[chromium-blink-merge.git] / sandbox / linux / sandbox_linux.gypi
1 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
6   'variables': {
7     'conditions': [
8       ['OS=="linux"', {
9         'compile_suid_client': 1,
10         'compile_credentials': 1,
11       }, {
12         'compile_suid_client': 0,
13         'compile_credentials': 0,
14       }],
15       ['OS=="linux" and (target_arch=="ia32" or target_arch=="x64" or '
16          'target_arch=="mipsel")', {
17         'compile_seccomp_bpf_demo': 1,
18       }, {
19         'compile_seccomp_bpf_demo': 0,
20       }],
21     ],
22   },
23   'target_defaults': {
24     'target_conditions': [
25       # All linux/ files will automatically be excluded on Android
26       # so make sure we re-include them explicitly.
27       ['OS == "android"', {
28         'sources/': [
29           ['include', '^linux/'],
30         ],
31       }],
32     ],
33   },
34   'targets': [
35     # We have two principal targets: sandbox and sandbox_linux_unittests.
36     # All other targets are listed as dependencies.
37     # There is one notable exception: for historical reasons, chrome_sandbox is
38     # the setuid sandbox and is its own target.
39     {
40       'target_name': 'sandbox',
41       'type': 'none',
42       'dependencies': [
43         'sandbox_services',
44       ],
45       'conditions': [
46         [ 'compile_suid_client==1', {
47           'dependencies': [
48             'suid_sandbox_client',
49           ],
50         }],
51         # Depend on seccomp-bpf only when use_seccomp_bpf==1; otherwise 'sandbox' is built without it.
52         [ 'use_seccomp_bpf==1', {
53           'dependencies': [
54             'seccomp_bpf',
55             'seccomp_bpf_helpers',
56           ],
57         }],
58       ],
59     },
60     {
61       'target_name': 'sandbox_linux_test_utils',
62       'type': 'static_library',
63       'dependencies': [
64         '../testing/gtest.gyp:gtest',
65       ],
66       'include_dirs': [
67         '../..',
68       ],
69       'sources': [
70         'tests/sandbox_test_runner.cc',
71         'tests/sandbox_test_runner.h',
72         'tests/sandbox_test_runner_function_pointer.cc',
73         'tests/sandbox_test_runner_function_pointer.h',
74         'tests/test_utils.cc',
75         'tests/test_utils.h',
76         'tests/unit_tests.cc',
77         'tests/unit_tests.h',
78       ],
79       'conditions': [
80         [ 'use_seccomp_bpf==1', {
81           'sources': [
82             'seccomp-bpf/bpf_tester_compatibility_delegate.h',
83             'seccomp-bpf/bpf_tests.h',
84             'seccomp-bpf/sandbox_bpf_test_runner.cc',
85             'seccomp-bpf/sandbox_bpf_test_runner.h',
86           ],
87           'dependencies': [
88             'seccomp_bpf',
89           ]
90         }],
91       ],
92     },
93     {
94       # The main sandboxing test target.
95       'target_name': 'sandbox_linux_unittests',
96       'includes': [
97         'sandbox_linux_test_sources.gypi',
98       ],
99       'type': 'executable',
100     },
101     {
102       # This target is the shared library used by Android APK (i.e.
103       # JNI-friendly) tests.
104       'target_name': 'sandbox_linux_jni_unittests',
105       'includes': [
106         'sandbox_linux_test_sources.gypi',
107       ],
108       'type': 'shared_library',
109       'conditions': [
110         [ 'OS == "android"', {
111           'dependencies': [
112             '../testing/android/native_test.gyp:native_test_native_code',
113           ],
114         }],
115       ],
116     },
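117     {
          # Sources under bpf_dsl/ and seccomp-bpf/, built as '<(component)'
          # with SANDBOX_IMPLEMENTATION defined. Depends on base and on the
          # sandbox_services targets declared in this file.
118       'target_name': 'seccomp_bpf',
119       'type': '<(component)',
120       'sources': [
121         'bpf_dsl/bpf_dsl.cc',
122         'bpf_dsl/bpf_dsl.h',
123         'bpf_dsl/bpf_dsl_forward.h',
124         'bpf_dsl/bpf_dsl_impl.h',
125         'bpf_dsl/codegen.cc',
126         'bpf_dsl/codegen.h',
127         'bpf_dsl/cons.h',
128         'bpf_dsl/dump_bpf.cc',
129         'bpf_dsl/dump_bpf.h',
130         'bpf_dsl/linux_syscall_ranges.h',
131         'bpf_dsl/policy.cc',
132         'bpf_dsl/policy.h',
133         'bpf_dsl/policy_compiler.cc',
134         'bpf_dsl/policy_compiler.h',
135         'bpf_dsl/seccomp_macros.h',
137         'bpf_dsl/syscall_set.cc',
138         'bpf_dsl/syscall_set.h',
139         'bpf_dsl/trap_registry.h',
140         'bpf_dsl/verifier.cc',
141         'bpf_dsl/verifier.h',
142         'seccomp-bpf/die.cc',
143         'seccomp-bpf/die.h',
144         'seccomp-bpf/errorcode.cc',
145         'seccomp-bpf/errorcode.h',
146         'seccomp-bpf/sandbox_bpf.cc',
147         'seccomp-bpf/sandbox_bpf.h',
148         'seccomp-bpf/syscall.cc',
149         'seccomp-bpf/syscall.h',
150         'seccomp-bpf/trap.cc',
151         'seccomp-bpf/trap.h',
152       ],
153       'dependencies': [
154         '../base/base.gyp:base',
155         'sandbox_services',
156         'sandbox_services_headers',
157       ],
158       'defines': [
159         'SANDBOX_IMPLEMENTATION',
160       ],
161       'includes': [
162         # Disable LTO due to compiler bug
163         # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57703
164         '../../build/android/disable_lto.gypi',
165       ],
166       'include_dirs': [
167         '../..',
168       ],
169     },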
170     {
171       'target_name': 'seccomp_bpf_helpers',
172       'type': '<(component)',
173       'sources': [
174         'seccomp-bpf-helpers/baseline_policy.cc',
175         'seccomp-bpf-helpers/baseline_policy.h',
176         'seccomp-bpf-helpers/sigsys_handlers.cc',
177         'seccomp-bpf-helpers/sigsys_handlers.h',
178         'seccomp-bpf-helpers/syscall_parameters_restrictions.cc',
179         'seccomp-bpf-helpers/syscall_parameters_restrictions.h',
180         'seccomp-bpf-helpers/syscall_sets.cc',
181         'seccomp-bpf-helpers/syscall_sets.h',
182       ],
183       'dependencies': [
184         '../base/base.gyp:base',
185         'sandbox_services',
186         'seccomp_bpf',
187       ],
188       'defines': [
189         'SANDBOX_IMPLEMENTATION',
190       ],
191       'include_dirs': [
192         '../..',
193       ],
194     },
195     {
196       # The setuid sandbox, for Linux
197       'target_name': 'chrome_sandbox',
198       'type': 'executable',
199       'sources': [
200         'suid/common/sandbox.h',
201         'suid/common/suid_unsafe_environment_variables.h',
202         'suid/process_util.h',
203         'suid/process_util_linux.c',
204         'suid/sandbox.c',
205       ],
206       'cflags': [
207         # For ULLONG_MAX
208         '-std=gnu99',
209       ],
210       'include_dirs': [
211         '../..',
212       ],
213       # This setuid binary must not be built with any sanitizer, so -fsanitize* is stripped from cflags and ldflags. http://crbug.com/382766
214       'cflags/': [
215         ['exclude', '-fsanitize'],
216       ],
217       'ldflags/': [
218         ['exclude', '-fsanitize'],
219       ],
220     },
221     { 'target_name': 'sandbox_services',
222       'type': '<(component)',
223       'sources': [
224         'services/init_process_reaper.cc',
225         'services/init_process_reaper.h',
226         'services/proc_util.cc',
227         'services/proc_util.h',
228         'services/resource_limits.cc',
229         'services/resource_limits.h',
230         'services/scoped_process.cc',
231         'services/scoped_process.h',
232         'services/syscall_wrappers.cc',
233         'services/syscall_wrappers.h',
234         'services/thread_helpers.cc',
235         'services/thread_helpers.h',
236         'services/yama.cc',
237         'services/yama.h',
238         'syscall_broker/broker_channel.cc',
239         'syscall_broker/broker_channel.h',
240         'syscall_broker/broker_client.cc',
241         'syscall_broker/broker_client.h',
242         'syscall_broker/broker_common.h',
243         'syscall_broker/broker_file_permission.cc',
244         'syscall_broker/broker_file_permission.h',
245         'syscall_broker/broker_host.cc',
246         'syscall_broker/broker_host.h',
247         'syscall_broker/broker_policy.cc',
248         'syscall_broker/broker_policy.h',
249         'syscall_broker/broker_process.cc',
250         'syscall_broker/broker_process.h',
251       ],
252       'dependencies': [
253         '../base/base.gyp:base',
254       ],
255       'defines': [
256         'SANDBOX_IMPLEMENTATION',
257       ],
258       'conditions': [
259         ['compile_credentials==1', {
260           'sources': [
261             'services/credentials.cc',
262             'services/credentials.h',
263             'services/namespace_sandbox.cc',
264             'services/namespace_sandbox.h',
265             'services/namespace_utils.cc',
266             'services/namespace_utils.h',
267           ],
268           'dependencies': [
269             # for capability.h.
270             'sandbox_services_headers',
271           ],
272         }],
273       ],
274       'include_dirs': [
275         '..',
276       ],
277     },
278     { 'target_name': 'sandbox_services_headers',
279       'type': 'none',
280       'sources': [
281         'system_headers/android_arm64_ucontext.h',
282         'system_headers/android_arm_ucontext.h',
283         'system_headers/android_i386_ucontext.h',
284         'system_headers/android_mips_ucontext.h',
285         'system_headers/android_ucontext.h',
286         'system_headers/arm64_linux_syscalls.h',
287         'system_headers/arm_linux_syscalls.h',
288         'system_headers/capability.h',
289         'system_headers/linux_futex.h',
290         'system_headers/linux_seccomp.h',
291         'system_headers/linux_syscalls.h',
292         'system_headers/mips_linux_syscalls.h',
293         'system_headers/x86_32_linux_syscalls.h',
294         'system_headers/x86_64_linux_syscalls.h',
295       ],
296       'include_dirs': [
297         '..',
298       ],
299     },
300     {
301       # We make this its own target so that it does not interfere
302       # with our tests.
303       'target_name': 'libc_urandom_override',
304       'type': 'static_library',
305       'sources': [
306         'services/libc_urandom_override.cc',
307         'services/libc_urandom_override.h',
308       ],
309       'dependencies': [
310         '../base/base.gyp:base',
311       ],
312       'include_dirs': [
313         '..',
314       ],
315     },
316     {
317       'target_name': 'suid_sandbox_client',
318       'type': '<(component)',
319       'sources': [
320         'suid/common/sandbox.h',
321         'suid/common/suid_unsafe_environment_variables.h',
322         'suid/client/setuid_sandbox_client.cc',
323         'suid/client/setuid_sandbox_client.h',
324         'suid/client/setuid_sandbox_host.cc',
325         'suid/client/setuid_sandbox_host.h',
326       ],
327       'defines': [
328         'SANDBOX_IMPLEMENTATION',
329       ],
330       'dependencies': [
331         '../base/base.gyp:base',
332         'sandbox_services',
333       ],
334       'include_dirs': [
335         '..',
336       ],
337     },
338   ],
339   'conditions': [
340     [ 'OS=="android"', {
341       'targets': [
342       {
343         'target_name': 'sandbox_linux_unittests_stripped',
344         'type': 'none',
345         'dependencies': [ 'sandbox_linux_unittests' ],
346         'actions': [{
347           'action_name': 'strip sandbox_linux_unittests',
348           'inputs': [ '<(PRODUCT_DIR)/sandbox_linux_unittests' ],
349           'outputs': [ '<(PRODUCT_DIR)/sandbox_linux_unittests_stripped' ],
350           'action': [ '<(android_strip)', '<@(_inputs)', '-o', '<@(_outputs)' ],
351         }],
352       },
353       {
354         'target_name': 'sandbox_linux_unittests_deps',
355         'type': 'none',
356         'dependencies': [
357           'sandbox_linux_unittests_stripped',
358         ],
359         # For the component build, ensure dependent shared libraries are
360         # stripped and put alongside sandbox_linux_unittests to simplify pushing
361         # to the device.
362         'variables': {
363            'output_dir': '<(PRODUCT_DIR)/sandbox_linux_unittests_deps/',
364            'native_binary': '<(PRODUCT_DIR)/sandbox_linux_unittests_stripped',
365            'include_main_binary': 0,
366         },
367         'includes': [
368           '../../build/android/native_app_dependencies.gypi'
369         ],
370       }],
371     }],
372     [ 'OS=="android"', {
373       'targets': [
374         {
375         'target_name': 'sandbox_linux_jni_unittests_apk',
376         'type': 'none',
377         'variables': {
378           'test_suite_name': 'sandbox_linux_jni_unittests',
379         },
380         'dependencies': [
381           'sandbox_linux_jni_unittests',
382         ],
383         'includes': [ '../../build/apk_test.gypi' ],
384         }
385       ],
386     }],
387     ['test_isolation_mode != "noop"', {
388       'targets': [
389         {
390           'target_name': 'sandbox_linux_unittests_run',
391           'type': 'none',
392           'dependencies': [
393             'sandbox_linux_unittests',
394           ],
395           'includes': [
396             '../../build/isolate.gypi',
397           ],
398           'sources': [
399             '../sandbox_linux_unittests.isolate',
400           ],
401         },
402       ],
403     }],
404   ],