# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# use_seccomp_bpf is read below but not declared in this file; presumably it
# comes from features.gni (confirm there before changing its default).
import("//build/config/features.gni")

# Presumably provides the test() template used for sandbox_linux_unittests.
import("//testing/test.gni")
# Build arguments local to this file. Each one switches a sandbox layer (or
# its test support) on or off; nothing in this file substitutes another
# mechanism when a layer is switched off.
declare_args() {
  # Build the ":suid_sandbox_client" component and its unit tests, and add the
  # component to the ":sandbox" group. Defaults to Linux only.
  compile_suid_client = is_linux

  # Build services/credentials.*, services/namespace_sandbox.* and
  # services/namespace_utils.* into ":sandbox_services", plus their tests.
  # Defaults to Linux only.
  compile_credentials = is_linux

  # On Android, use plain GTest.
  # When true, the test targets depend on //base/test:test_support and are
  # compiled with SANDBOX_USES_BASE_TEST_SUITE defined.
  use_base_test_suite = is_linux
}
# We have two principal targets: sandbox and sandbox_linux_unittests.
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
# Aggregate target for the sandbox libraries. ":sandbox_services" is always
# included; the setuid client and the seccomp-bpf components are added only
# when compile_suid_client / use_seccomp_bpf are true, so with both false a
# dependent gets ":sandbox_services" alone.
group("sandbox") {
  deps = [ ":sandbox_services" ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }

  if (use_seccomp_bpf) {
    deps += [ ":seccomp_bpf", ":seccomp_bpf_helpers" ]
  }
}
# Test support code under tests/ shared by the sandbox unit tests, plus the
# seccomp-bpf test runner when that sandbox is built.
source_set("sandbox_linux_test_utils") {
  # testonly: non-test targets are not allowed to depend on this code.
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # The BPF test helpers are compiled only together with ":seccomp_bpf".
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }

  # Same switch as in sandbox_linux_unittests_sources; the define presumably
  # lets the test sources pick the base test suite over plain GTest.
  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }
}
# Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
#
# Tests for an optional layer are compiled only when that layer is
# (compile_suid_client, use_seccomp_bpf, compile_credentials), so a passing
# run in a configuration with a layer disabled says nothing about that layer.
source_set("sandbox_linux_unittests_sources") {
  testonly = true

  sources = [
    "services/proc_util_unittest.cc",
    "services/resource_limits_unittests.cc",
    "services/scoped_process_unittest.cc",
    "services/syscall_wrappers_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_file_permission_unittest.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/test_utils_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//testing/gtest",
  ]

  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  # Setuid sandbox client/host tests.
  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
      "suid/client/setuid_sandbox_host_unittest.cc",
    ]
  }

  # seccomp-bpf tests: the policy DSL, the helpers and the integration tests.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/codegen_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "bpf_dsl/syscall_set_unittest.cc",
      "integration_tests/bpf_dsl_seccomp_unittest.cc",
      "integration_tests/seccomp_broker_process_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
      "seccomp-bpf/trap_unittest.cc",
    ]
  }

  # Credentials and namespace tests.
  if (compile_credentials) {
    sources += [
      "integration_tests/namespace_unix_domain_socket_unittest.cc",
      "services/credentials_unittest.cc",
      "services/namespace_utils_unittest.cc",
    ]

    if (use_base_test_suite) {
      # Tests that use advanced features not available in stock GTest.
      sources += [ "services/namespace_sandbox_unittest.cc" ]
    }

    # For credentials_unittest.cc
    configs += [ "//build/config/linux:libcap" ]
  }
}
# The main sandboxing test target. It adds no sources of its own; everything
# it runs comes from ":sandbox_linux_unittests_sources".
test("sandbox_linux_unittests") {
  deps = [ ":sandbox_linux_unittests_sources" ]
}
# Shared library used by the Android APK (i.e. JNI-friendly) tests. It wraps
# the same test sources as sandbox_linux_unittests; the native-test glue is
# linked in only on Android.
shared_library("sandbox_linux_jni_unittests") {
  testonly = true
  deps = [ ":sandbox_linux_unittests_sources" ]

  if (is_android) {
    deps += [ "//testing/android/native_test:native_test_native_code" ]
  }
}
# The seccomp-bpf sandbox component, built from bpf_dsl/ and seccomp-bpf/.
# It is part of the ":sandbox" group only when use_seccomp_bpf is true.
#
# NOTE(review): judging by the file names, bpf_dsl/ holds the policy
# compiler, code generator and verifier; a change to any of them affects
# every filter built with this component, so it should be reviewed together
# with the matching *_unittest.cc - confirm the split against the sources.
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/codegen.cc",
    "bpf_dsl/codegen.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/dump_bpf.cc",
    "bpf_dsl/dump_bpf.h",
    "bpf_dsl/linux_syscall_ranges.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/seccomp_macros.h",
    "bpf_dsl/syscall_set.cc",
    "bpf_dsl/syscall_set.h",
    "bpf_dsl/trap_registry.h",
    "bpf_dsl/verifier.cc",
    "bpf_dsl/verifier.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
  ]

