FIXME enable sandboxing for ARM

macie · Dec 10, 2023 · 19f1c7e · 19f1c7e
1 parent 8432b22
commit 19f1c7e
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 135 deletions.
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -1,6 +1,9 @@
 name: E2E tests
 on:
   pull_request:
+  push:
+    branches:
+    - arm_seccomp
 
 permissions:
   contents: read
@@ -92,7 +95,7 @@ jobs:
         run: make
 
       - name: Build executable
-        run: GOOS=linux GOARCH=arm GOARM=7 make unsafe
+        run: GOOS=linux GOARCH=arm GOARM=7 make build
 
       - name: Run E2E tests inside VM
         uses: pguyot/arm-runner-action@e04ca3becb581a2b52cabe31e53835ada344522f # v2.5.2
@@ -142,7 +145,7 @@ jobs:
         run: make
 
       - name: Build executable
-        run: GOOS=linux GOARCH=arm64 make unsafe
+        run: GOOS=linux GOARCH=arm64 make build
 
       - name: Run E2E tests inside VM
         uses: pguyot/arm-runner-action@e04ca3becb581a2b52cabe31e53835ada344522f # v2.5.2
@@ -153,131 +156,131 @@ jobs:
           commands: |
             make e2e
 
-  windows:
-    name: Windows amd64 (not hardened)
-    runs-on: windows-latest
-    timeout-minutes: 10
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: 'stable'
-
-      - name: Install dependencies
-        run: make
-
-      - name: Build executable
-        run: make unsafe
-
-      - run: make e2e
-
-  freebsd:
-    name: FreeBSD amd64
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            api.github.com:443
-            proxy.golang.org:443
-            0.freebsd.pool.ntp.org:443
-            2.freebsd.pool.ntp.org:443
-            raw.githubusercontent.com:443
-            objects.githubusercontent.com:443
-            changelogs.ubuntu.com:443
-            ppa.launchpadcontent.net:443
-            packages.microsoft.com:443
-            azure.archive.ubuntu.com:80
-            motd.ubuntu.com:443
-            esm.ubuntu.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            hn.algolia.com:80
-            hn.algolia.com:443
-            lemmy.world:443
-            lobste.rs:443
-            www.reddit.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: 'stable'
-
-      - name: Install dependencies
-        run: make
-
-      - name: Build executable for FreeBSD amd64
-        run: GOOS=freebsd GOARCH=amd64 make unsafe
-
-      - name: Run E2E tests inside VM
-        uses: vmactions/freebsd-vm@d139f0eaa5d47d9fcc44f7ab1748574475d89565 # v1.0.5
-        with:
-          usesh: true
-          run: |
-            set -e -x
-            make e2e
-
-  openbsd:
-    name: OpenBSD amd64
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            github.com:443
-            api.github.com:443
-            proxy.golang.org:443
-            pool.ntp.org:443
-            cdn.openbsd.org:443
-            www.google.com:443
-            raw.githubusercontent.com:443
-            objects.githubusercontent.com:443
-            time.cloudflare.com:443
-            ppa.launchpadcontent.net:443
-            packages.microsoft.com:443
-            azure.archive.ubuntu.com:80
-            motd.ubuntu.com:443
-            esm.ubuntu.com:443
-            pypi.org:443
-            files.pythonhosted.org:443
-            hn.algolia.com:80
-            hn.algolia.com:443
-            lemmy.world:443
-            lobste.rs:443
-            www.reddit.com:443
-
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version: 'stable'
-
-      - name: Install dependencies
-        run: make
-
-      - name: Build executable for OpenBSD amd64
-        run: GOOS=openbsd GOARCH=amd64 make build
-
-      - name: Run E2E tests inside VM
-        uses: vmactions/openbsd-vm@c69c6aa05e19f11533a5d00913e398606bd66133 # v1.0.4
-        with:
-          run: |
-            make e2e
+  # windows:
+  #   name: Windows amd64 (not hardened)
+  #   runs-on: windows-latest
+  #   timeout-minutes: 10
+
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+  #     - name: Setup Go
+  #       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+  #       with:
+  #         go-version: 'stable'
+
+  #     - name: Install dependencies
+  #       run: make
+
+  #     - name: Build executable
+  #       run: make unsafe
+
+  #     - run: make e2e
+
+  # freebsd:
+  #   name: FreeBSD amd64
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 10
+
+  #   steps:
+  #     - name: Harden Runner
+  #       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+  #       with:
+  #         egress-policy: block
+  #         allowed-endpoints: >
+  #           github.com:443
+  #           api.github.com:443
+  #           proxy.golang.org:443
+  #           0.freebsd.pool.ntp.org:443
