feat: Allow compilation without sandbox

Build without sandbox must be explicit.

Author: macie

.github/workflows/publish.yml

@@ -43,6 +43,11 @@ jobs:
       matrix:
         include:
           - bin_name: opinions-openbsd_amd64-hardened
+          - bin_name: opinions-linux_amd64
+          - bin_name: opinions-linux_arm
+          - bin_name: opinions-linux_arm64
+          - bin_name: opinions-freebsd_amd64
+          - bin_name: opinions-windows_amd64.exe
 
     steps:
       - name: Extract build artifacts

Makefile

@@ -33,12 +33,28 @@ build: check test
 		PSEUDOVERSION="$${PREV_VER_TAG:-0.0.0}-$$CURRENT_COMMIT_TAG"; \
 		VERSION="$${CURRENT_VER_TAG:-$$PSEUDOVERSION}"; \
 		# hardened \
-		GOOS=openbsd GOARCH=amd64 go build -C cmd/ -v -ldflags="-s -w -X main.AppVersion=$$VERSION" -o "../dist/opinions-openbsd_amd64-hardened"; \
+		GOOS=openbsd GOARCH=amd64 go build -C cmd/ -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-openbsd_amd64-hardened'; \
 		# without sandbox \
+		GOOS=linux GOARCH=amd64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_amd64'; \
+		GOOS=linux GOARCH=arm go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_arm'; \
+		GOOS=linux GOARCH=arm64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_arm64'; \
+		GOOS=freebsd GOARCH=amd64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-freebsd_amd64'; \
+		GOOS=windows GOARCH=amd64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-windows_amd64.exe'; \
 
 	@echo '# Create binaries checksum' >&2
 	@sha256sum ./dist/* >./dist/sha256sum.txt
 
+unsafe: check test
+	@echo '# Create release binary without sandbox in ./dist/opinions-unsafe' >&2
+	@CURRENT_VER_TAG="$$(git tag --points-at HEAD | sed 's/^v//' | sort -t. -k 1,1n -k 2,2n -k 3,3n | tail -1)"; \
+		PREV_VER_TAG="$$(git tag | sed 's/^v//' | sort -t. -k 1,1n -k 2,2n -k 3,3n | tail -1)"; \
+		CURRENT_COMMIT_TAG="$$(TZ=UTC git --no-pager show --quiet --abbrev=12 --date='format-local:%Y%m%d%H%M%S' --format='%cd-%h')"; \
+		PSEUDOVERSION="$${PREV_VER_TAG:-0.0.0}-$$CURRENT_COMMIT_TAG"; \
+		VERSION="$${CURRENT_VER_TAG:-$$PSEUDOVERSION}"; \
+		go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-unsafe'
+	@echo '# Create checksum' >&2
+	@sha256sum ./dist/opinions-unsafe >./dist/opinions-unsafe.sha256sum.txt
+
 release: prepare-release build
 
 install-dependencies:

README.md

@@ -35,6 +35,7 @@ Use `make` (GNU or BSD):
 - `make test` - runs test
 - `make check` - static code analysis
 - `make build` - compile binaries from latest commit for supported OSes (with [proper version number](https://go.dev/doc/modules/version-numbers))
+- `make unsafe` - compile binaries from latest commit without security sandbox
 - `make release` - mark latest commit with choosen version tag and compile binaries for supported OSes
 - `make clean` - removes compilation artifacts
 - `make info` - print system info (useful for debugging).

security/sandbox.go

@@ -1,13 +1,18 @@
 // Package security contains OS specific mitigation mechanisms.
 
-//go:build !openbsd
+//go:build !openbsd && !unsafe
 
 package security
 
+import (
+	"fmt"
+	"runtime"
+)
+
 // IsHardened reports whether security sandbox is enabled.
 const IsHardened = false
 
 // Sandbox restrict access to system resources.
 func Sandbox() error {
-	return nil
+	return fmt.Errorf("security sandbox is unavailable on %s/%s. To use app on this platform, compile it without sandbox (with 'unsafe' flag)", runtime.GOOS, runtime.GOARCH)
 }

security/sandbox_openbsd.go

@@ -1,4 +1,4 @@
-//go:build openbsd
+//go:build openbsd && !unsafe
 
 package security
 

security/sandbox_unsafe.go

@@ -0,0 +1,12 @@
+//go:build unsafe
+
+package security
+
+// IsHardened reports whether security sandbox is enabled.
+const IsHardened = false
+
+// Sandbox restrict access to system resources. In unsafe builds sandbox is
+// disabled.
+func Sandbox() error {
+	return nil
+}