  # Presumably marks these sources as the exporting side of the component's
  # export macro - confirm against the export header.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    ":sandbox_services_headers",
    "//base",
  ]
}
# Helper code built on top of ":seccomp_bpf", from seccomp-bpf-helpers/.
#
# NOTE(review): judging by the file names, this holds the baseline policy,
# the SIGSYS handlers and the syscall sets / parameter restrictions. Edits
# to those files likely change which system calls a sandboxed process may
# make - confirm against the sources and review such changes as policy
# changes, not as refactoring.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":sandbox_services",
    ":seccomp_bpf",
  ]
}
if (is_linux) {
  # The setuid sandbox for Linux.
  #
  # Built as a standalone executable from C sources; it declares no deps, so
  # it shares only the two suid/common headers with ":suid_sandbox_client".
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      #
      # NOTE(review): the flag silences -Wsign-compare for every source in
      # this target, not just the one known comparison. Signed/unsigned
      # mix-ups are a common cause of broken bounds checks, and this is the
      # setuid binary, so the suppression should be dropped (or scoped to
      # the offending line) as soon as the comparison is fixed. New code
      # added here gets no warning in the meantime.
      "-Wno-sign-compare",
    ]
  }
}
# Core sandbox support code from services/ and syscall_broker/. This is the
# one component the ":sandbox" group always includes, and both seccomp
# components and the setuid client depend on it.
component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/proc_util.cc",
    "services/proc_util.h",
    "services/resource_limits.cc",
    "services/resource_limits.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/syscall_wrappers.cc",
    "services/syscall_wrappers.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.cc",
    "services/yama.h",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_file_permission.cc",
    "syscall_broker/broker_file_permission.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
  ]

  # Credentials and namespace code is optional. When compile_credentials is
  # false these files are simply absent from the component, and the
  # ":sandbox_services_headers" dependency is not added either.
  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
      "services/namespace_sandbox.cc",
      "services/namespace_sandbox.h",
      "services/namespace_utils.cc",
      "services/namespace_utils.h",
    ]

    deps += [ ":sandbox_services_headers" ]
  }
}
# Header-only target (no .cc files) under system_headers/.
#
# NOTE(review): these look like project-local copies of kernel/libc
# definitions (syscall numbers per architecture, ucontext, futex, seccomp,
# signal). If so, a wrong or stale constant here would silently change what
# a seccomp filter matches on that architecture - confirm, and check new
# values against the kernel headers when updating.
source_set("sandbox_services_headers") {
  sources = [
    "system_headers/arm64_linux_syscalls.h",
    "system_headers/arm64_linux_ucontext.h",
    "system_headers/arm_linux_syscalls.h",
    "system_headers/arm_linux_ucontext.h",
    "system_headers/i386_linux_ucontext.h",
    "system_headers/linux_futex.h",
    "system_headers/linux_seccomp.h",
    "system_headers/linux_signal.h",
    "system_headers/linux_syscalls.h",
    "system_headers/linux_ucontext.h",
    "system_headers/x86_32_linux_syscalls.h",
    "system_headers/x86_64_linux_syscalls.h",
  ]
}
# Kept as its own target so that it does not interfere with our tests.
# No other target in this file depends on it, so it is not part of the
# ":sandbox" group; a consumer has to list it in its deps explicitly.
source_set("libc_urandom_override") {
  deps = [ "//base" ]
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
}
# Client and host side of the setuid sandbox, built only when
# compile_suid_client is true.
if (compile_suid_client) {
  component("suid_sandbox_client") {
    sources = [
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
      "suid/client/setuid_sandbox_host.cc",
      "suid/client/setuid_sandbox_host.h",

      # These two headers are also compiled into the chrome_sandbox
      # executable. Presumably they carry the contract between this
      # component and the setuid helper, so a change to either one has to
      # be checked against both targets - confirm.
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}
# Android-only targets that have not been ported from GYP yet. Everything
# inside the block is commented out, so the block currently defines nothing.
if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  # NOTE(review): the script name below reads "android_stip.py"; that looks
  # like a typo for android_strip - confirm before enabling.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}
  # TODO(GYP) convert this.
  #      {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #      }
}