fix: remove unprivileged and macos (#78)

* fix: remove unprivileged and macos

* ci: remove macos from CI

* fix: remove mentioning of unprivileged and macos from docs

Author: evgeniy-scherbina

.github/workflows/ci.yml

@@ -47,7 +47,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
 
     steps:

ARCHITECTURE.md

@@ -48,7 +48,7 @@ This document describes the architecture and components of boundary, a network i
 │ │  │   TARGET COMMAND    │                                                │ │
 │ │  │                     │                                                │ │
 │ │  │   npm install       │  ◄── HTTP_PROXY/HTTPS_PROXY env vars           │ │
-│ │  │   curl https://...  │  ◄── Network isolation (Linux/macOS)           │ │
+│ │  │   curl https://...  │  ◄── Network isolation (Linux)                 │ │
 │ │  │   git clone         │  ◄── DNS redirection                           │ │
 │ │  │                     │                                                │ │
 │ │  └─────────────────────┘                                                │ │
@@ -61,7 +61,7 @@ This document describes the architecture and components of boundary, a network i
 ## Component Details
 
 ### 1. CLI Layer
-**Input**: Command line arguments (`--allow`, `--log-level`, `--unprivileged`, target command)
+**Input**: Command line arguments (`--allow`, `--log-level`, target command)
 **Output**: Configured boundary instance and executed target command
 
