| blob | d693df6708929b2e014cd0da35c99022666a12ce |
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
6 import("//testing/test.gni")
8 declare_args() {
9 compile_suid_client = is_linux
11 compile_credentials = is_linux
13 # On Android, use plain GTest.
14 use_base_test_suite = is_linux
15 }
17 # We have two principal targets: sandbox and sandbox_linux_unittests
18 # All other targets are listed as dependencies.
19 # There is one notable exception: for historical reasons, chrome_sandbox is
20 # the setuid sandbox and is its own target.
22 group("sandbox") {
23 deps = [
24 ":sandbox_services",
25 ]
27 if (compile_suid_client) {
28 deps += [ ":suid_sandbox_client" ]
29 }
30 if (use_seccomp_bpf) {
31 deps += [
32 ":seccomp_bpf",
33 ":seccomp_bpf_helpers",
34 ]
35 }
36 }
38 source_set("sandbox_linux_test_utils") {
39 testonly = true
40 sources = [
41 "tests/sandbox_test_runner.cc",
42 "tests/sandbox_test_runner.h",
43 "tests/sandbox_test_runner_function_pointer.cc",
44 "tests/sandbox_test_runner_function_pointer.h",
45 "tests/test_utils.cc",
46 "tests/test_utils.h",
47 "tests/unit_tests.cc",
48 "tests/unit_tests.h",
49 ]
51 deps = [
52 "//testing/gtest",
53 ]
55 if (use_seccomp_bpf) {
56 sources += [
57 "seccomp-bpf/bpf_tester_compatibility_delegate.h",
58 "seccomp-bpf/bpf_tests.h",
59 "seccomp-bpf/sandbox_bpf_test_runner.cc",
60 "seccomp-bpf/sandbox_bpf_test_runner.h",
61 ]
62 deps += [ ":seccomp_bpf" ]
63 }
65 if (use_base_test_suite) {
66 deps += [ "//base/test:test_support" ]
67 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
68 }
69 }
71 # Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
72 source_set("sandbox_linux_unittests_sources") {
73 testonly = true
75 sources = [
76 "services/proc_util_unittest.cc",
77 "services/resource_limits_unittests.cc",
78 "services/scoped_process_unittest.cc",
79 "services/syscall_wrappers_unittest.cc",
80 "services/thread_helpers_unittests.cc",
81 "services/yama_unittests.cc",
82 "syscall_broker/broker_file_permission_unittest.cc",
83 "syscall_broker/broker_process_unittest.cc",
84 "tests/main.cc",
85 "tests/scoped_temporary_file.cc",
86 "tests/scoped_temporary_file.h",
87 "tests/scoped_temporary_file_unittest.cc",
88 "tests/test_utils_unittest.cc",
89 "tests/unit_tests_unittest.cc",
90 ]
92 deps = [
93 ":sandbox",
94 ":sandbox_linux_test_utils",
95 "//base",
96 "//testing/gtest",
97 ]
99 if (use_base_test_suite) {
100 deps += [ "//base/test:test_support" ]
101 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
102 }
104 if (is_linux) {
105 # Don't use this on Android.
106 libs = [ "rt" ]
107 }
109 if (compile_suid_client) {
110 sources += [
111 "suid/client/setuid_sandbox_client_unittest.cc",
112 "suid/client/setuid_sandbox_host_unittest.cc",
113 ]
114 }
115 if (use_seccomp_bpf) {
116 sources += [
117 "bpf_dsl/bpf_dsl_unittest.cc",
118 "bpf_dsl/codegen_unittest.cc",
119 "bpf_dsl/cons_unittest.cc",
120 "bpf_dsl/dump_bpf.cc",
121 "bpf_dsl/dump_bpf.h",
122 "bpf_dsl/errorcode_unittest.cc",
123 "bpf_dsl/syscall_set_unittest.cc",
124 "bpf_dsl/test_trap_registry.cc",
125 "bpf_dsl/test_trap_registry.h",
126 "bpf_dsl/test_trap_registry_unittest.cc",
127 "bpf_dsl/verifier.cc",
128 "bpf_dsl/verifier.h",
129 "integration_tests/bpf_dsl_seccomp_unittest.cc",
130 "integration_tests/seccomp_broker_process_unittest.cc",
131 "seccomp-bpf-helpers/baseline_policy_unittest.cc",
132 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
133 "seccomp-bpf/bpf_tests_unittest.cc",
134 "seccomp-bpf/sandbox_bpf_unittest.cc",
135 "seccomp-bpf/syscall_unittest.cc",
136 "seccomp-bpf/trap_unittest.cc",
137 ]
138 deps += [ ":bpf_dsl_golden" ]
139 }
140 if (compile_credentials) {
141 sources += [
142 "integration_tests/namespace_unix_domain_socket_unittest.cc",
143 "services/credentials_unittest.cc",
144 "services/namespace_utils_unittest.cc",
145 ]
147 if (use_base_test_suite) {
148 # Tests that use advanced features not available in stock GTest.
