1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
6 import("//testing/test.gni")
9 compile_suid_client = is_linux
11 compile_credentials = is_linux
13 # On Android, use plain GTest.
14 use_base_test_suite = is_linux
17 # We have two principal targets: sandbox and sandbox_linux_unittests
18 # All other targets are listed as dependencies.
19 # There is one notable exception: for historical reasons, chrome_sandbox is
20 # the setuid sandbox and is its own target.
27 if (compile_suid_client) {
28 deps += [ ":suid_sandbox_client" ]
30 if (use_seccomp_bpf) {
33 ":seccomp_bpf_helpers",
38 source_set("sandbox_linux_test_utils") {
41 "tests/sandbox_test_runner.cc",
42 "tests/sandbox_test_runner.h",
43 "tests/sandbox_test_runner_function_pointer.cc",
44 "tests/sandbox_test_runner_function_pointer.h",
45 "tests/test_utils.cc",
47 "tests/unit_tests.cc",
55 if (use_seccomp_bpf) {
57 "seccomp-bpf/bpf_tester_compatibility_delegate.h",
58 "seccomp-bpf/bpf_tests.h",
59 "seccomp-bpf/sandbox_bpf_test_runner.cc",
60 "seccomp-bpf/sandbox_bpf_test_runner.h",
62 deps += [ ":seccomp_bpf" ]
65 if (use_base_test_suite) {
66 deps += [ "//base/test:test_support" ]
67 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
71 # Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
72 source_set("sandbox_linux_unittests_sources") {
76 "services/proc_util_unittest.cc",
77 "services/resource_limits_unittests.cc",
78 "services/scoped_process_unittest.cc",
79 "services/syscall_wrappers_unittest.cc",
80 "services/thread_helpers_unittests.cc",
81 "services/yama_unittests.cc",
82 "syscall_broker/broker_file_permission_unittest.cc",
83 "syscall_broker/broker_process_unittest.cc",
85 "tests/scoped_temporary_file.cc",
86 "tests/scoped_temporary_file.h",
87 "tests/scoped_temporary_file_unittest.cc",
88 "tests/test_utils_unittest.cc",
89 "tests/unit_tests_unittest.cc",
94 ":sandbox_linux_test_utils",
99 if (use_base_test_suite) {
100 deps += [ "//base/test:test_support" ]
101 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
105 # Don't use this on Android.
109 if (compile_suid_client) {
111 "suid/client/setuid_sandbox_client_unittest.cc",
112 "suid/client/setuid_sandbox_host_unittest.cc",
115 if (use_seccomp_bpf) {
117 "bpf_dsl/bpf_dsl_unittest.cc",
118 "bpf_dsl/codegen_unittest.cc",
119 "bpf_dsl/cons_unittest.cc",
120 "bpf_dsl/syscall_set_unittest.cc",
121 "integration_tests/bpf_dsl_seccomp_unittest.cc",
122 "integration_tests/seccomp_broker_process_unittest.cc",
123 "seccomp-bpf-helpers/baseline_policy_unittest.cc",
124 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
125 "seccomp-bpf/bpf_tests_unittest.cc",
126 "seccomp-bpf/errorcode_unittest.cc",
127 "seccomp-bpf/sandbox_bpf_unittest.cc",
128 "seccomp-bpf/syscall_unittest.cc",
129 "seccomp-bpf/trap_unittest.cc",
132 if (compile_credentials) {
134 "integration_tests/namespace_unix_domain_socket_unittest.cc",
135 "services/credentials_unittest.cc",
136 "services/namespace_utils_unittest.cc",
139 if (use_base_test_suite) {
140 # Tests that use advanced features not available in stock GTest.
141 sources += [ "services/namespace_sandbox_unittest.cc" ]
144 # For credentials_unittest.cc
145 configs += [ "//build/config/linux:libcap" ]
149 # The main sandboxing test target.
150 test("sandbox_linux_unittests") {
152 ":sandbox_linux_unittests_sources",
156 # This target is the shared library used by Android APK (i.e.
157 # JNI-friendly) tests.
