opensnitch: 1.6.9 -> 1.7.0.0 by LordGrimmauld · Pull Request #412616 · NixOS/nixpkgs

@LordGrimmauld

Diff: evilsocket/opensnitch@refs/tags/v1.6.9...refs/tags/v1.7.0.0

Supersedes #412554

No Qt6 yet, see evilsocket/opensnitch#1009

Things done



@LordGrimmauld

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 412616
Commit: 1d59d1417d573b028a835fb22f559ff3814d3e76


x86_64-linux

✅ 25 packages built:

@onny

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 412616


x86_64-linux

✅ 25 packages built:

@onny

Test fails for me:

vm-test-run-opensnitch> client_allowed_ebpf # curl: (28) Failed to connect to server port 80 after 132854 ms: Could not connect to server
vm-test-run-opensnitch> client_allowed_ebpf: output:
vm-test-run-opensnitch> !!! Traceback (most recent call last):
vm-test-run-opensnitch> !!!   File "<string>", line 8, in <module>
vm-test-run-opensnitch> !!!     client_allowed_ebpf.succeed("curl http://server")
vm-test-run-opensnitch> !!! 
vm-test-run-opensnitch> !!! RequestedAssertionFailed: command `curl http://server` failed (exit code 28)

@onny onny marked this pull request as draft

June 2, 2025 12:41

@LordGrimmauld

Huh, alright, that is surprising... Upstream changed some libs, but most of those are just Go stuff covered by the vendor hash part. I'll have to rerun the build and VM test and closely monitor what it complains about. I had it running on my own machine (outside the VM test) and that seemed to work, but maybe I missed something...

@LordGrimmauld

Okay, I finally got around to taking a look now. It seems the audit backend complains about auditctl not being a valid command (likely needs to enable audit in the opensnitch module if os is set to audit), ebpf complains about the kernel version. Investigating, hopefully I will be able to fix it.

@LordGrimmauld

It worked on my system because I run the audit backend and explicitly had audit enabled elsewhere in my config...

@LordGrimmauld

Okay, what? I am now very confused. It seems the ebpf test is just super flaky? After it failed, I increased the logging level - and suddenly it succeeds?? It failed after all, just took longer...

@LordGrimmauld

Okay, I bisected upstream. evilsocket/opensnitch@ffb7668 is the commit that broke it - but I don't yet understand why. After all, in theory the module should support the module path stuff.

@LordGrimmauld

Hmm... that might have been fixed in evilsocket/opensnitch@159494d again... Kinda hard to bisect something that is not just broken and works, but has multiple versions of broken and working, not necessarily attached...

@LordGrimmauld

@onny help would be appreciated. I am not sure how to best test this further...

@LordGrimmauld

@LordGrimmauld

Okay, some extra findings documented in evilsocket/opensnitch#1356.
I did try to limit the source of the error as much as I could, but now I am a bit lost.

@LordGrimmauld

@LordGrimmauld

@LordGrimmauld

No wonder this "worked" on my system!

While my rules apply to absolute paths, most stuff not started from a console already executes the absolute path, and for most other things I probably reflexively it "allow"...

@LordGrimmauld

Tests do pass now, though this is still a bug that I found.

@LordGrimmauld

@LordGrimmauld

@LordGrimmauld

Upstream fixed the regression, this should be good now. Tests pass for real now!

@grimmauld-bot

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 412616
Commit: 65af72507c50b8537968324e038aab3e706ac3f7


aarch64-linux

✅ 21 packages built:

niklaskorz


Merging within the next hour, unless there are any objections

@niklaskorz

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 412616
Commit: 65af72507c50b8537968324e038aab3e706ac3f7


aarch64-linux

✅ 21 packages built:

@nixpkgs-ci

Backport failed for release-25.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-25.05
git worktree add -d .worktree/backport-412616-to-release-25.05 origin/release-25.05
cd .worktree/backport-412616-to-release-25.05
git switch --create backport-412616-to-release-25.05
git cherry-pick -x ee9b4c7b70b2076600392a4a400d6caad41bf219 65af72507c50b8537968324e038aab3e706ac3f7
