sandbox/linux/BUILD.gn

# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/features.gni")
import("//testing/test.gni")

declare_args() {
  compile_suid_client = is_linux

  compile_credentials = is_linux

  # On Android, use plain GTest.
  use_base_test_suite = is_linux
}

# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.

group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}

source_set("sandbox_linux_test_utils") {
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }

  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }
}

# Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
source_set("sandbox_linux_unittests_sources") {
  testonly = true

  sources = [
    "services/proc_util_unittest.cc",
    "services/resource_limits_unittests.cc",
    "services/scoped_process_unittest.cc",
    "services/syscall_wrappers_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_file_permission_unittest.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/test_utils_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//testing/gtest",
  ]

  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
      "suid/client/setuid_sandbox_host_unittest.cc",
    ]
  }
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/codegen_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "bpf_dsl/syscall_set_unittest.cc",
      "integration_tests/bpf_dsl_seccomp_unittest.cc",
      "integration_tests/seccomp_broker_process_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
      "seccomp-bpf/trap_unittest.cc",
    ]
  }
  if (compile_credentials) {
    sources += [
      "integration_tests/namespace_unix_domain_socket_unittest.cc",
      "services/credentials_unittest.cc",
      "services/namespace_utils_unittest.cc",
    ]

    if (use_base_test_suite) {
      # Tests that use advanced features not available in stock GTest.
      sources += [ "services/namespace_sandbox_unittest.cc" ]
    }

    # For credentials_unittest.cc
    configs += [ "//build/config/linux:libcap" ]
  }
}

# The main sandboxing test target.
test("sandbox_linux_unittests") {
  deps = [
    ":sandbox_linux_unittests_sources",
  ]
}

# This target is the shared library used by Android APK (i.e.
# JNI-friendly) tests.
shared_library("sandbox_linux_jni_unittests") {
  testonly = true
  deps = [
    ":sandbox_linux_unittests_sources",
  ]
  if (is_android) {
    deps += [ "//testing/android/native_test:native_test_native_code" ]
  }
}

component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/codegen.cc",
    "bpf_dsl/codegen.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/dump_bpf.cc",
    "bpf_dsl/dump_bpf.h",
    "bpf_dsl/linux_syscall_ranges.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/seccomp_macros.h",
    "bpf_dsl/syscall_set.cc",
    "bpf_dsl/syscall_set.h",
    "bpf_dsl/trap_registry.h",
    "bpf_dsl/verifier.cc",
    "bpf_dsl/verifier.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    ":sandbox_services_headers",
    "//base",
  ]
}

component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":sandbox_services",
    ":seccomp_bpf",
  ]
}

if (is_linux) {
  # The setuid sandbox for Linux.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      "-Wno-sign-compare",
    ]
  }
}

component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/proc_util.cc",
    "services/proc_util.h",
    "services/resource_limits.cc",
    "services/resource_limits.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/syscall_wrappers.cc",
    "services/syscall_wrappers.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.cc",
    "services/yama.h",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_file_permission.cc",
    "syscall_broker/broker_file_permission.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
  ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
      "services/namespace_sandbox.cc",
      "services/namespace_sandbox.h",
      "services/namespace_utils.cc",
      "services/namespace_utils.h",
    ]

    deps += [ ":sandbox_services_headers" ]
  }
}

source_set("sandbox_services_headers") {
  sources = [
    "system_headers/arm64_linux_syscalls.h",
    "system_headers/arm64_linux_ucontext.h",
    "system_headers/arm_linux_syscalls.h",
    "system_headers/arm_linux_ucontext.h",
    "system_headers/i386_linux_ucontext.h",
    "system_headers/linux_futex.h",
    "system_headers/linux_seccomp.h",
    "system_headers/linux_signal.h",
    "system_headers/linux_syscalls.h",
    "system_headers/linux_ucontext.h",
    "system_headers/x86_32_linux_syscalls.h",
    "system_headers/x86_64_linux_syscalls.h",
  ]
}

# We make this its own target so that it does not interfere with our tests.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}

if (compile_suid_client) {
  component("suid_sandbox_client") {
    sources = [
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
      "suid/client/setuid_sandbox_host.cc",
      "suid/client/setuid_sandbox_host.h",
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}

if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}
  # TODO(GYP) convert this.
  #      {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #      }
}