sandbox/linux/BUILD.gn

# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/features.gni")

declare_args() {
  compile_suid_client = is_linux

  compile_credentials = is_linux

  compile_seccomp_bpf_demo =
    (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}

# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.

group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}

source_set("sandbox_linux_test_utils") {
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [
      ":seccomp_bpf",
    ]
  }
}

# The main sandboxing test target.
test("sandbox_linux_unittests") {
  sources = [
    "services/broker_process_unittest.cc",
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
    ]
  }
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}

# TODO(GYP) Android version of this test.
#    {
#      # This target is the shared library used by Android APK (i.e.
#      # JNI-friendly) tests.
#      "target_name": "sandbox_linux_jni_unittests",
#      "includes": [
#        "sandbox_linux_test_sources.gypi",
#      ],
#      "type": "shared_library",
#      "conditions": [
#        [ "OS == "android"", {
#          "dependencies": [
#            "../testing/android/native_test.gyp:native_test_native_code",
#          ],
#        }],
#      ],
#    },

component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/cons.h",
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/sandbox_bpf_compatibility_policy.h",
    "seccomp-bpf/sandbox_bpf_policy.cc",
    "seccomp-bpf/sandbox_bpf_policy.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}

component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}

if (compile_seccomp_bpf_demo) {
  # A demonstration program for the seccomp-bpf sandbox.
  executable("seccomp_bpf_demo") {
    sources = [
      "seccomp-bpf/demo.cc",
    ]
    deps = [
      ":seccomp_bpf",
    ]
  }
}

# The setuid sandbox for Linux.
executable("chrome_sandbox") {
  sources = [
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/linux_util.c",
    "suid/linux_util.h",
    "suid/process_util.h",
    "suid/process_util_linux.c",
    "suid/sandbox.c",
  ]

  cflags = [
    # For ULLONG_MAX
    "-std=gnu99",
    # These files have a suspicious comparison.
    # TODO fix this and re-enable this warning.
    "-Wno-sign-compare",
  ]
}

component("sandbox_services") {
  sources = [
    "services/broker_process.cc",
    "services/broker_process.h",
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]
    # For capabilities.cc.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [
    "//base",
  ]
}

source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_arm64_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/arm64_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}

# We make this its own target so that it does not interfere with our tests.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}

component("suid_sandbox_client") {
  sources = [
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/client/setuid_sandbox_client.cc",
    "suid/client/setuid_sandbox_client.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    "//base",
  ]
}

if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}

  # TODO(GYP) convert this.
  #      {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #      }
}