[chromium-blink-merge.git] / sandbox / linux / BUILD.gn
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
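# Build arguments that select which Linux sandbox pieces are compiled.
# Values declared in declare_args() can be overridden per build (e.g. via
# `gn args`), so a build that turns one of these off is produced without the
# corresponding sandbox code; review any override with that in mind.
declare_args() {
  # Gates the ":suid_sandbox_client" target and its unit test below.
  compile_suid_client = is_linux

  # Gates services/credentials.* (and the libcap config) in
  # ":sandbox_services", plus the unit tests listed under the same flag.
  compile_credentials = is_linux

  # NOTE(review): not referenced by any target visible in this file;
  # presumably reserved for a demo target that is defined elsewhere or not
  # yet ported. Confirm before relying on it.
  compile_seccomp_bpf_demo =
    (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}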
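# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
#
# ":sandbox_services" is always pulled in. The setuid client and the
# seccomp-bpf components are added only when their flags are set, so what a
# dependent of ":sandbox" actually links depends on the build configuration.
# NOTE(review): use_seccomp_bpf is not declared in this file; presumably it
# comes from //build/config/features.gni. Confirm.
group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}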
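# Shared helpers for the sandbox unit tests (test runners and test utilities).
source_set("sandbox_linux_test_utils") {
  # GN only lets other testonly targets depend on a testonly target, which
  # keeps these helpers out of shipping binaries.
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # The BPF test harness is compiled only when seccomp-bpf itself is built.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [
      ":seccomp_bpf",
    ]
  }
}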
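# The main sandboxing test target.
# Each optional sandbox layer's unit tests are added under the same flag that
# compiles the layer, so a configuration that builds a layer also builds its
# tests, and a configuration that drops a layer drops that test coverage too.
test("sandbox_linux_unittests") {
  sources = [
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  # Tests for the setuid sandbox client.
  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
    ]
  }

  # Tests for the BPF DSL, the policy helpers and the seccomp-bpf core.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_more_unittest.cc",
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }

  # Tests built alongside services/credentials.*.
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}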
121 # TODO(GYP) Android version of this test.
122 #    {
123 #      # This target is the shared library used by Android APK (i.e.
124 #      # JNI-friendly) tests.
125 #      "target_name": "sandbox_linux_jni_unittests",
126 #      "includes": [
127 #        "sandbox_linux_test_sources.gypi",
128 #      ],
129 #      "type": "shared_library",
130 #      "conditions": [
131 #        [ "OS == "android"", {
132 #          "dependencies": [
133 #            "../testing/android/native_test.gyp:native_test_native_code",
134 #          ],
135 #        }],
136 #      ],
137 #    },
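# The seccomp-bpf sandbox core: the BPF policy DSL and its compiler, plus the
# code generator, verifier, trap and syscall support files listed below.
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/dump_bpf.cc",
    "bpf_dsl/dump_bpf.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/trap_registry.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]

  # NOTE(review): presumably selects the "export" side of the sandbox's
  # symbol-visibility macro for component builds; confirm against the header
  # that reads it.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}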
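# Policy building blocks layered on ":seccomp_bpf": the baseline policy,
# SIGSYS handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}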
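if (is_linux) {
  # The setuid sandbox for Linux.
  # Built only from the C sources and headers listed here; the target
  # declares no deps on other targets.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): this silences signed/unsigned comparison warnings for
      # the setuid helper's own sources, which is where a mixed-sign length
      # or bounds check is most costly. Keep the suppression scoped to this
      # target and prioritise the TODO above so the warning can come back.
      "-Wno-sign-compare",
    ]
  }
}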
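# Sandbox support services that are always built: process and thread helpers,
# syscall wrappers, Yama support and the syscall broker. The credentials code
# is added only when compile_credentials is set.
component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/syscall_wrappers.cc",
    "services/syscall_wrappers.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]

    # For capabilities.cc.
    # NOTE(review): the sources added in this branch are credentials.cc/.h;
    # the file name in the comment above may be stale. Confirm which file
    # actually needs the libcap config.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [
    "//base",
  ]
}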
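# Header-only target: ucontext/futex compatibility headers for Android and
# the per-architecture syscall headers. ":seccomp_bpf" depends on it.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_arm64_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/arm64_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}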
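# We make this its own target so that it does not interfere with our tests.
# It is not in the deps of ":sandbox" or of the test target in this file, so
# only targets that depend on it explicitly get it.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}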
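if (compile_suid_client) {
  # Client side of the setuid sandbox. It lists the same two suid/common/
  # headers as the "chrome_sandbox" executable, so both sides of the setuid
  # boundary are compiled against one copy of those definitions.
  component("suid_sandbox_client") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}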
303 if (is_android) {
304   # TODO(GYP) enable this. Needs an android_strip wrapper python script.
305   #action("sandbox_linux_unittests_stripped") {
306   #  script = "android_stip.py"
307   #
308   #  in_file = "$root_out_dir/sandbox_linux_unittests"
309   #
310   #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
311   #  outputs = [ out_file ]
312   #
313   #  args = [
314   #    rebase_path(in_file, root_build_dir),
315   #    "-o", rebase_path(out_file, root_build_dir),
316   #  ]
317   #
318   #  deps = [
319   #    ":sandbox_linux_unittests",
320   #  ]
321   #}
323   # TODO(GYP) convert this.
324   #      {
325   #      'target_name': 'sandbox_linux_jni_unittests_apk',
326   #      'type': 'none',
327   #      'variables': {
328   #        'test_suite_name': 'sandbox_linux_jni_unittests',
329   #      },
330   #      'dependencies': [
331   #        'sandbox_linux_jni_unittests',
332   #      ],
333   #      'includes': [ '../../build/apk_test.gypi' ],
334   #      }