 **Responsibilities**:
@@ -106,57 +106,7 @@ Platform-specific implementations:
 └─────────────────────────────────────────────┘
 ```
 
-#### macOS Jailer
-```
-┌─────────────────────────────────────────────┐
-│              MACOS JAILER                   │
-├─────────────────────────────────────────────┤
-│                                             │
-│  PF (Packet Filter) Rules                   │
-│  │                                          │
-│  ├─ Create custom anchor                    │
-│  ├─ REDIRECT HTTP  → proxy (127.0.0.1:8080) │
-│  ├─ REDIRECT HTTPS → proxy (127.0.0.1:8080) │
-│  └─ Apply rules to specific process group   │
-│                                             │
-│  Process Group Isolation                    │
-│  │                                          │
-│  ├─ Create restricted group                 │
-│  ├─ Set process group ID                    │
-│  └─ Configure environment variables         │
-│                                             │
-│  Process Execution                          │
-│  │                                          │
-│  ├─ Set HTTP_PROXY env var                  │
-│  ├─ Set HTTPS_PROXY env var                 │
-│  ├─ Set SSL_CERT_FILE (custom CA)           │
-│  └─ Execute with group restrictions         │
-│                                             │
-└─────────────────────────────────────────────┘
-```
 
-#### Unprivileged Jailer
-```
-┌─────────────────────────────────────────────┐
-│           UNPRIVILEGED JAILER               │
-├─────────────────────────────────────────────┤
-│                                             │
-│  Environment Variables Only                 │
-│  │                                          │
-│  ├─ Set HTTP_PROXY env var                  │
-│  ├─ Set HTTPS_PROXY env var                 │
-│  ├─ Set SSL_CERT_FILE (custom CA)           │
-│  └─ No network isolation                    │
-│                                             │
-│  Process Execution                          │
-│  │                                          │
-│  ├─ Execute with proxy env vars             │
-│  └─ Relies on application proxy support     │
-│                                             │
-│  Note: Less secure but works without sudo   │
-│                                             │
-└─────────────────────────────────────────────┘
-```
 
 ### 3. Proxy Server Component
 **Input**: HTTP/HTTPS requests from jailed processes
@@ -427,15 +377,15 @@ Platform-specific implementations:
 
 ## Platform Differences
 
-| Aspect | Linux | macOS | Unprivileged |
-|--------|--------|--------|--------------|
-| **Isolation** | Network namespaces | Process groups + PF | Environment variables only |
-| **Traffic Interception** | iptables REDIRECT | PF rdr rules | HTTP_PROXY/HTTPS_PROXY |
-| **DNS** | Custom resolv.conf | System DNS + PF | System DNS |
-| **Privileges** | Requires sudo | Requires sudo | No privileges required |
-| **Security** | Strong isolation | Moderate isolation | Weak (app-dependent) |
-| **Compatibility** | Linux kernel 3.8+ | macOS with PF | Any platform |
-| **Process Control** | Network namespace | Process group | Standard process |
+| Aspect | Linux |
+|--------|-------|
+| **Isolation** | Network namespaces |
+| **Traffic Interception** | iptables REDIRECT |
+| **DNS** | Custom resolv.conf |
+| **Privileges** | Requires network capabilities (e.g., CAP_NET_ADMIN) |
+| **Security** | Strong isolation |
+| **Compatibility** | Linux kernel 3.8+ |
+| **Process Control** | Network namespace |
 
 ## Security Model
 
@@ -445,7 +395,7 @@ Platform-specific implementations:
 - Fail-safe behavior: unknown requests are denied
 
 ### Network Isolation
-- Process cannot bypass boundary (except in unprivileged mode)
+- Process cannot bypass boundary
 - All traffic routed through proxy server
 - TLS interception prevents encrypted bypass
 

Makefile

@@ -28,10 +28,7 @@ build-all:
 	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./cmd/boundary
 	@echo "Building Linux arm64..."
 	GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./cmd/boundary
-	@echo "Building macOS amd64..."
-	GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-amd64 ./cmd/boundary
-	@echo "Building macOS arm64..."
-	GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./cmd/boundary
+	@# macOS builds removed; Linux only
 	@echo "✓ All binaries built successfully!"
 	@echo "Binaries are in the '$(BUILD_DIR)' directory:"
 	@ls -la $(BUILD_DIR)/

README.md

@@ -6,11 +6,11 @@ boundary creates an isolated network environment for target processes, intercept
 
 ## Features
 
-- Process-level network isolation (Linux namespaces, macOS process groups)
+ - Process-level network isolation (Linux namespaces)
 - HTTP/HTTPS interception with transparent proxy and TLS certificate injection
 - Wildcard pattern matching for URL patterns
 - Request logging and monitoring
-- Cross-platform support (Linux and macOS)
+ - Linux support
 - Default deny-all security model
 
 ## Installation
@@ -69,42 +69,22 @@ boundary --log-level debug --allow "domain=github.com" -- git pull  # Debug info
 
 **Log Levels:** `error`, `warn` (default), `info`, `debug`
 
-## Unprivileged Mode
-
-When you can't or don't want to run with sudo privileges, use `--unprivileged`:
-
-```bash
-# Run without network isolation (uses HTTP_PROXY/HTTPS_PROXY environment variables)
-boundary --unprivileged --allow "domain=github.com" -- npm install
-
-# Useful in containers or restricted environments
-boundary --unprivileged --allow "domain=*.npmjs.org" --allow "domain=registry.npmjs.org" -- npm install
-```
-
-**Unprivileged Mode:**
-- No network namespaces or firewall rules
-- Works without sudo privileges  
-- Uses proxy environment variables instead
-- Applications must respect HTTP_PROXY/HTTPS_PROXY settings
-- Less secure but more compatible
-
 ## Platform Support
 
-| Platform | Implementation | Sudo Required |
-|----------|----------------|---------------|
-| Linux    | Network namespaces + iptables | Yes |
-| macOS    | Process groups + PF rules | Yes |
-| Windows  | Not supported | - |
+| Platform | Implementation                 | Privileges                |
+|----------|--------------------------------|---------------------------|
+| Linux    | Network namespaces + iptables  | CAP_NET_ADMIN (or root)   |
+| macOS    | Not supported                  | -                         |
+| Windows  | Not supported                  | -                         |
 
 ## Command-Line Options
 
 ```text
 boundary [flags] -- command [args...]
 
