[chromium-blink-merge.git] / sandbox / linux / BUILD.gn
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
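# Build arguments for the Linux sandbox. Values declared here are defaults
# and can be overridden from the build's args, so switching one off removes
# the corresponding sandbox piece (and its unit tests) from the build.
declare_args() {
  # Build the client side of the setuid sandbox (":suid_sandbox_client") and
  # its unit test. On by default for Linux only.
  compile_suid_client = is_linux

  # Build services/credentials.* plus the credentials and unix-domain-socket
  # unit tests. On by default for Linux only.
  compile_credentials = is_linux

  # On by default for x86 / x64 Linux.
  # NOTE(review): not referenced by any target visible in this file;
  # presumably reserved for a seccomp-bpf demo target - confirm or remove.
  compile_seccomp_bpf_demo =
      is_linux && (cpu_arch == "x86" || cpu_arch == "x64")
}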
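# We have two principal targets: sandbox and sandbox_linux_unittests.
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.

# Aggregate target for the Linux sandbox: always provides the services layer
# and adds the setuid client and the seccomp-bpf layers when they are enabled.
group("sandbox") {
  deps = [ ":sandbox_services" ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }

  # NOTE(review): use_seccomp_bpf is not declared in this file; presumably it
  # comes from //build/config/features.gni - confirm. When it is false this
  # group pulls in no seccomp-bpf code, so dependents of ":sandbox" get only
  # the services layer (plus the setuid client, if enabled).
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}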
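# Shared test harness for the sandbox unit tests. testonly = true means only
# other test-only targets may depend on it, which keeps the harness out of
# shipping binaries.
source_set("sandbox_linux_test_utils") {
  testonly = true

  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [ "//testing/gtest" ]

  # The BPF test runner is only built (and only links against seccomp_bpf)
  # when seccomp-bpf support is enabled.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }
}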
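# The main sandboxing test target.
#
# The suid-client, seccomp-bpf and credentials tests are each added behind
# the flag that builds the code they cover. With a flag off, those tests are
# not compiled at all, so a passing run says nothing about that layer.
test("sandbox_linux_unittests") {
  sources = [
    "services/broker_process_unittest.cc",
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  if (compile_suid_client) {
    sources += [ "suid/client/setuid_sandbox_client_unittest.cc" ]
  }

  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_more_unittest.cc",
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }

  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}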
121 # TODO(GYP) Android version of this test.
122 #    {
123 #      # This target is the shared library used by Android APK (i.e.
124 #      # JNI-friendly) tests.
125 #      "target_name": "sandbox_linux_jni_unittests",
126 #      "includes": [
127 #        "sandbox_linux_test_sources.gypi",
128 #      ],
129 #      "type": "shared_library",
130 #      "conditions": [
131 #        [ "OS == "android"", {
132 #          "dependencies": [
133 #            "../testing/android/native_test.gyp:native_test_native_code",
134 #          ],
135 #        }],
136 #      ],
137 #    },
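# The seccomp-bpf sandbox: the bpf_dsl policy language plus the code
# generator, verifier, trap handling and syscall helpers under seccomp-bpf/.
# Only reached through ":sandbox" (and the test targets) when use_seccomp_bpf
# is set.
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/cons.h",
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/sandbox_bpf_policy.cc",
    "seccomp-bpf/sandbox_bpf_policy.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]

  # NOTE(review): presumably selects the "exporting" side of the sandbox
  # export macro when built as a shared component - confirm in the headers.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}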
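# Policy helpers built on top of ":seccomp_bpf": the baseline policy, SIGSYS
# handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]

  # NOTE(review): presumably selects the "exporting" side of the sandbox
  # export macro when built as a shared component - confirm in the headers.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":seccomp_bpf",
    "//base",
  ]
}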
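if (is_linux) {
  # The setuid sandbox for Linux.
  #
  # This is the helper binary meant to run setuid, so it is the most
  # privileged code built from this directory. The target lists no deps: it
  # is built only from the C sources and headers below.
  # NOTE(review): no hardening flags are set on this target; presumably they
  # are inherited from the default executable configs - confirm.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): -Wsign-compare flags signed/unsigned comparisons, the
      # kind of mismatch that lets a negative value pass a length or bounds
      # check. For a setuid helper the comparison should be fixed in the
      # source so the warning can be re-enabled for this target.
      "-Wno-sign-compare",
    ]
  }
}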
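# Sandbox support services: broker process, init-process reaper, scoped
# process, thread helpers and Yama support, plus the credentials code when
# compile_credentials is set. Always part of ":sandbox".
component("sandbox_services") {
  sources = [
    "services/broker_process.cc",
    "services/broker_process.h",
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
  ]

  # NOTE(review): presumably selects the "exporting" side of the sandbox
  # export macro when built as a shared component - confirm in the headers.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]

    # For capabilities.cc.
    # NOTE(review): no capabilities.cc is listed in this target; the libcap
    # config is presumably needed by services/credentials.cc and the comment
    # above is stale - confirm and update.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [ "//base" ]
}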
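# Header-only target (every entry is a .h file): Android ucontext / futex
# headers and the per-architecture Linux syscall headers. ":seccomp_bpf"
# depends on it.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_arm64_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/arm64_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}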
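# We make this its own target so that it does not interfere with our tests.
# No target visible in this file depends on it, so it is linked only by
# targets that name it explicitly.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]

  deps = [ "//base" ]
}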
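if (compile_suid_client) {
  # Client side of the setuid sandbox. It lists the same two suid/common/
  # headers as the chrome_sandbox executable, so both sides are compiled
  # against one copy of those definitions.
  component("suid_sandbox_client") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
    ]

    # NOTE(review): presumably selects the "exporting" side of the sandbox
    # export macro when built as a shared component - confirm in the headers.
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}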
288 if (is_android) {
289   # TODO(GYP) enable this. Needs an android_strip wrapper python script.
290   #action("sandbox_linux_unittests_stripped") {
291   #  script = "android_stip.py"
292   #
293   #  in_file = "$root_out_dir/sandbox_linux_unittests"
294   #
295   #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
296   #  outputs = [ out_file ]
297   #
298   #  args = [
299   #    rebase_path(in_file, root_build_dir),
300   #    "-o", rebase_path(out_file, root_build_dir),
301   #  ]
302   #
303   #  deps = [
304   #    ":sandbox_linux_unittests",
305   #  ]
306   #}
308   # TODO(GYP) convert this.
309   #      {
310   #      'target_name': 'sandbox_linux_jni_unittests_apk',
311   #      'type': 'none',
312   #      'variables': {
313   #        'test_suite_name': 'sandbox_linux_jni_unittests',
314   #      },
315   #      'dependencies': [
316   #        'sandbox_linux_jni_unittests',
317   #      ],
318   #      'includes': [ '../../build/apk_test.gypi' ],
319   #      }