Google Git
Sign in
chromium / chromium / src.git / a926d0b8cd3d2a3175ef518d8987c7511b083303 / . / sandbox / linux / BUILD.gn
blob: 84966854cec7762df3530489d16dfacb818f14ed [file] [log] [blame]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]1# Copyright 2014 The Chromium Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5import("//build/config/features.gni")
qsrfb5251d12015-01-21 15:57:22[diff] [blame]6import("//testing/test.gni")
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]7
8declare_args() {
9 compile_suid_client = is_linux
10
11 compile_credentials = is_linux
12
13 compile_seccomp_bpf_demo =
dpranke43276212015-02-20 02:55:19[diff] [blame]14 is_linux && (current_cpu == "x86" || current_cpu == "x64")
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]15}
16
17# We have two principal targets: sandbox and sandbox_linux_unittests
18# All other targets are listed as dependencies.
19# There is one notable exception: for historical reasons, chrome_sandbox is
20# the setuid sandbox and is its own target.
21
22group("sandbox") {
23 deps = [
24 ":sandbox_services",
25 ]
26
27 if (compile_suid_client) {
28 deps += [ ":suid_sandbox_client" ]
29 }
30 if (use_seccomp_bpf) {
31 deps += [
32 ":seccomp_bpf",
33 ":seccomp_bpf_helpers",
34 ]
35 }
36}
37
38source_set("sandbox_linux_test_utils") {
Brett Wilson0c8745a2014-09-08 22:59:49[diff] [blame]39 testonly = true
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]40 sources = [
41 "tests/sandbox_test_runner.cc",
42 "tests/sandbox_test_runner.h",
43 "tests/sandbox_test_runner_function_pointer.cc",
44 "tests/sandbox_test_runner_function_pointer.h",
45 "tests/test_utils.cc",
46 "tests/test_utils.h",
47 "tests/unit_tests.cc",
48 "tests/unit_tests.h",
49 ]
50
51 deps = [
52 "//testing/gtest",
53 ]
54
55 if (use_seccomp_bpf) {
56 sources += [
57 "seccomp-bpf/bpf_tester_compatibility_delegate.h",
58 "seccomp-bpf/bpf_tests.h",
59 "seccomp-bpf/sandbox_bpf_test_runner.cc",
60 "seccomp-bpf/sandbox_bpf_test_runner.h",
61 ]
scottmg34fb7e52014-12-03 23:27:24[diff] [blame]62 deps += [ ":seccomp_bpf" ]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]63 }
64}
65
rockot86da06c7f2015-02-21 00:40:58[diff] [blame]66# Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
67source_set("sandbox_linux_unittests_sources") {
68 testonly = true
69
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]70 sources = [
jlnb14fc802015-02-12 05:32:11[diff] [blame]71 "services/proc_util_unittest.cc",
jln977185982015-02-13 20:58:41[diff] [blame]72 "services/resource_limits_unittests.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]73 "services/scoped_process_unittest.cc",
jlnc420f0d2014-11-22 01:12:09[diff] [blame]74 "services/syscall_wrappers_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]75 "services/thread_helpers_unittests.cc",
76 "services/yama_unittests.cc",
leecamad78f422014-11-26 22:08:45[diff] [blame]77 "syscall_broker/broker_file_permission_unittest.cc",
jln70c42c202014-11-01 00:59:57[diff] [blame]78 "syscall_broker/broker_process_unittest.cc",
[email protected]232f6e112014-06-27 07:51:38[diff] [blame]79 "tests/main.cc",
80 "tests/scoped_temporary_file.cc",
81 "tests/scoped_temporary_file.h",
82 "tests/scoped_temporary_file_unittest.cc",
jlnc420f0d2014-11-22 01:12:09[diff] [blame]83 "tests/test_utils_unittest.cc",
[email protected]232f6e112014-06-27 07:51:38[diff] [blame]84 "tests/unit_tests_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]85 ]
86
87 deps = [
88 ":sandbox",
89 ":sandbox_linux_test_utils",
90 "//base",
91 "//base/test:test_support",
92 "//testing/gtest",
93 ]
94
Brett Wilson73067532014-09-12 22:24:14[diff] [blame]95 if (is_linux) {
96 # Don't use this on Android.
