- Refactor man page & shell completions generation (78f4a85 by desbma)
- Simplify journalctl output parsing (399e226 by desbma)
- Add special handling for syscall classes on divergent code paths (7afe636 by desbma)
- Improve option result parsing from journald, add unique id (7067b61 by desbma)
- Properly handle restarted syscalls (392608e by desbma)
- Revamp per process fd tracking (c2b5820 by desbma)
- Improve dual stack socket handling (3c7d482 by desbma)
- Possible incomplete resolved options output (d00301e by desbma)
- Reset restart count in finish-profile (a04c891 by desbma)
- Dual stack socket bind (20438e4 by desbma)
- Test-env/run breaking terminal (f918910 by desbma)
- Test-env/run breaking terminal, the return (3bd4ba8 by desbma)
- Possible truncated option output for debug builds (4f66e0e by desbma)
- Syscall return code misuse corner cases (4d5446a by desbma)
- Improve handling of bind on unspecified address (4229989 by desbma)
- Possible journalctl log overlap in generated options output (3b4a4ca by desbma)
- Add syscall name bench (e3a1bdc by desbma)
- Use EcoString for syscall name (20-25% faster in micro bench) (358ec2d by desbma)
- Add i128/i64 bench (733eb2d by desbma)
- Get rid of i128 (426640f by desbma)
- Only parse full syscalls if we need to (>35% speedup) (ab8d0d7 by desbma)
- Run integration tests via systemd-vmspawn (ae10a84 by desbma)
- Add CACHEDIR.TAG to default target dir (214ac02 by desbma)
- Fix outdated second snapshots (162c5da by desbma)
- Full hardening workflow for caddy (7d86a22 by desbma)
- Simplify & format test-all script (d4e81dd by desbma)
- Use systemctl wait loop to avoid flakiness (0adaa93 by desbma)
- test-env/setup: Fix machine name clash (76f1c34 by desbma)
- Add stress test script (a12fd98 by desbma)
- Simplify test scripts now that they handle concurrent tests (e47baeb by desbma)
- Refactor logging for e2e test (c5b8e70 by desbma)
- Disable journald rate limit in test VM (b24792a by desbma)
- Auto stop gimp to make test more robust (88e7d85 by desbma)
- Tweak stress test core count (e660e5a by desbma)
- Unit@param.service end to end test (380978c by desbma)
- Reduce syscall handler boilerplate (e639d99 by desbma)
- Factorize fd path resolution + add tests (1b42276 by desbma)
- Untangle resolver (c8f9483 by desbma)
- Add macros to simplify handler code (9288d7a by desbma)
- Remove unneeded permission for cargo audit (a38a1bc by desbma)
- Add msrv check (269d592 by desbma)
- Run clippy on all targets, including tests (d9a84a9 by desbma)
- Update actions versions (e8c2957 by desbma)
- Comment typo (4d8aa8f by desbma)
- Update AGENTS.md (8051c61 by desbma)
- Ignore insta .snap.new files (1ff7180 by desbma)
- Ignore claude files (4532bf4 by desbma)
- Update dependencies (7703123 by desbma)
- Fix const_gen lint (c4a02eb by desbma)
- Update release script (c2b0833 by desbma)
- More accurate handling of ProtectClock (b6c80ad by desbma)
- Support opt-in debug logs for release builds (811ce9e by desbma)
- Experimental support for service generated from .container templates (804a09a by desbma)
- Ignore open*/socket syscall return value when they fail (f4b7997 by desbma)
- Ignore bincode audit warning for now (fd6fbba by desbma)
- Remove reverse log fetching, unneeded now that we use cursors (9133c4c by desbma)
- Hide journalctl output when getting cursor (95e322e by desbma)
- README: Double title (c4e0835 by desbma)
- Add logo (f328d34 by desbma)
- Add preview logo (f582d25 by desbma)
- README: Fix install instructions from crates.io (c81c513 by desbma)
- Add ignore reason (1c8e1c4 by desbma)
- Add opt-in gimp integration test (442fcee by desbma)
- Fix integration tests with Python 3.14 (a8b680f by desbma)
