feat: Report hardened version

macie · macie · commit 4ab17f281274 · 2023-10-27T11:35:42.000+02:00
Show `(hardened)` next to version number in CLI.
diff --git a/cmd/config.go b/cmd/config.go
@@ -8,23 +8,22 @@ import (
 	"os/signal"
 	"strings"
 	"time"
+
+	"github.com/macie/opinions/security"
 )
 
 // AppConfig represets current app configuration.
 type AppConfig struct {
+	appVersion  string
 	Query       string
 	Timeout     time.Duration
-	Version     string
 	ShowVersion bool
 }
 
 // NewAppConfig combines command line arguments and app version into AppConfig.
 func NewAppConfig(cliArgs []string, appVersion string) (AppConfig, error) {
-	if appVersion == "" {
-		appVersion = time.Now().Format("2006.01.02-dev150405")
-	}
 	config := AppConfig{
-		Version: appVersion,
+		appVersion: appVersion,
 	}
 	f := flag.NewFlagSet("opinions", flag.ContinueOnError)
 
@@ -46,6 +45,19 @@ func NewAppConfig(cliArgs []string, appVersion string) (AppConfig, error) {
 	return config, nil
 }
 
+// Version returns string with full version description.
+func (c *AppConfig) Version() string {
+	ver := c.appVersion
+	if ver == "" {
+		ver = time.Now().Format("2006.01.02-dev150405")
+	}
+	build := ""
+	if security.IsHardened {
+		build = " (hardened)"
+	}
+	return fmt.Sprintf("opinions %s%s\n", ver, build)
+}
+
 // NewAppContext creates cancellable app context with optional timeout.
 func NewAppContext(config AppConfig) (context.Context, context.CancelFunc) {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
diff --git a/cmd/main.go b/cmd/main.go
@@ -29,7 +29,7 @@ func main() {
 		os.Exit(1)
 	}
 	if config.ShowVersion {
-		fmt.Fprintf(os.Stderr, "opinions %s\n", config.Version)
+		fmt.Fprint(os.Stderr, config.Version())
 		os.Exit(0)
 	}
 
diff --git a/security/sandbox.go b/security/sandbox.go
@@ -4,7 +4,10 @@
 
 package security
 
-// Sandbox restrict access to system resources. Currently only works on OpenBSD.
+// IsHardened reports whether security sandbox is enabled.
+const IsHardened = false
+
+// Sandbox restrict access to system resources.
 func Sandbox() error {
 	return nil
 }
diff --git a/security/sandbox_openbsd.go b/security/sandbox_openbsd.go
@@ -4,6 +4,9 @@ package security
 
 import "golang.org/x/sys/unix"
 
+// IsHardened reports whether security sandbox is enabled.
+const IsHardened = true
+
 // Sandbox restrict application access to necessary system calls needed by
 // network connections and standard i/o.
 //

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func main() {`
`29`	`29`	`os.Exit(1)`
`30`	`30`	`}`
`31`	`31`	`if config.ShowVersion {`
`32`		`- fmt.Fprintf(os.Stderr, "opinions %s\n", config.Version)`
	`32`	`+ fmt.Fprint(os.Stderr, config.Version())`
`33`	`33`	`os.Exit(0)`
`34`	`34`	`}`
`35`	`35`