97 libs = [ "rt" ]
98 }
Brett Wilsone39344352014-09-12 21:07:26[diff] [blame]99
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]100 if (compile_suid_client) {
mdempsky3cc942a2015-02-05 03:29:25[diff] [blame]101 sources += [
102 "suid/client/setuid_sandbox_client_unittest.cc",
103 "suid/client/setuid_sandbox_host_unittest.cc",
104 ]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]105 }
106 if (use_seccomp_bpf) {
107 sources += [
[email protected]fb75e2a2014-07-17 07:24:58[diff] [blame]108 "bpf_dsl/bpf_dsl_unittest.cc",
mdempskyb80b1f52015-02-05 00:54:35[diff] [blame]109 "bpf_dsl/codegen_unittest.cc",
[email protected]fb75e2a2014-07-17 07:24:58[diff] [blame]110 "bpf_dsl/cons_unittest.cc",
mdempskyce4c9f12015-02-05 06:23:05[diff] [blame]111 "bpf_dsl/syscall_set_unittest.cc",
jlnaedcc3e2015-02-12 03:18:10[diff] [blame]112 "integration_tests/bpf_dsl_seccomp_unittest.cc",
113 "integration_tests/seccomp_broker_process_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]114 "seccomp-bpf-helpers/baseline_policy_unittest.cc",
jlnfcdfb102014-09-12 02:47:44[diff] [blame]115 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]116 "seccomp-bpf/bpf_tests_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]117 "seccomp-bpf/errorcode_unittest.cc",
jlna29d0a32014-11-26 22:38:35[diff] [blame]118 "seccomp-bpf/sandbox_bpf_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]119 "seccomp-bpf/syscall_unittest.cc",
hidehikoa926d0b2015-04-24 21:55:21[diff] [blame^]120 "seccomp-bpf/trap_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]121 ]
122 }
123 if (compile_credentials) {
124 sources += [
jlnaedcc3e2015-02-12 03:18:10[diff] [blame]125 "integration_tests/namespace_unix_domain_socket_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]126 "services/credentials_unittest.cc",
rickyz8f235da2015-02-03 07:26:19[diff] [blame]127 "services/namespace_sandbox_unittest.cc",
rickyz41fb1452015-01-27 03:57:58[diff] [blame]128 "services/namespace_utils_unittest.cc",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]129 ]
rickyz966f039d2015-03-17 07:23:43[diff] [blame]130
131 # For credentials_unittest.cc
132 configs += [ "//build/config/linux:libcap" ]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]133 }
134}
135
rockot86da06c7f2015-02-21 00:40:58[diff] [blame]136# The main sandboxing test target.
137test("sandbox_linux_unittests") {
138 deps = [
139 ":sandbox_linux_unittests_sources",
140 ]
141}
142
143# This target is the shared library used by Android APK (i.e.
144# JNI-friendly) tests.
145shared_library("sandbox_linux_jni_unittests") {
146 testonly = true
147 deps = [
148 ":sandbox_linux_unittests_sources",
149 ]
150 if (is_android) {
jbudorick6ab224952015-04-09 21:51:55[diff] [blame]151 deps += [ "//testing/android/native_test:native_test_native_code" ]
rockot86da06c7f2015-02-21 00:40:58[diff] [blame]152 }
153}
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]154
155component("seccomp_bpf") {
156 sources = [
[email protected]fb75e2a2014-07-17 07:24:58[diff] [blame]157 "bpf_dsl/bpf_dsl.cc",
158 "bpf_dsl/bpf_dsl.h",
mdempskyc60a1c52014-10-24 23:07:10[diff] [blame]159 "bpf_dsl/bpf_dsl_forward.h",
mdempskyfb10cce2014-10-14 17:56:44[diff] [blame]160 "bpf_dsl/bpf_dsl_impl.h",
mdempskyb80b1f52015-02-05 00:54:35[diff] [blame]161 "bpf_dsl/codegen.cc",
162 "bpf_dsl/codegen.h",
[email protected]fb75e2a2014-07-17 07:24:58[diff] [blame]163 "bpf_dsl/cons.h",
mdempskya41c4042014-10-31 20:50:27[diff] [blame]164 "bpf_dsl/dump_bpf.cc",
165 "bpf_dsl/dump_bpf.h",
jlna65ffca2015-02-13 04:12:43[diff] [blame]166 "bpf_dsl/linux_syscall_ranges.h",
mdempskyc60a1c52014-10-24 23:07:10[diff] [blame]167 "bpf_dsl/policy.cc",
168 "bpf_dsl/policy.h",
mdempsky27e78ad72014-10-16 16:49:54[diff] [blame]169 "bpf_dsl/policy_compiler.cc",
170 "bpf_dsl/policy_compiler.h",
jlna65ffca2015-02-13 04:12:43[diff] [blame]171 "bpf_dsl/seccomp_macros.h",
mdempskyce4c9f12015-02-05 06:23:05[diff] [blame]172 "bpf_dsl/syscall_set.cc",
173 "bpf_dsl/syscall_set.h",
mdempsky27e78ad72014-10-16 16:49:54[diff] [blame]174 "bpf_dsl/trap_registry.h",