- Simplify path lists only once (75cb380 by desbma)
- Factorize some option exception logic (55da9fe by desbma)
- Simplify option definition (628482f by desbma)
- Make OptionUpdater a trait (01808da by desbma)
- Fix cargo_bin deprecated use (0f7d572 by desbma)
- Replace bincode by postcard (5b9af19 by desbma)
- Add AGENTS.md (e56b8b8 by desbma)
- Update dependencies (68ee2da by desbma)
- Use 'systemctl cat' to get unit config (2ed0c51 by desbma)
- Type=oneshot units triggering strace named pipe collision (41bdaea by desbma)
- Fstat on unknown fd (f3c935e by desbma)
- CapabilityBoundingSet requires unprivileged_userns_clone for user instance (56380e8 by desbma)
- Fix possible panic when updating some effects (182a17a by desbma)
- MemoryDenyWriteExecute=true not compatible with mprotect adding exec bit (48fc222 by desbma)
- Make use of anyhow::ensure (b9ca66e by desbma)
- Add todo lint (ac17c5c by desbma)
- Remove redundant test prefixes (0a77b41 by desbma)
- Fix lint for Rust 1.91 (d4543de by desbma)
- Don't buffer strace log output (506cace by desbma)
- Kill(pid, 0) handling (9885c1a by desbma)
- Curl integration test (2f027f1 by desbma)
- Stop sequence for sshd (b3b3248 by desbma)
- Fix lint (c6f5ac7 by desbma)
- Add EWOULDBLOCK to "maybe successful" errnos (238b20b by desbma)
- Generic hardening mode (closes #15) (455336f by desbma)
- Initial CAP_KILL support (d2edd5b by desbma)
- CAP_IPC_LOCK support (343edb7 by desbma)
- Refresh existing hardening fragment (b991c28 by desbma)
- Initialize current working directory (d2cd3ce by desbma)
- Minor comment typo (a6f5281 by desbma)
- Bit shift parsing error (b004891 by desbma)
- Msrv (2b6411c by desbma)
- Path resolution for special files (fe5f2e5 by desbma)
- Avoid sorting syscall names if we don't show them (4626c67 by desbma)
- Use snapshot testing for verbose unit tests (f737f55 by desbma)
- Sort enum members (76f756d by desbma)
- Add cargo audit workflow (3620abe by desbma)
- Try to use RUNTIME_DIRECTORY first for strace pipe location (8f3ce35 by desbma)
- Consider errored syscalls to catch cases like EINPROGRESS (3e8e4ad by desbma)
- Identify more successful syscalls returning -1 (1d971d4 by desbma)
- README: Mention nixpkgs repo (53f37ce by kuflierl)
- Ignore verbose clippy lints (2e96cb3 by desbma)
- Update .gitignore (e741484 by desbma)
- Update dependencies (5a398fa by desbma)
- Update clippy template (ee68b02 by desbma)
- Support kernels without /proc/sys/kernel/unprivileged_userns_clone (f103b06 by desbma)
- Fix empty commit created by release script when using jujutsu (4c3e73e by desbma)
- Static strace path support at compile time (da62cee by kuflierl)
- Add support for shell auto-complete generation with clap_complete (74914dc by kuflierl)
- Initial experimental support for systemd user instances (8114943 by desbma)
- Improve timeout logic when waiting for profiling result (2b0e5ec by desbma)
- strace: Parse mac addresses (8da117a by desbma)
- strace: Handle in/out struct members (40354fa by desbma)
- strace: Array index subtraction & comments (b66f934 by desbma)
- strace: Output macro expressions (b7b2d8b by desbma)
- Remove duplicate options (eb1b51b by desbma)
- strace: More debugging macros (cec9289 by desbma)
- Support jujutsu in release script (00a5f8e by desbma)
- Use journalctl cursors and a retry loop to fix unreliability/fuzziness (c91a967 by desbma)
- Improve journald cursor handling logic (ce02c5c by desbma)
- Only set NotifyAccess=all in profiling fragment for notify services (815d0cb by desbma)
- Box some large enum members (57c91bb by desbma)
- Update for user instance (06dacaf by desbma)
- Man page generation command (849b9a6 by desbma)
- strace: Macro as integer expression (9bb8c28 by desbma)