149 sources += [ "services/namespace_sandbox_unittest.cc" ]
150 }
152 # For credentials_unittest.cc
153 configs += [ "//build/config/linux:libcap" ]
154 }
155 }
157 action("bpf_dsl_golden") {
158 script = "bpf_dsl/golden/generate.py"
159 inputs = [
160 "bpf_dsl/golden/i386/ArgSizePolicy.txt",
161 "bpf_dsl/golden/i386/BasicPolicy.txt",
162 "bpf_dsl/golden/i386/ElseIfPolicy.txt",
163 "bpf_dsl/golden/i386/MaskingPolicy.txt",
164 "bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt",
165 "bpf_dsl/golden/i386/NegativeConstantsPolicy.txt",
166 "bpf_dsl/golden/i386/SwitchPolicy.txt",
167 "bpf_dsl/golden/x86-64/ArgSizePolicy.txt",
168 "bpf_dsl/golden/x86-64/BasicPolicy.txt",
169 "bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt",
170 "bpf_dsl/golden/x86-64/ElseIfPolicy.txt",
171 "bpf_dsl/golden/x86-64/MaskingPolicy.txt",
172 "bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt",
173 "bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt",
174 "bpf_dsl/golden/x86-64/SwitchPolicy.txt",
175 ]
176 outputs = [
177 "$target_gen_dir/bpf_dsl/golden/golden_files.h",
178 ]
179 args =
180 rebase_path(outputs, root_build_dir) + rebase_path(inputs, root_build_dir)
181 }
183 # TODO(GYP): Delete this after we've converted everything to GN.
184 # The _run targets exist only for compatibility w/ GYP.
185 group("sandbox_linux_unittests_run") {
186 testonly = true
187 deps = [
188 ":sandbox_linux_unittests",
189 ]
190 }
192 # The main sandboxing test target.
193 test("sandbox_linux_unittests") {
194 deps = [
195 ":sandbox_linux_unittests_sources",
196 ]
197 }
199 # This target is the shared library used by Android APK (i.e.
200 # JNI-friendly) tests.
201 shared_library("sandbox_linux_jni_unittests") {
202 testonly = true
203 deps = [
204 ":sandbox_linux_unittests_sources",
205 "//build/config/sanitizers:deps",
206 ]
207 if (is_android) {
208 deps += [ "//testing/android/native_test:native_test_native_code" ]
209 }
210 }
212 component("seccomp_bpf") {
213 sources = [
214 "bpf_dsl/bpf_dsl.cc",
215 "bpf_dsl/bpf_dsl.h",
216 "bpf_dsl/bpf_dsl_forward.h",
217 "bpf_dsl/bpf_dsl_impl.h",
218 "bpf_dsl/codegen.cc",
219 "bpf_dsl/codegen.h",
220 "bpf_dsl/cons.h",
221 "bpf_dsl/errorcode.cc",
222 "bpf_dsl/errorcode.h",
223 "bpf_dsl/linux_syscall_ranges.h",
224 "bpf_dsl/policy.cc",
225 "bpf_dsl/policy.h",
226 "bpf_dsl/policy_compiler.cc",
227 "bpf_dsl/policy_compiler.h",
228 "bpf_dsl/seccomp_macros.h",
229 "bpf_dsl/syscall_set.cc",
230 "bpf_dsl/syscall_set.h",
231 "bpf_dsl/trap_registry.h",
232 "seccomp-bpf/die.cc",
233 "seccomp-bpf/die.h",
234 "seccomp-bpf/sandbox_bpf.cc",
235 "seccomp-bpf/sandbox_bpf.h",
236 "seccomp-bpf/syscall.cc",
237 "seccomp-bpf/syscall.h",
238 "seccomp-bpf/trap.cc",
239 "seccomp-bpf/trap.h",
240 ]
241 defines = [ "SANDBOX_IMPLEMENTATION" ]
243 deps = [
244 ":sandbox_services",
245 ":sandbox_services_headers",
246 "//base",
247 ]
248 }
250 component("seccomp_bpf_helpers") {
251 sources = [
252 "seccomp-bpf-helpers/baseline_policy.cc",
253 "seccomp-bpf-helpers/baseline_policy.h",
254 "seccomp-bpf-helpers/sigsys_handlers.cc",
255 "seccomp-bpf-helpers/sigsys_handlers.h",
256 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
257 "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
258 "seccomp-bpf-helpers/syscall_sets.cc",
259 "seccomp-bpf-helpers/syscall_sets.h",
260 ]
261 defines = [ "SANDBOX_IMPLEMENTATION" ]
263 deps = [
264 "//base",
265 ":sandbox_services",
266 ":seccomp_bpf",
267 ]
268 }
270 if (is_linux) {
271 # The setuid sandbox for Linux.