mdempsky5953fcd2015-03-09 18:06:18[diff] [blame]175 "bpf_dsl/verifier.cc",
176 "bpf_dsl/verifier.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]177 "seccomp-bpf/die.cc",
178 "seccomp-bpf/die.h",
179 "seccomp-bpf/errorcode.cc",
180 "seccomp-bpf/errorcode.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]181 "seccomp-bpf/sandbox_bpf.cc",
182 "seccomp-bpf/sandbox_bpf.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]183 "seccomp-bpf/syscall.cc",
184 "seccomp-bpf/syscall.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]185 "seccomp-bpf/trap.cc",
186 "seccomp-bpf/trap.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]187 ]
188 defines = [ "SANDBOX_IMPLEMENTATION" ]
189
190 deps = [
jlnbd4df41c2014-11-25 02:32:30[diff] [blame]191 ":sandbox_services",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]192 ":sandbox_services_headers",
193 "//base",
194 ]
195}
196
197component("seccomp_bpf_helpers") {
198 sources = [
199 "seccomp-bpf-helpers/baseline_policy.cc",
200 "seccomp-bpf-helpers/baseline_policy.h",
201 "seccomp-bpf-helpers/sigsys_handlers.cc",
202 "seccomp-bpf-helpers/sigsys_handlers.h",
203 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
204 "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
205 "seccomp-bpf-helpers/syscall_sets.cc",
206 "seccomp-bpf-helpers/syscall_sets.h",
207 ]
208 defines = [ "SANDBOX_IMPLEMENTATION" ]
209
210 deps = [
211 "//base",
jamesr4359db72015-01-21 12:40:00[diff] [blame]212 ":sandbox_services",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]213 ":seccomp_bpf",
214 ]
215}
216
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]217if (is_linux) {
scottmg34fb7e52014-12-03 23:27:24[diff] [blame]218 # The setuid sandbox for Linux.
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]219 executable("chrome_sandbox") {
220 sources = [
221 "suid/common/sandbox.h",
222 "suid/common/suid_unsafe_environment_variables.h",
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]223 "suid/process_util.h",
224 "suid/process_util_linux.c",
225 "suid/sandbox.c",
226 ]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]227
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]228 cflags = [
229 # For ULLONG_MAX
230 "-std=gnu99",
scottmg34fb7e52014-12-03 23:27:24[diff] [blame]231
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]232 # These files have a suspicious comparison.
233 # TODO fix this and re-enable this warning.
234 "-Wno-sign-compare",
235 ]
236 }
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]237}
238
239component("sandbox_services") {
240 sources = [
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]241 "services/init_process_reaper.cc",
242 "services/init_process_reaper.h",
jlnb14fc802015-02-12 05:32:11[diff] [blame]243 "services/proc_util.cc",
244 "services/proc_util.h",
jln977185982015-02-13 20:58:41[diff] [blame]245 "services/resource_limits.cc",
246 "services/resource_limits.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]247 "services/scoped_process.cc",
248 "services/scoped_process.h",
jln610a4a612014-11-20 18:58:21[diff] [blame]249 "services/syscall_wrappers.cc",
250 "services/syscall_wrappers.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]251 "services/thread_helpers.cc",
252 "services/thread_helpers.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]253 "services/yama.cc",
jlnb14fc802015-02-12 05:32:11[diff] [blame]254 "services/yama.h",
jln878dca32014-11-11 07:43:57[diff] [blame]255 "syscall_broker/broker_channel.cc",
256 "syscall_broker/broker_channel.h",
jln70c42c202014-11-01 00:59:57[diff] [blame]257 "syscall_broker/broker_client.cc",
258 "syscall_broker/broker_client.h",
259 "syscall_broker/broker_common.h",
leecamad78f422014-11-26 22:08:45[diff] [blame]260 "syscall_broker/broker_file_permission.cc",
261 "syscall_broker/broker_file_permission.h",
jln70c42c202014-11-01 00:59:57[diff] [blame]262 "syscall_broker/broker_host.cc",
263 "syscall_broker/broker_host.h",
264 "syscall_broker/broker_policy.cc",
265 "syscall_broker/broker_policy.h",
266 "syscall_broker/broker_process.cc",