- NamedConst -> NamedSymbol (4dcebed by desbma)
- strace: Remove unused buffer format handling (ad8866a by desbma)
- Fix rust 1.87 clippy::unnecessary_debug_formatting spam (3ce85c4 by desbma)
- Model disabled mount propagation to host (70637d4 by desbma)
- Support PrivateMounts systemd option (ca293da by desbma)
- Handle namespace pseudo files (6f75bd9 by desbma)
- Add netns systemd-run test (7162280 by desbma)
- options: Remove checks of options that vary too much between environments (1f18b17 by desbma)
- Generate systemd syscall classes at build time from systemd-analyze output (c52a860 by desbma)
- Lint (5bf6fd2 by desbma)
- ProcSubset systemd option (365f76d by desbma)
- Non leaf symlinks not being canonicalized (6e90c41 by desbma)
- README: Update shh run example output (7ba62e3 by desbma)
- README: Split crates.io installation instructions + minor tweaks (7312ae4 by desbma)
- FAQ: Minor typo fix (9176a6d by desbma)
- Add ProcSubset integration test (4ca7a12 by desbma)
- Rename 'cl' integration tests to 'options' (b7e6478 by desbma)
- Track IPv4 addresses (b4dc2c1 by desbma)
- IpAddressDeny (WIP) (8df9a0c by desbma)
- Improve network activity coverage (d8aa8b5 by desbma)
- Dynamic IpAddressAllow (4928a4c by desbma)
- Reorder options (2f94302 by desbma)
- Greatly simplify SocketBindDeny handling (25c9bf7 by desbma)
- IPv6 support for IPAddressAllow (9dc0376 by desbma)
- Make service reset block (d95f533 by desbma)
- Add option to edit fragment before applying it (a83c7ab by desbma)
- FAQ: Fix typos + mention --merge-paths-threshold option (9fc6412 by desbma)
- Mark unreachable code paths as such (827e88c by desbma)
- Remove now unneeded CountableSetSpecifier (975a9af by desbma)
- Update panic macro usage (4cc7328 by desbma)
- Mkdir syscall (f25364d by desbma)
- Track current dir (1d0080b by desbma)
- Use current directory to resolve relative paths (b486593 by desbma)
- Log whole syscall when handling fails (f8402d8 by desbma)
- File system deny all + white list (502ca9d by desbma)
- Filesystem exception whitelist merging (2263ab4 by desbma)
- InaccessiblePaths systemd option (WIP) (aa76500 by desbma)
- InaccessiblePaths dynamic whitelisting + auto merge options (53a3c10 by desbma)
- Handle exec syscalls (31814d2 by desbma)
- Support NoExecPaths systemd option + ExecPath whitelisting (dbf32a4 by desbma)
- Handle PROT_EXEC memory mappings (16345ae by desbma)
- Handle intermediate symlinks in all paths (3015caf by desbma)
- Parse ELF header to get dynamic linker interpreter (6cef0c0 by desbma)
- Parse shebang to handle exec'd scripts (1175415 by desbma)
- Disable XxxPaths options if an exception for / makes them useless (4c97afb by desbma)
- Auto remove .service suffix (1355caf by desbma)
- Check for unsupported unit types (dd09b00 by desbma)
- Losslessly simplify paths lists when length is below threshold (4307ef9 by desbma)
- Prevent InaccessiblePaths/TemporaryFileSystem to be too easily disabled when / is read (WIP) (407876f by desbma)
- Improve & re-enable InaccessiblePaths second option (cdba2f5 by desbma)
- Improve null effect removal (f08380d by desbma)
- Split option effects EmptyPath/RemovePath (5c6814c by desbma)
- TemporaryFileSystem=xxx:ro & BindReadOnlyPaths=yyy support (191fb61 by desbma)
- Go deeper when whitelisting with TemporaryFileSystem (d8b6ac5 by desbma)
- Add systemd option whitelist for testing (1bd3d49 by desbma)
- Prevent duplicate BindPaths/BindReadOnlyPaths exceptions + add tests for InaccessiblePaths (9c952b1 by desbma)
- Log 'systemd-analyze security' "exposure level" (60d6309 by desbma)
- More explicit error reporting (9d79ae3 by desbma)
- Improve markdown option list output (f4f4c88 by desbma)