272 executable("chrome_sandbox") {
273 sources = [
274 "suid/common/sandbox.h",
275 "suid/common/suid_unsafe_environment_variables.h",
276 "suid/process_util.h",
277 "suid/process_util_linux.c",
278 "suid/sandbox.c",
279 ]
281 cflags = [
282 # For ULLONG_MAX
283 "-std=gnu99",
285 # These files have a suspicious comparison.
286 # TODO fix this and re-enable this warning.
287 "-Wno-sign-compare",
288 ]
290 deps = [
291 "//build/config/sanitizers:deps",
292 ]
293 }
294 }
296 component("sandbox_services") {
297 sources = [
298 "services/init_process_reaper.cc",
299 "services/init_process_reaper.h",
300 "services/proc_util.cc",
301 "services/proc_util.h",
302 "services/resource_limits.cc",
303 "services/resource_limits.h",
304 "services/scoped_process.cc",
305 "services/scoped_process.h",
306 "services/syscall_wrappers.cc",
307 "services/syscall_wrappers.h",
308 "services/thread_helpers.cc",
309 "services/thread_helpers.h",
310 "services/yama.cc",
311 "services/yama.h",
312 "syscall_broker/broker_channel.cc",
313 "syscall_broker/broker_channel.h",
314 "syscall_broker/broker_client.cc",
315 "syscall_broker/broker_client.h",
316 "syscall_broker/broker_common.h",
317 "syscall_broker/broker_file_permission.cc",
318 "syscall_broker/broker_file_permission.h",
319 "syscall_broker/broker_host.cc",
320 "syscall_broker/broker_host.h",
321 "syscall_broker/broker_policy.cc",
322 "syscall_broker/broker_policy.h",
323 "syscall_broker/broker_process.cc",
324 "syscall_broker/broker_process.h",
325 ]
327 defines = [ "SANDBOX_IMPLEMENTATION" ]
329 deps = [
330 "//base",
331 ]
333 if (compile_credentials) {
334 sources += [
335 "services/credentials.cc",
336 "services/credentials.h",
337 "services/namespace_sandbox.cc",
338 "services/namespace_sandbox.h",
339 "services/namespace_utils.cc",
340 "services/namespace_utils.h",
341 ]
343 deps += [ ":sandbox_services_headers" ]
344 }
345 }
347 source_set("sandbox_services_headers") {
348 sources = [
349 "system_headers/arm64_linux_syscalls.h",
350 "system_headers/arm64_linux_ucontext.h",
351 "system_headers/arm_linux_syscalls.h",
352 "system_headers/arm_linux_ucontext.h",
353 "system_headers/i386_linux_ucontext.h",
354 "system_headers/linux_futex.h",
355 "system_headers/linux_seccomp.h",
356 "system_headers/linux_signal.h",
357 "system_headers/linux_syscalls.h",
358 "system_headers/linux_time.h",
359 "system_headers/linux_ucontext.h",
360 "system_headers/x86_32_linux_syscalls.h",
361 "system_headers/x86_64_linux_syscalls.h",
362 ]
363 }
365 # We make this its own target so that it does not interfere with our tests.
366 source_set("libc_urandom_override") {
367 sources = [
368 "services/libc_urandom_override.cc",
369 "services/libc_urandom_override.h",
370 ]
371 deps = [
372 "//base",
373 ]
374 }
376 if (compile_suid_client) {
377 component("suid_sandbox_client") {
378 sources = [
379 "suid/client/setuid_sandbox_client.cc",
380 "suid/client/setuid_sandbox_client.h",
381 "suid/client/setuid_sandbox_host.cc",
382 "suid/client/setuid_sandbox_host.h",
383 "suid/common/sandbox.h",
384 "suid/common/suid_unsafe_environment_variables.h",
385 ]
386 defines = [ "SANDBOX_IMPLEMENTATION" ]
388 deps = [
389 ":sandbox_services",
390 "//base",
391 ]
392 }
393 }
395 if (is_android) {
396 # TODO(GYP) enable this. Needs an android_strip wrapper python script.
397 #action("sandbox_linux_unittests_stripped") {
398 # script = "android_stip.py"
399 #
400 # in_file = "$root_out_dir/sandbox_linux_unittests"
401 #
402 # out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
403 # outputs = [ out_file ]
404 #
405 # args = [
406 # rebase_path(in_file, root_build_dir),
407 # "-o", rebase_path(out_file, root_build_dir),
408 # ]
409 #
410 # deps = [
411 # ":sandbox_linux_unittests",
412 # ]
413 #}
414 # TODO(GYP) convert this.
415 # {
416 # 'target_name': 'sandbox_linux_jni_unittests_apk',
417 # 'type': 'none',
418 # 'variables': {
419 # 'test_suite_name': 'sandbox_linux_jni_unittests',
420 # },
421 # 'dependencies': [
422 # 'sandbox_linux_jni_unittests',
423 # ],
424 # 'includes': [ '../../build/apk_test.gypi' ],
425 # }
426 }