbma)
  • Log whole syscall when handling fails (f8402d8 by desbma)
  • File system deny all + white list (502ca9d by desbma)
  • Filesystem exception whitelist merging (2263ab4 by desbma)
  • InaccessiblePaths systemd option (WIP) (aa76500 by desbma)
  • InaccessiblePaths dynamic whitelisting + auto merge options (53a3c10 by desbma)
  • Handle exec syscalls (31814d2 by desbma)
  • Support NoExecPaths systemd option + ExecPath whitelisting (dbf32a4 by desbma)
  • Handle PROT_EXEC memory mappings (16345ae by desbma)
  • Handle intermediate symlinks in all paths (3015caf by desbma)
  • Parse ELF header to get dynamic linker interpreter (6cef0c0 by desbma)
  • Parse shebang to handle exec'd scripts (1175415 by desbma)
  • Disable XxxPaths options if an exception for / makes them useless (4c97afb by desbma)
  • Auto remove .service suffix (1355caf by desbma)
  • Check for unsupported unit types (dd09b00 by desbma)
  • Losslessly simplify paths lists when length is below threshold (4307ef9 by desbma)
  • Prevent InaccessiblePaths/TemporaryFilesystem to be too easily disabled when / is read (WIP) (407876f by desbma)
  • Improve & re-enable InaccessiblePaths second option (cdba2f5 by desbma)
  • Improve null effect removal (f08380d by desbma)
  • Split option effects EmptyPath/RemovePath (5c6814c by desbma)
  • TemporaryFileSystem=xxx:ro & BindReadOnlyPaths=yyy support (191fb61 by desbma)
  • Go deeper when whitelisting with TemporaryFileSystem (d8b6ac5 by desbma)
  • Add systemd option whitelist for testing (1bd3d49 by desbma)
  • Prevent duplicate BindPaths/BindReadOnlyPaths exceptions + add tests for InaccessiblePaths (9c952b1 by desbma)
  • Log 'systemd-analyze security' "exposure level" (60d6309 by desbma)
  • More explicit error reporting (9d79ae3 by desbma)
  • Improve markdown option list output (f4f4c88 by desbma)
  • Detect another case of nullified option effect (5bd0532 by desbma)

🐛 Bug fixes

  • Absolute path computation (702ca50 by desbma)
  • Remove TODO obsolete comment (0b20d4b by desbma)
  • Test for char device defensively (65e8c74 by desbma)
  • Bind on port 0 handling (d81a660 by desbma)
  • InaccessiblePaths handling of Create and Exec action whitelisting (a358de9 by desbma)
  • Open with O_RDONLY (8014c66 by desbma)
  • Don't follow symlinks when resolving paths (de0d459 by desbma)
  • Open on symlink path (096fc4f by desbma)
  • Reading /dev/kmsg requires CAP_SYSLOG (2df9689 by desbma)
  • ProtectKernelLogs=true denies syslog (39e2aa4 by desbma)
  • PrivateDevices=true denies mknod and makes /dev noexec (7f5b3d5 by desbma)
  • Per option element '-' prefix (cc6fe8a by desbma)
  • Passing of network firewalling option (6d1a361 by desbma)
  • Bind port 0 (153531e by desbma)
  • tests: Dmesg tests depending on system logs (ed7f5cf by desbma)
  • Remove option negated by exception on / (023bb61 by desbma)
  • Sort paths (e2b75d5 by desbma)
  • Ensure paths in PATH env var are accessible (877f62a by desbma)
  • Don't make /proc or /run inaccessible (e66e342 by desbma)
  • Hide effect not incompatible with Create action (5cce1b1 by desbma)
  • Null effect removal inverted test (4c228df by desbma)
  • Debian man page names (4136bed by desbma)

🏃 Performance

  • Sort -> sort_unstable (a3bfba5 by desbma)
  • More &'static str conversion (5265b90 by desbma)

📗 Documentation

  • Add crates.io link & install instructions (8986cfb by desbma)
  • Improve description of --network-firewalling and --filesystem-whitelisting options (4f5a867 by desbma)
  • Add FAQ (8ab785e by desbma)
  • Comment typo (71548b6 by desbma)
  • Minor option description improvements (e39c0bc by desbma)
  • README: Add shh run examples (defe380 by desbma)

🧪 Testing

  • Fix sched_realtime integration test broken with Python 3.13 (4fa9d25 by desbma)
  • Add integration tests running systemd-run (b59c63d by desbma)
  • systemd-run: Log shh run options (efa12eb by desbma)
  • Simplify mmap W+X commands (2c83c5f by desbma)
  • Fix passing file via /tmp (b927803 by desbma)

🚜 Refactor

  • Simplify OptionValue::List (0e9a7fc by desbma)
  • Improve error handling for fd type conversions (db420d3 by desbma)
  • Add convenience constructors for PathDescription (f74cf59 by desbma)

🤖 Continuous integration

v2025.1.16

16 Jan 14:41

Changelog

💡 Features

  • Update options for systemd v257 (2ca1c42 by desbma)
  • Add shh version in unit fragment header (81bf6fd by desbma)

🐛 Bug fixes

  • strace-parser: Indexed arrays (f3c0c2f by desbma)

📗 Documentation

  • Add changelog (01ca7a1 by desbma)
  • Add man pages (53ba284 by desbma)
  • README: Add portability warning (a9439ae by desbma)
  • Update changelog template (e666607 by desbma)

🧪 Testing

  • Add mknod integration test (c6284af by desbma-s1n)
  • Simplify reference string definitions (6971f54 by desbma)
  • Fix integration tests for PrivateTmp=disconnected broken by 2ca1c42 (7a32f7e by desbma)

🚜 Refactor

  • Drop peg strace parser (5f1a98c by desbma)
  • summary: Split summary into per syscall group functions (83fc818 by desbma)
  • Factorize unit fragment header creation (0687e63 by desbma)

🏗 Build

  • Release script auto version (6fbca7e by desbma)
  • Remove unmaintained prettier pre-commit hook (9c8a960 by desbma)

🧰 Miscellaneous tasks

  • Update lints for rust 1.83 (ca2d791 by desbma)
  • Add pre-commit hooks (15df8ba by desbma)

v2024.11.23

23 Nov 21:35
Version 2024.11.23