- Detect another case of nullified option effect (5bd0532 by desbma)
- Absolute path computation (702ca50 by desbma)
- Remove TODO obsolete comment (0b20d4b by desbma)
- Test for char device defensively (65e8c74 by desbma)
- Bind on port 0 handling (d81a660 by desbma)
- InaccessiblePaths handling of Create and Exec action whitelisting (a358de9 by desbma)
- Open with O_RDONLY (8014c66 by desbma)
- Don't follow symlinks when resolving paths (de0d459 by desbma)
- Open on symlink path (096fc4f by desbma)
- Reading /dev/kmsg requires CAP_SYSLOG (2df9689 by desbma)
- ProtectKernelLogs=true denies syslog (39e2aa4 by desbma)
- PrivateDevices=true denies mknod and makes /dev noexec (7f5b3d5 by desbma)
- Per option element '-' prefix (cc6fe8a by desbma)
- Passing of network firewalling option (6d1a361 by desbma)
- Bind port 0 (153531e by desbma)
- tests: Dmesg tests depending on system logs (ed7f5cf by desbma)
- Remove option negated by exception on / (023bb61 by desbma)
- Sort paths (e2b75d5 by desbma)
- Ensure paths in PATH env var are accessible (877f62a by desbma)
- Don't make /proc or /run inaccessible (e66e342 by desbma)
- Hide effect not incompatible with Create action (5cce1b1 by desbma)
- Null effect removal inverted test (4c228df by desbma)
- Debian man page names (4136bed by desbma)
- Add crates.io link & install instructions (8986cfb by desbma)
- Improve description of --network-firewalling and --filesystem-whitelisting options (4f5a867 by desbma)
- Add FAQ (8ab785e by desbma)
- Comment typo (71548b6 by desbma)
- Minor option description improvements (e39c0bc by desbma)
- README: Add shh run examples (defe380 by desbma)
- Fix sched_realtime integration test broken with Python 3.13 (4fa9d25 by desbma)
- Add integration tests running systemd-run (b59c63d by desbma)
- systemd-run: Log shh run options (efa12eb by desbma)
- Simplify mmap W+X commands (2c83c5f by desbma)
- Fix passing file via /tmp (b927803 by desbma)
- Simplify OptionValue::List (0e9a7fc by desbma)
- Improve error handling for fd type conversions (db420d3 by desbma)
- Add convenience constructors for PathDescription (f74cf59 by desbma)
- Enable systemd-run integration tests (c3b4d7f by desbma)
- Add cargo metadata & rename package to publish on crates.io (1214fee by desbma)
- Lint (3763bc0 by desbma)
- Update lints (418bb2a by desbma)
- Update options for systemd v257 (2ca1c42 by desbma)
- Add shh version in unit fragment header (81bf6fd by desbma)
- strace-parser: Indexed arrays (f3c0c2f by desbma)
- Add changelog (01ca7a1 by desbma)
- Add man pages (53ba284 by desbma)
- README: Add portability warning (a9439ae by desbma)
- Update changelog template (e666607 by desbma)
- Add mknod integration test (c6284af by desbma-s1n)
- Simplify reference string definitions (6971f54 by desbma)
- Fix integration tests for PrivateTmp=disconnected broken by 2ca1c42 (7a32f7e by desbma)
- Drop peg strace parser (5f1a98c by desbma)
- summary: Split summary into per syscall group functions (83fc818 by desbma)
- Factorize unit fragment header creation (0687e63 by desbma)
- Release script auto version (6fbca7e by desbma)
- Remove unmaintained prettier pre-commit hook (9c8a960 by desbma)
- Support for CapabilityBoundingSet systemd option (WIP) (8f6a472 by desbma)
- Cl goodies (57fbeb5 by desbma)
- Support CAP_BLOCK_SUSPEND capability (8e0530c by desbma)
- Support CAP_BPF capability (62bb876 by desbma)
- Support CAP_SYS_CHROOT capability (ca7ab16 by desbma)
- Support CAP_NET_RAW capability (47f333a by desbma)
- Support CAP_SYS_TIME capability (8f47d34 by desbma)
- Support CAP_PERFMON capability (e717bdd by desbma)
- Support CAP_SYS_PTRACE capability (f46a220 by desbma)
- Support CAP_SYSLOG capability (9c5f65f by desbma)
