[chromium-blink-merge.git] / sandbox / linux / BUILD.gn
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
6 import("//testing/test.gni")
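# Build arguments for the Linux sandbox. Values declared here can be
# overridden from the build's args, so a non-default value changes which
# sandbox pieces are compiled and should be reviewed as a security-relevant
# configuration change.
declare_args() {
  # Build the setuid sandbox client (":suid_sandbox_client") and its unit
  # tests. When false, the "sandbox" group does not pull in the client.
  compile_suid_client = is_linux

  # Build the credentials / namespace code (services/credentials.*,
  # services/namespace_sandbox.*, services/namespace_utils.*) and the
  # matching unit tests.
  compile_credentials = is_linux

  # On Android, use plain GTest.
  use_base_test_suite = is_linux
}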
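# We have two principal targets: sandbox and sandbox_linux_unittests.
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
#
# Which sandbox layers a dependent receives is decided here:
#   - ":sandbox_services" is always included.
#   - ":suid_sandbox_client" only when compile_suid_client is true.
#   - ":seccomp_bpf" and ":seccomp_bpf_helpers" only when use_seccomp_bpf is
#     true. use_seccomp_bpf is not declared in this file; presumably it comes
#     from //build/config/features.gni (imported above) - verify.
# With use_seccomp_bpf false, depending on this group brings in no
# seccomp-bpf code at all, so callers must not assume that layer is present.
group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}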
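# Test-only support code (sandbox test runner and unit-test harness) shared by
# the sandbox unit tests. Marked testonly so production targets cannot depend
# on it.
source_set("sandbox_linux_test_utils") {
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # The BPF test runner is only built when the seccomp-bpf layer itself is.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }

  # Keep this define in sync with sandbox_linux_unittests_sources, which sets
  # the same macro under the same condition.
  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }
}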
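# Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
#
# Test coverage follows the same build arguments as the production code: the
# setuid client, seccomp-bpf and credentials/namespace tests are only compiled
# when the corresponding feature is. A configuration that disables a feature
# therefore also runs none of that feature's tests.
source_set("sandbox_linux_unittests_sources") {
  testonly = true

  sources = [
    "services/proc_util_unittest.cc",
    "services/resource_limits_unittests.cc",
    "services/scoped_process_unittest.cc",
    "services/syscall_wrappers_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_file_permission_unittest.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/test_utils_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//testing/gtest",
  ]

  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
      "suid/client/setuid_sandbox_host_unittest.cc",
    ]
  }
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/codegen_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "bpf_dsl/syscall_set_unittest.cc",
      "integration_tests/bpf_dsl_seccomp_unittest.cc",
      "integration_tests/seccomp_broker_process_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
      "seccomp-bpf/trap_unittest.cc",
    ]
  }
  if (compile_credentials) {
    sources += [
      "integration_tests/namespace_unix_domain_socket_unittest.cc",
      "services/credentials_unittest.cc",
      "services/namespace_utils_unittest.cc",
    ]

    if (use_base_test_suite) {
      # Tests that use advanced features not available in stock GTest.
      sources += [ "services/namespace_sandbox_unittest.cc" ]
    }

    # For credentials_unittest.cc
    configs += [ "//build/config/linux:libcap" ]
  }
}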
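# The main sandboxing test target. It adds no sources of its own; everything
# comes from ":sandbox_linux_unittests_sources".
test("sandbox_linux_unittests") {
  deps = [
    ":sandbox_linux_unittests_sources",
  ]
}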
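# This target is the shared library used by Android APK (i.e.
# JNI-friendly) tests. It is declared on every platform, but the native test
# glue is only added to deps when is_android is true.
shared_library("sandbox_linux_jni_unittests") {
  testonly = true
  deps = [
    ":sandbox_linux_unittests_sources",
  ]
  if (is_android) {
    deps += [ "//testing/android/native_test:native_test_native_code" ]
  }
}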
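# The seccomp-bpf sandbox layer: the bpf_dsl policy language (policy, policy
# compiler, code generator, verifier) and the seccomp-bpf runtime (sandbox_bpf,
# syscall, trap, errorcode, die).
#
# This target is declared unconditionally; it only becomes part of
# group("sandbox") when use_seccomp_bpf is true.
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/codegen.cc",
    "bpf_dsl/codegen.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/dump_bpf.cc",
    "bpf_dsl/dump_bpf.h",
    "bpf_dsl/linux_syscall_ranges.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/seccomp_macros.h",
    "bpf_dsl/syscall_set.cc",
    "bpf_dsl/syscall_set.h",
    "bpf_dsl/trap_registry.h",
    "bpf_dsl/verifier.cc",
    "bpf_dsl/verifier.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
  ]

  # Set by every component in this file; presumably selects the export
  # annotations used when building the component itself - verify.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    ":sandbox_services_headers",
    "//base",
  ]
}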
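# Helpers layered on top of ":seccomp_bpf": the baseline policy, the SIGSYS
# handlers, and the syscall sets / syscall parameter restrictions.
#
# Like ":seccomp_bpf", this target is declared unconditionally and joins
# group("sandbox") only when use_seccomp_bpf is true.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # Local targets first, then absolute labels, matching the other targets in
  # this file.
  deps = [
    ":sandbox_services",
    ":seccomp_bpf",
    "//base",
  ]
}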
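if (is_linux) {
  # The setuid sandbox for Linux.
  #
  # The target lists no deps: it is built only from the C sources and headers
  # below. This file only compiles the binary; nothing here sets its ownership
  # or mode bits, so that presumably happens at install/packaging time -
  # verify against the packaging scripts.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): this suppresses signed/unsigned comparison warnings for
      # every source file of the setuid helper, not just the one known
      # comparison. A mixed-sign comparison in a length or bounds check is a
      # common source of memory-safety bugs, and this code is described as the
      # setuid sandbox, so the TODO deserves priority: fix the comparison and
      # drop the flag so new instances are caught at compile time.
      "-Wno-sign-compare",
    ]
  }
}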
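# Core sandbox services. This is the only target that group("sandbox") always
# depends on.
#
# Always built: process/thread helpers, resource limits, syscall wrappers,
# Yama support and the syscall broker (channel, client, host, policy, file
# permissions, process).
# Built only when compile_credentials is true: credentials, namespace_sandbox
# and namespace_utils.
component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/proc_util.cc",
    "services/proc_util.h",
    "services/resource_limits.cc",
    "services/resource_limits.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/syscall_wrappers.cc",
    "services/syscall_wrappers.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.cc",
    "services/yama.h",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_file_permission.cc",
    "syscall_broker/broker_file_permission.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
  ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
      "services/namespace_sandbox.cc",
      "services/namespace_sandbox.h",
      "services/namespace_utils.cc",
      "services/namespace_utils.h",
    ]

    # The system headers target is only a dependency in this configuration.
    deps += [ ":sandbox_services_headers" ]
  }
}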
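# Header-only target: per-architecture syscall and ucontext headers (arm,
# arm64, i386, x86_32, x86_64) plus Linux futex, seccomp, signal and time
# definitions. Used by ":seccomp_bpf" and, when compile_credentials is true,
# by ":sandbox_services".
source_set("sandbox_services_headers") {
  sources = [
    "system_headers/arm64_linux_syscalls.h",
    "system_headers/arm64_linux_ucontext.h",
    "system_headers/arm_linux_syscalls.h",
    "system_headers/arm_linux_ucontext.h",
    "system_headers/i386_linux_ucontext.h",
    "system_headers/linux_futex.h",
    "system_headers/linux_seccomp.h",
    "system_headers/linux_signal.h",
    "system_headers/linux_syscalls.h",
    "system_headers/linux_time.h",
    "system_headers/linux_ucontext.h",
    "system_headers/x86_32_linux_syscalls.h",
    "system_headers/x86_64_linux_syscalls.h",
  ]
}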
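# We make this its own target so that it does not interfere with our tests.
# It is not part of group("sandbox"): a target that needs the override must
# depend on ":libc_urandom_override" explicitly.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}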
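if (compile_suid_client) {
  # Client and host side of the setuid sandbox. It shares suid/common/sandbox.h
  # and suid/common/suid_unsafe_environment_variables.h with the
  # "chrome_sandbox" executable, so a change to either header affects both the
  # helper binary and this component.
  component("suid_sandbox_client") {
    sources = [
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
      "suid/client/setuid_sandbox_host.cc",
      "suid/client/setuid_sandbox_host.h",
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}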
351 if (is_android) {
352   # TODO(GYP) enable this. Needs an android_strip wrapper python script.
353   #action("sandbox_linux_unittests_stripped") {
354   #  script = "android_stip.py"
355   #
356   #  in_file = "$root_out_dir/sandbox_linux_unittests"
357   #
358   #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
359   #  outputs = [ out_file ]
360   #
361   #  args = [
362   #    rebase_path(in_file, root_build_dir),
363   #    "-o", rebase_path(out_file, root_build_dir),
364   #  ]
365   #
366   #  deps = [
367   #    ":sandbox_linux_unittests",
368   #  ]
369   #}
370   # TODO(GYP) convert this.
371   #      {
372   #      'target_name': 'sandbox_linux_jni_unittests_apk',
373   #      'type': 'none',
374   #      'variables': {
375   #        'test_suite_name': 'sandbox_linux_jni_unittests',
376   #      },
377   #      'dependencies': [
378   #        'sandbox_linux_jni_unittests',
379   #      ],
380   #      'includes': [ '../../build/apk_test.gypi' ],
381   #      }