---allow <SPEC>             Allow rule (repeatable)
---log-level <LEVEL>        Set log level (error, warn, info, debug)
---unprivileged             Run without network isolation
--h, --help                 Print help
+ --allow <SPEC>             Allow rule (repeatable)
+ --log-level <LEVEL>        Set log level (error, warn, info, debug)
+ -h, --help                 Print help
 ```
 
 ## Development

RELEASES.md

@@ -26,8 +26,7 @@ This triggers the **Release** workflow which:
 |----------|--------------|-------------|----------|
 | Linux | x64 | `boundary-linux-amd64` | `.tar.gz` |
 | Linux | ARM64 | `boundary-linux-arm64` | `.tar.gz` |
-| macOS | Intel | `boundary-darwin-amd64` | `.tar.gz` |
-| macOS | Apple Silicon | `boundary-darwin-arm64` | `.tar.gz` |
+
 
 ## Version Naming
 
@@ -87,19 +86,7 @@ sudo mv boundary-linux-arm64 /usr/local/bin/boundary
 boundary --help
 ```
 
-**macOS (Intel)**
-```bash
-curl -fsSL https://github.com/coder/boundary/releases/latest/download/boundary-darwin-amd64.tar.gz | tar -xz
-sudo mv boundary-darwin-amd64 /usr/local/bin/boundary
-boundary --help
-```
 
-**macOS (Apple Silicon)**
-```bash
-curl -fsSL https://github.com/coder/boundary/releases/latest/download/boundary-darwin-arm64.tar.gz | tar -xz
-sudo mv boundary-darwin-arm64 /usr/local/bin/boundary
-boundary --help
-```
 
 ### Verify Installation
 

cli/cli.go

@@ -27,7 +27,6 @@ type Config struct {
 	AllowStrings []string
 	LogLevel     string
 	LogDir       string
-	Unprivileged bool
 	ProxyPort    int64
 	PprofEnabled bool
 	PprofPort    int64
@@ -83,12 +82,6 @@ func BaseCommand() *serpent.Command {
 				Description: "Set a directory to write logs to rather than stderr.",
 				Value:       serpent.StringOf(&config.LogDir),
 			},
-			{
-				Flag:        "unprivileged",
-				Env:         "BOUNDARY_UNPRIVILEGED",
-				Description: "Run in unprivileged mode (no network isolation, uses proxy environment variables).",
-				Value:       serpent.BoolOf(&config.Unprivileged),
-			},
 			{
 				Flag:        "proxy-port",
 				Env:         "PROXY_PORT",
@@ -211,7 +204,7 @@ func Run(ctx context.Context, config Config, args []string) error {
 		HomeDir:       homeDir,
 		ConfigDir:     configDir,
 		CACertPath:    caCertPath,
-	}, config.Unprivileged)
+	})
 	if err != nil {
 		return fmt.Errorf("failed to create jailer: %v", err)
 	}
@@ -334,11 +327,7 @@ func setupLogging(config Config) (*slog.Logger, error) {
 }
 
 // createJailer creates a new jail instance for the current platform
-func createJailer(config jail.Config, unprivileged bool) (jail.Jailer, error) {
-	if unprivileged {
-		return jail.NewUnprivileged(config)
-	}
-
+func createJailer(config jail.Config) (jail.Jailer, error) {
 	// Use the DefaultOS function for platform-specific jail creation
 	return jail.DefaultOS(config)
 }

install.sh

@@ -64,11 +64,8 @@ detect_platform() {
         Linux*)
             os="linux"
             ;;
-        Darwin*)
-            os="darwin"
-            ;;
         *)
-            log_error "Unsupported operating system: $(uname -s). Only Linux and macOS are supported."
+            log_error "Unsupported operating system: $(uname -s). Only Linux is supported."
             ;;
     esac
 

jail/jail.go

@@ -30,8 +30,6 @@ func DefaultOS(config Config) (Jailer, error) {
 	switch runtime.GOOS {
 	case "linux":
 		return NewLinuxJail(config)
-	case "darwin":
-		return NewMacOSJail(config)
 	default:
 		return nil, fmt.Errorf("unsupported operating system: %s", runtime.GOOS)
 	}