# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
4
5import("//build/config/features.gni")
6
# Build arguments for the Linux sandbox. These can be overridden per build;
# turning one off removes the matching sandbox code and its unit tests from
# the targets below.
declare_args() {
  # Build the setuid sandbox client (":suid_sandbox_client") and its unit
  # test. Defaults to on for Linux builds only.
  compile_suid_client = is_linux

  # Build services/credentials.* into ":sandbox_services" (which also adds the
  # libcap config) and the related unit tests. Defaults to on for Linux only.
  compile_credentials = is_linux

  # Defaults to on for Linux x86/x64 builds only.
  # NOTE(review): no target visible in this file reads this argument;
  # confirm it is still needed.
  compile_seccomp_bpf_demo =
      (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}
15
# We have two principal targets: sandbox and sandbox_linux_unittests.
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
20
# Aggregate target for the Linux sandbox: always ":sandbox_services", plus the
# setuid sandbox client and the seccomp-bpf components when their build flags
# are set.
group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  # Optional layers. With a flag off, ":sandbox" is built without that
  # mechanism, so dependents must not assume both layers are present.
  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }

  # use_seccomp_bpf is not declared in this file; presumably it comes from the
  # imported //build/config/features.gni. TODO confirm.
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}
36
# Shared test scaffolding (test runners and unit-test helpers) used by the
# sandbox unit tests.
source_set("sandbox_linux_test_utils") {
  # Test-only: GN rejects a dependency on this target from a non-test target,
  # which keeps the test helpers out of shipping binaries.
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # The BPF test runner is added only when seccomp-bpf is enabled, and then
  # needs the ":seccomp_bpf" component.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [
      ":seccomp_bpf",
    ]
  }
}
66
# The main sandboxing test target.
#
# The setuid-client, seccomp-bpf and credentials tests are compiled in only
# when the matching build flag is set. A configuration with a flag off
# therefore runs no tests for that mechanism, so a green run in that
# configuration says nothing about it.
test("sandbox_linux_unittests") {
  sources = [
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  # Tests for the setuid sandbox client.
  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
    ]
  }

  # Tests for the BPF policy DSL, the baseline policy and the seccomp-bpf
  # code generator.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_more_unittest.cc",
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }

  # Tests gated on the credentials code being built.
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}
120
# TODO(GYP) Android version of this test.
#    {
#      # This target is the shared library used by Android APK (i.e.
#      # JNI-friendly) tests.
#      "target_name": "sandbox_linux_jni_unittests",
#      "includes": [
#        "sandbox_linux_test_sources.gypi",
#      ],
#      "type": "shared_library",
#      "conditions": [
#        [ "OS == "android"", {
#          "dependencies": [
#            "../testing/android/native_test.gyp:native_test_native_code",
#          ],
#        }],
#      ],
#    },
138
# The seccomp-bpf component: sources from bpf_dsl/ (policy DSL and policy
# compiler) and seccomp-bpf/ (code generation, verifier, trap and syscall
# support).
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/dump_bpf.cc",
    "bpf_dsl/dump_bpf.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/trap_registry.h",
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]

  # Same define as the other sandbox components in this file; presumably it
  # selects the exporting side of the sandbox export macros. TODO confirm.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # Only the syscall/ucontext headers are needed from services, not the
  # ":sandbox_services" component itself.
  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}
181
# Helpers layered on ":seccomp_bpf": the baseline policy, SIGSYS handlers,
# syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]

  # Same define as the other sandbox components in this file; presumably it
  # selects the exporting side of the sandbox export macros. TODO confirm.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}
200
if (is_linux) {
  # The setuid sandbox for Linux.
  #
  # This is the only executable defined in this file and it is built from C
  # sources. The two suid/common headers are also listed by
  # ":suid_sandbox_client"; presumably they are the shared interface between
  # the helper and its client. TODO confirm.
  #
  # NOTE(review): no hardening flags are set on this target; presumably they
  # come from the default configs. Confirm for a setuid binary.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",
      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): this suppression applies to every source of the setuid
      # helper, so it hides all signed/unsigned comparison warnings there,
      # not just the known one. Mixed-sign comparisons in length or bounds
      # checks are a common bug class in privileged C code; fix the
      # comparison and drop this flag rather than leaving it in place.
      "-Wno-sign-compare",
    ]
  }
}
221
# Sandbox support services: init process reaper, scoped process, thread
# helpers, Yama support and the syscall broker. The credentials code is added
# only when compile_credentials is set.
component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  # Same define as the other sandbox components in this file; presumably it
  # selects the exporting side of the sandbox export macros. TODO confirm.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]

    # For capabilities.cc.
    # NOTE(review): no capabilities.cc is listed in this target; the sources
    # added here are credentials.cc/.h, so libcap is presumably needed by
    # those. Confirm and update the comment above.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [
    "//base",
  ]
}
260
# Header-only target: per-architecture syscall number and ucontext headers,
# plus the Android futex header. ":seccomp_bpf" depends on this instead of on
# the full ":sandbox_services" component.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_arm64_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/arm64_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}
275
# We make this its own target so that it does not interfere with our tests.
#
# It is not a dependency of ":sandbox" or of the test target in this file, so
# a binary that wants it must depend on it explicitly.
# NOTE(review): going by the name, this replaces how libc reaches the urandom
# device. Confirm which binaries link it and that each one needs it.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}
286
# Client side of the setuid sandbox. Defined only when compile_suid_client is
# set, which is also the condition under which ":sandbox" depends on it.
if (compile_suid_client) {
  component("suid_sandbox_client") {
    # The two suid/common headers are also listed by the chrome_sandbox
    # executable; presumably they are the shared interface between client and
    # setuid helper, so changes to them affect both. TODO confirm.
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
    ]

    # Same define as the other sandbox components in this file; presumably it
    # selects the exporting side of the sandbox export macros. TODO confirm.
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}
303
# Android-only targets. Everything in this block is still commented out
# pending conversion from GYP, so no target is defined here yet.
if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  # NOTE(review): the script name below reads "android_stip.py"; likely meant
  # "android_strip.py". Fix when enabling.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}

  # TODO(GYP) convert this.
  #    {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #    }
}