267 "syscall_broker/broker_process.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]268 ]
269
270 defines = [ "SANDBOX_IMPLEMENTATION" ]
271
rickyz966f039d2015-03-17 07:23:43[diff] [blame]272 deps = [
273 "//base",
274 ]
275
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]276 if (compile_credentials) {
277 sources += [
278 "services/credentials.cc",
279 "services/credentials.h",
rickyz8f235da2015-02-03 07:26:19[diff] [blame]280 "services/namespace_sandbox.cc",
281 "services/namespace_sandbox.h",
rickyz41fb1452015-01-27 03:57:58[diff] [blame]282 "services/namespace_utils.cc",
283 "services/namespace_utils.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]284 ]
scottmg34fb7e52014-12-03 23:27:24[diff] [blame]285
rickyz966f039d2015-03-17 07:23:43[diff] [blame]286 deps += [ ":sandbox_services_headers" ]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]287 }
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]288}
289
290source_set("sandbox_services_headers") {
291 sources = [
jlnaedcc3e2015-02-12 03:18:10[diff] [blame]292 "system_headers/arm64_linux_syscalls.h",
hidehikoa926d0b2015-04-24 21:55:21[diff] [blame^]293 "system_headers/arm64_linux_ucontext.h",
jlna65ffca2015-02-13 04:12:43[diff] [blame]294 "system_headers/arm_linux_syscalls.h",
hidehikoa926d0b2015-04-24 21:55:21[diff] [blame^]295 "system_headers/arm_linux_ucontext.h",
296 "system_headers/i386_linux_ucontext.h",
dnicoara97178052015-04-15 17:44:04[diff] [blame]297 "system_headers/linux_futex.h",
jlna65ffca2015-02-13 04:12:43[diff] [blame]298 "system_headers/linux_seccomp.h",
hidehikoa926d0b2015-04-24 21:55:21[diff] [blame^]299 "system_headers/linux_signal.h",
jlnaedcc3e2015-02-12 03:18:10[diff] [blame]300 "system_headers/linux_syscalls.h",
hidehikoa926d0b2015-04-24 21:55:21[diff] [blame^]301 "system_headers/linux_ucontext.h",
jlnaedcc3e2015-02-12 03:18:10[diff] [blame]302 "system_headers/x86_32_linux_syscalls.h",
303 "system_headers/x86_64_linux_syscalls.h",
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]304 ]
305}
306
307# We make this its own target so that it does not interfere with our tests.
308source_set("libc_urandom_override") {
309 sources = [
310 "services/libc_urandom_override.cc",
311 "services/libc_urandom_override.h",
312 ]
313 deps = [
314 "//base",
315 ]
316}
317
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]318if (compile_suid_client) {
319 component("suid_sandbox_client") {
320 sources = [
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]321 "suid/client/setuid_sandbox_client.cc",
322 "suid/client/setuid_sandbox_client.h",
mdempsky3cc942a2015-02-05 03:29:25[diff] [blame]323 "suid/client/setuid_sandbox_host.cc",
324 "suid/client/setuid_sandbox_host.h",
scottmg7c7296f42015-02-28 02:23:09[diff] [blame]325 "suid/common/sandbox.h",
326 "suid/common/suid_unsafe_environment_variables.h",
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]327 ]
328 defines = [ "SANDBOX_IMPLEMENTATION" ]
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]329
James Robinson060f2e32014-09-10 22:31:37[diff] [blame]330 deps = [
331 ":sandbox_services",
332 "//base",
333 ]
334 }
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]335}
336
337if (is_android) {
338 # TODO(GYP) enable this. Needs an android_strip wrapper python script.
339 #action("sandbox_linux_unittests_stripped") {
340 # script = "android_stip.py"
341 #
342 # in_file = "$root_out_dir/sandbox_linux_unittests"
343 #
344 # out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
345 # outputs = [ out_file ]
346 #
347 # args = [
348 # rebase_path(in_file, root_build_dir),
349 # "-o", rebase_path(out_file, root_build_dir),
350 # ]
351 #
352 # deps = [
353 # ":sandbox_linux_unittests",
354 # ]
355 #}
[email protected]75cd8f02014-05-29 20:56:02[diff] [blame]356 # TODO(GYP) convert this.
357 # {
358 # 'target_name': 'sandbox_linux_jni_unittests_apk',
359 # 'type': 'none',
360 # 'variables': {
361 # 'test_suite_name': 'sandbox_linux_jni_unittests',
362 # },
363 # 'dependencies': [
364 # 'sandbox_linux_jni_unittests',
365 # ],
366 # 'includes': [ '../../build/apk_test.gypi' ],
367 # }
368}