- Support CAP_MKNOD capability (169536e by desbma)
- Support CAP_SYS_TTY_CONFIG capability (b348788 by desbma)
- Support CAP_WAKE_ALARM capability (94082a0 by desbma)
- Support negative sets (baeea83 by desbma)
- Changeable effects (fc69691 by desbma-s1n)
- Add network firewalling option (4722239 by desbma)
- Force StandardOutput=journal when profiling (852b37c by desbma)
- Comment typo (04b1887 by desbma)
- Comment typo (63770db by desbma-s1n)
- README: Minor clarification (fb5c6af by desbma)
- Add comments (d91cd42 by desbma)
- Add option model comment (4cc41a9 by desbma)
- Update capabilities TODOs (0dc33c0 by desbma)
- Add autogenerated list of supported systemd options (9ea16cb by desbma)
- Add CapabilityBoundingSet integration tests (a98859a by desbma-s1n)
- peg: Match on rules instead of tags (cb97a99 by desbma-s1n)
- Effect/option types (26c7f41 by desbma)
- String -> & 'static str (af995f0 by desbma)
- Replace lazy_static by LazyLock (192c8ad by desbma)
- Use Option::transpose (bc55cb1 by desbma)
- Update release script (c1b79db by desbma)
- Enable more lints (7620b50 by desbma)
- Update dependencies (5c4454b by desbma)
- Add error context if starting strace fails (eb0bca2 by desbma-s1n)
- Add PEG based Pest parser (d0c570f by desbma-s1n)
- Add optional strace log mirror output (76f3c14 by desbma-s1n)
- Combinator based parser (40086ae by desbma-s1n)
- Handling of '+' prefixed ExecStart directives (776b146 by desbma)
- Clippy false positive (0ec360b by desbma)
- Add parse_line bench (c57daee by desbma-s1n)
- Improve incomplete syscall types + move handling out of parser (ae3ea4f by desbma-s1n)
- Remove legacy regex parser (d43a9a0 by desbma-s1n)
- Merge imports (bd6b6b5 by desbma-s1n)
- Build deb with glibc (09e6f66 by desbma-s1n)
- Strace array parsing (fixes #3) (be5dd32 by desbma)
- Parsing of multiline ExecStartXxx commands (91d363c by desbma-s1n)
- Handling of required command line multiple arguments (79ec626 by desbma-s1n)
- Swap official/mirror repository roles (a782302 by desbma)
- Stopping some services like nginx (c80f428 by desbma)
- Don't wait on systemctl if we don't need to (b08881d by desbma)
- Support services with multiple ExecStartPre/ExecStart/ExecStartPost directives (30d15b5 by desbma)
- Systemd rc version parsing (5c8ec20 by desbma-s1n)
- README: Add repo links (d1d7102 by desbma)
- README: Add AUR link (2881aa2 by desbma)
- README: Add badges (e549755 by desbma)
- List of address families missing some chars (75eba5f by desbma-s1n)
- Work around inconsistent strace 5.10 output (86e9d54 by desbma-s1n)
- Support LockPersonality systemd option (d46c422 by desbma-s1n)
- Support RestrictRealtime systemd option (93e9efb by desbma-s1n)
- Support ProtectClock systemd option (f995ed2 by desbma-s1n)
- Support SocketBindDeny systemd option (4927217 by desbma-s1n)
- Track socket protocols per process (0b67312 by desbma-s1n)
- Script to run integration tests as {user,root} and from /{home,tmp} (0dfe73f by desbma-s1n)
- Simplify dmesg test (92cef27 by desbma-s1n)
- Detect unsupported services and throw error (c3cab7b by desbma-s1n)
- Support RestrictAddressFamilies systemd option (10d0dad by desbma-s1n)
- Support MemoryDenyWriteExecute systemd option (3d0daf1 by desbma-s1n)
- Improve summary code to do a single hashmap search + support some more syscalls (8dd0668 by desbma-s1n)
- Add optional aggressive mode + support PrivateNetwork systemd option (1cdb462 by desbma-s1n)
- Support SystemCallArchitectures systemd option (8f66c05 by desbma-s1n)
- Return EPERM instead of killing with signal when denied syscall is called (5aefc36 by desbma-s1n)
- Recvmsg strace parsing (b393dda by desbma-s1n)
- Handling of systemd syscall classes containing classes (f98d508 by desbma)