| blob | 120b4b7de9c2c1ed9a2e55f64862acd6234f9c43 |
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
6 import("//testing/test.gni")
8 declare_args() {
9 compile_suid_client = is_linux
11 compile_credentials = is_linux
13 compile_seccomp_bpf_demo =
14 is_linux && (cpu_arch == "x86" || cpu_arch == "x64")
15 }
17 # We have two principal targets: sandbox and sandbox_linux_unittests
18 # All other targets are listed as dependencies.
19 # There is one notable exception: for historical reasons, chrome_sandbox is
20 # the setuid sandbox and is its own target.
22 group("sandbox") {
23 deps = [
24 ":sandbox_services",
25 ]
27 if (compile_suid_client) {
28 deps += [ ":suid_sandbox_client" ]
29 }
30 if (use_seccomp_bpf) {
31 deps += [
32 ":seccomp_bpf",
33 ":seccomp_bpf_helpers",
34 ]
35 }
36 }
38 source_set("sandbox_linux_test_utils") {
39 testonly = true
40 sources = [
41 "tests/sandbox_test_runner.cc",
42 "tests/sandbox_test_runner.h",
43 "tests/sandbox_test_runner_function_pointer.cc",
44 "tests/sandbox_test_runner_function_pointer.h",
45 "tests/test_utils.cc",
46 "tests/test_utils.h",
47 "tests/unit_tests.cc",
48 "tests/unit_tests.h",
49 ]
51 deps = [
52 "//testing/gtest",
53 ]
55 if (use_seccomp_bpf) {
56 sources += [
57 "seccomp-bpf/bpf_tester_compatibility_delegate.h",
58 "seccomp-bpf/bpf_tests.h",
59 "seccomp-bpf/sandbox_bpf_test_runner.cc",
60 "seccomp-bpf/sandbox_bpf_test_runner.h",
61 ]
62 deps += [ ":seccomp_bpf" ]
63 }
64 }
66 # The main sandboxing test target.
67 test("sandbox_linux_unittests") {
68 sources = [
69 "services/scoped_process_unittest.cc",
70 "services/syscall_wrappers_unittest.cc",
71 "services/thread_helpers_unittests.cc",
72 "services/yama_unittests.cc",
73 "syscall_broker/broker_file_permission_unittest.cc",
74 "syscall_broker/broker_process_unittest.cc",
75 "tests/main.cc",
76 "tests/scoped_temporary_file.cc",
77 "tests/scoped_temporary_file.h",
78 "tests/scoped_temporary_file_unittest.cc",
79 "tests/test_utils_unittest.cc",
80 "tests/unit_tests_unittest.cc",
81 ]
83 deps = [
84 ":sandbox",
85 ":sandbox_linux_test_utils",
86 "//base",
87 "//base/test:test_support",
88 "//testing/gtest",
89 ]
91 if (is_linux) {
92 # Don't use this on Android.
93 libs = [ "rt" ]
94 }
96 if (compile_suid_client) {
97 sources += [ "suid/client/setuid_sandbox_client_unittest.cc" ]
98 }
99 if (use_seccomp_bpf) {
100 sources += [
101 "bpf_dsl/bpf_dsl_more_unittest.cc",
102 "bpf_dsl/bpf_dsl_unittest.cc",
103 "bpf_dsl/cons_unittest.cc",
104 "seccomp-bpf-helpers/baseline_policy_unittest.cc",
105 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
106 "seccomp-bpf/bpf_tests_unittest.cc",
107 "seccomp-bpf/codegen_unittest.cc",
108 "seccomp-bpf/errorcode_unittest.cc",
109 "seccomp-bpf/sandbox_bpf_unittest.cc",
110 "seccomp-bpf/syscall_iterator_unittest.cc",
111 "seccomp-bpf/syscall_unittest.cc",
112 ]
113 }
114 if (compile_credentials) {
115 sources += [
116 "services/credentials_unittest.cc",
117 "services/namespace_utils_unittest.cc",
118 "services/proc_util_unittest.cc",
119 "services/unix_domain_socket_unittest.cc",
120 ]
121 }
122 }
124 # TODO(GYP) Android version of this test.
125 # {
126 # # This target is the shared library used by Android APK (i.e.
127 # # JNI-friendly) tests.