158 shared_library("sandbox_linux_jni_unittests") {
161 ":sandbox_linux_unittests_sources",
164 deps += [ "//testing/android/native_test:native_test_native_code" ]
168 component("seccomp_bpf") {
170 "bpf_dsl/bpf_dsl.cc",
172 "bpf_dsl/bpf_dsl_forward.h",
173 "bpf_dsl/bpf_dsl_impl.h",
174 "bpf_dsl/codegen.cc",
177 "bpf_dsl/dump_bpf.cc",
178 "bpf_dsl/dump_bpf.h",
179 "bpf_dsl/linux_syscall_ranges.h",
182 "bpf_dsl/policy_compiler.cc",
183 "bpf_dsl/policy_compiler.h",
184 "bpf_dsl/seccomp_macros.h",
185 "bpf_dsl/syscall_set.cc",
186 "bpf_dsl/syscall_set.h",
187 "bpf_dsl/trap_registry.h",
188 "bpf_dsl/verifier.cc",
189 "bpf_dsl/verifier.h",
190 "seccomp-bpf/die.cc",
192 "seccomp-bpf/errorcode.cc",
193 "seccomp-bpf/errorcode.h",
194 "seccomp-bpf/sandbox_bpf.cc",
195 "seccomp-bpf/sandbox_bpf.h",
196 "seccomp-bpf/syscall.cc",
197 "seccomp-bpf/syscall.h",
198 "seccomp-bpf/trap.cc",
199 "seccomp-bpf/trap.h",
201 defines = [ "SANDBOX_IMPLEMENTATION" ]
205 ":sandbox_services_headers",
210 component("seccomp_bpf_helpers") {
212 "seccomp-bpf-helpers/baseline_policy.cc",
213 "seccomp-bpf-helpers/baseline_policy.h",
214 "seccomp-bpf-helpers/sigsys_handlers.cc",
215 "seccomp-bpf-helpers/sigsys_handlers.h",
216 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
217 "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
218 "seccomp-bpf-helpers/syscall_sets.cc",
219 "seccomp-bpf-helpers/syscall_sets.h",
221 defines = [ "SANDBOX_IMPLEMENTATION" ]
231 # The setuid sandbox for Linux.
232 executable("chrome_sandbox") {
234 "suid/common/sandbox.h",
235 "suid/common/suid_unsafe_environment_variables.h",
236 "suid/process_util.h",
237 "suid/process_util_linux.c",
245 # These files have a suspicious comparison.
246 # TODO fix this and re-enable this warning.
252 component("sandbox_services") {
254 "services/init_process_reaper.cc",
255 "services/init_process_reaper.h",
256 "services/proc_util.cc",
257 "services/proc_util.h",
258 "services/resource_limits.cc",
259 "services/resource_limits.h",
260 "services/scoped_process.cc",
261 "services/scoped_process.h",
262 "services/syscall_wrappers.cc",
263 "services/syscall_wrappers.h",
264 "services/thread_helpers.cc",
265 "services/thread_helpers.h",
268 "syscall_broker/broker_channel.cc",
269 "syscall_broker/broker_channel.h",
270 "syscall_broker/broker_client.cc",
271 "syscall_broker/broker_client.h",
272 "syscall_broker/broker_common.h",
273 "syscall_broker/broker_file_permission.cc",
274 "syscall_broker/broker_file_permission.h",
275 "syscall_broker/broker_host.cc",
276 "syscall_broker/broker_host.h",
277 "syscall_broker/broker_policy.cc",
278 "syscall_broker/broker_policy.h",
279 "syscall_broker/broker_process.cc",
280 "syscall_broker/broker_process.h",
283 defines = [ "SANDBOX_IMPLEMENTATION" ]
289 if (compile_credentials) {
291 "services/credentials.cc",
292 "services/credentials.h",
293 "services/namespace_sandbox.cc",
294 "services/namespace_sandbox.h",
295 "services/namespace_utils.cc",
296 "services/namespace_utils.h",
299 deps += [ ":sandbox_services_headers" ]
303 source_set("sandbox_services_headers") {
305 "system_headers/arm64_linux_syscalls.h",
306 "system_headers/arm64_linux_ucontext.h",
307 "system_headers/arm_linux_syscalls.h",
308 "system_headers/arm_linux_ucontext.h",
309 "system_headers/i386_linux_ucontext.h",
310 "system_headers/linux_futex.h",
311 "system_headers/linux_seccomp.h",
312 "system_headers/linux_signal.h",
313 "system_headers/linux_syscalls.h",
314 "system_headers/linux_time.h",
315 "system_headers/linux_ucontext.h",
316 "system_headers/x86_32_linux_syscalls.h",
317 "system_headers/x86_64_linux_syscalls.h",
321 # We make this its own target so that it does not interfere with our tests.
322 source_set("libc_urandom_override") {
324 "services/libc_urandom_override.cc",
325 "services/libc_urandom_override.h",
332 if (compile_suid_client) {
333 component("suid_sandbox_client") {
335 "suid/client/setuid_sandbox_client.cc",
336 "suid/client/setuid_sandbox_client.h",
337 "suid/client/setuid_sandbox_host.cc",
338 "suid/client/setuid_sandbox_host.h",
339 "suid/common/sandbox.h",
340 "suid/common/suid_unsafe_environment_variables.h",
342 defines = [ "SANDBOX_IMPLEMENTATION" ]
352 # TODO(GYP) enable this. Needs an android_strip wrapper python script.
353 #action("sandbox_linux_unittests_stripped") {
354 # script = "android_stip.py"
356 # in_file = "$root_out_dir/sandbox_linux_unittests"
358 # out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
359 # outputs = [ out_file ]
362 # rebase_path(in_file, root_build_dir),
363 # "-o", rebase_path(out_file, root_build_dir),
367 # ":sandbox_linux_unittests",
370 # TODO(GYP) convert this.
372 # 'target_name': 'sandbox_linux_jni_unittests_apk',
375 # 'test_suite_name': 'sandbox_linux_jni_unittests',
378 # 'sandbox_linux_jni_unittests',
380 # 'includes': [ '../../build/apk_test.gypi' ],