+  #           2.freebsd.pool.ntp.org:443
+  #           raw.githubusercontent.com:443
+  #           objects.githubusercontent.com:443
+  #           changelogs.ubuntu.com:443
+  #           ppa.launchpadcontent.net:443
+  #           packages.microsoft.com:443
+  #           azure.archive.ubuntu.com:80
+  #           motd.ubuntu.com:443
+  #           esm.ubuntu.com:443
+  #           pypi.org:443
+  #           files.pythonhosted.org:443
+  #           hn.algolia.com:80
+  #           hn.algolia.com:443
+  #           lemmy.world:443
+  #           lobste.rs:443
+  #           www.reddit.com:443
+
+  #     - name: Checkout repository
+  #       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+  #     - name: Setup Go
+  #       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+  #       with:
+  #         go-version: 'stable'
+
+  #     - name: Install dependencies
+  #       run: make
+
+  #     - name: Build executable for FreeBSD amd64
+  #       run: GOOS=freebsd GOARCH=amd64 make unsafe
+
+  #     - name: Run E2E tests inside VM
+  #       uses: vmactions/freebsd-vm@d139f0eaa5d47d9fcc44f7ab1748574475d89565 # v1.0.5
+  #       with:
+  #         usesh: true
+  #         run: |
+  #           set -e -x
+  #           make e2e
+
+  # openbsd:
+  #   name: OpenBSD amd64
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 10
+
+  #   steps:
+  #     - name: Harden Runner
+  #       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+  #       with:
+  #         egress-policy: block
+  #         allowed-endpoints: >
+  #           github.com:443
+  #           api.github.com:443
+  #           proxy.golang.org:443
+  #           pool.ntp.org:443
+  #           cdn.openbsd.org:443
+  #           www.google.com:443
+  #           raw.githubusercontent.com:443
+  #           objects.githubusercontent.com:443
+  #           time.cloudflare.com:443
+  #           ppa.launchpadcontent.net:443
+  #           packages.microsoft.com:443
+  #           azure.archive.ubuntu.com:80
+  #           motd.ubuntu.com:443
+  #           esm.ubuntu.com:443
+  #           pypi.org:443
+  #           files.pythonhosted.org:443
+  #           hn.algolia.com:80
+  #           hn.algolia.com:443
+  #           lemmy.world:443
+  #           lobste.rs:443
+  #           www.reddit.com:443
+
+  #     - name: Checkout repository
+  #       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+  #     - name: Setup Go
+  #       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+  #       with:
+  #         go-version: 'stable'
+
+  #     - name: Install dependencies
+  #       run: make
+
+  #     - name: Build executable for OpenBSD amd64
+  #       run: GOOS=openbsd GOARCH=amd64 make build
+
+  #     - name: Run E2E tests inside VM
+  #       uses: vmactions/openbsd-vm@c69c6aa05e19f11533a5d00913e398606bd66133 # v1.0.4
+  #       with:
+  #         run: |
+  #           make e2e
diff --git a/Makefile b/Makefile
@@ -61,9 +61,9 @@ dist: *.go
 		# hardened \
 		GOOS=openbsd GOARCH=amd64 go build -C cmd/ -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-openbsd_amd64-hardened'; \
 		GOOS=linux GOARCH=amd64 go build -C cmd/ -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_amd64-hardened'; \
+		GOOS=linux GOARCH=arm GOARM=7 go build -C cmd/ -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_armv7'; \
+		GOOS=linux GOARCH=arm64 go build -C cmd/ -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_arm64'; \
 		# without sandbox \
-		GOOS=linux GOARCH=arm GOARM=7 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_armv7'; \
-		GOOS=linux GOARCH=arm64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-linux_arm64'; \
 		GOOS=freebsd GOARCH=amd64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-freebsd_amd64'; \
 		GOOS=windows GOARCH=amd64 go build -C cmd/ -tags unsafe -ldflags="-s -w -X main.AppVersion=$$VERSION" -o '../dist/opinions-windows_amd64.exe'; \
 

diff --git a/security/sandbox.go b/security/sandbox.go
@@ -1,6 +1,6 @@
 // Package security contains OS specific mitigation mechanisms.
 
-//go:build !(linux && amd64) && !openbsd && !unsafe
+//go:build !linux && !openbsd && !unsafe
 
 package security
 

diff --git a/security/sandbox_linux_amd64.go → security/sandbox_linux.go b/security/sandbox_linux_amd64.go → security/sandbox_linux.go
@@ -1,4 +1,4 @@
-//go:build linux && amd64 && !openbsd && !unsafe
+//go:build linux && !openbsd && !unsafe
 
 package security
 

diff --git a/security/sandbox_openbsd.go b/security/sandbox_openbsd.go
@@ -1,4 +1,4 @@
-//go:build openbsd && !(linux && amd64) && !unsafe
+//go:build openbsd && !linux && !unsafe
 
 package security