128 # "target_name": "sandbox_linux_jni_unittests",
129 # "includes": [
130 # "sandbox_linux_test_sources.gypi",
131 # ],
132 # "type": "shared_library",
133 # "conditions": [
134 # [ "OS == "android"", {
135 # "dependencies": [
136 # "../testing/android/native_test.gyp:native_test_native_code",
137 # ],
138 # }],
139 # ],
140 # },
142 component("seccomp_bpf") {
143 sources = [
144 "bpf_dsl/bpf_dsl.cc",
145 "bpf_dsl/bpf_dsl.h",
146 "bpf_dsl/bpf_dsl_forward.h",
147 "bpf_dsl/bpf_dsl_impl.h",
148 "bpf_dsl/cons.h",
149 "bpf_dsl/dump_bpf.cc",
150 "bpf_dsl/dump_bpf.h",
151 "bpf_dsl/policy.cc",
152 "bpf_dsl/policy.h",
153 "bpf_dsl/policy_compiler.cc",
154 "bpf_dsl/policy_compiler.h",
155 "bpf_dsl/trap_registry.h",
156 "seccomp-bpf/codegen.cc",
157 "seccomp-bpf/codegen.h",
158 "seccomp-bpf/die.cc",
159 "seccomp-bpf/die.h",
160 "seccomp-bpf/errorcode.cc",
161 "seccomp-bpf/errorcode.h",
162 "seccomp-bpf/linux_seccomp.h",
163 "seccomp-bpf/sandbox_bpf.cc",
164 "seccomp-bpf/sandbox_bpf.h",
165 "seccomp-bpf/syscall.cc",
166 "seccomp-bpf/syscall.h",
167 "seccomp-bpf/syscall_iterator.cc",
168 "seccomp-bpf/syscall_iterator.h",
169 "seccomp-bpf/trap.cc",
170 "seccomp-bpf/trap.h",
171 "seccomp-bpf/verifier.cc",
172 "seccomp-bpf/verifier.h",
173 ]
174 defines = [ "SANDBOX_IMPLEMENTATION" ]
176 deps = [
177 ":sandbox_services",
178 ":sandbox_services_headers",
179 "//base",
180 ]
181 }
183 component("seccomp_bpf_helpers") {
184 sources = [
185 "seccomp-bpf-helpers/baseline_policy.cc",
186 "seccomp-bpf-helpers/baseline_policy.h",
187 "seccomp-bpf-helpers/sigsys_handlers.cc",
188 "seccomp-bpf-helpers/sigsys_handlers.h",
189 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
190 "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
191 "seccomp-bpf-helpers/syscall_sets.cc",
192 "seccomp-bpf-helpers/syscall_sets.h",
193 ]
194 defines = [ "SANDBOX_IMPLEMENTATION" ]
196 deps = [
197 "//base",
198 ":sandbox_services",
199 ":seccomp_bpf",
200 ]
201 }
203 if (is_linux) {
204 # The setuid sandbox for Linux.
205 executable("chrome_sandbox") {
206 sources = [
207 "suid/common/sandbox.h",
208 "suid/common/suid_unsafe_environment_variables.h",
209 "suid/process_util.h",
210 "suid/process_util_linux.c",
211 "suid/sandbox.c",
212 ]
214 cflags = [
215 # For ULLONG_MAX
216 "-std=gnu99",
218 # These files have a suspicious comparison.
219 # TODO fix this and re-enable this warning.
220 "-Wno-sign-compare",
221 ]
222 }
223 }
225 component("sandbox_services") {
226 sources = [
227 "services/init_process_reaper.cc",
228 "services/init_process_reaper.h",
229 "services/scoped_process.cc",
230 "services/scoped_process.h",
231 "services/syscall_wrappers.cc",
232 "services/syscall_wrappers.h",
233 "services/thread_helpers.cc",
234 "services/thread_helpers.h",
235 "services/yama.h",
236 "services/yama.cc",
237 "syscall_broker/broker_channel.cc",
238 "syscall_broker/broker_channel.h",
239 "syscall_broker/broker_client.cc",
240 "syscall_broker/broker_client.h",
241 "syscall_broker/broker_common.h",
242 "syscall_broker/broker_file_permission.cc",
243 "syscall_broker/broker_file_permission.h",
244 "syscall_broker/broker_host.cc",
245 "syscall_broker/broker_host.h",
246 "syscall_broker/broker_policy.cc",
247 "syscall_broker/broker_policy.h",
248 "syscall_broker/broker_process.cc",
249 "syscall_broker/broker_process.h",
250 ]
252 defines = [ "SANDBOX_IMPLEMENTATION" ]
254 if (compile_credentials) {
255 sources += [
256 "services/credentials.cc",
257 "services/credentials.h",
258 "services/namespace_utils.cc",
259 "services/namespace_utils.h",
260 "services/proc_util.cc",
261 "services/proc_util.h",
262 ]
264 # For capabilities.cc.
265 configs += [ "//build/config/linux:libcap" ]
266 }
268 deps = [
269 "//base",
270 ]
271 }
273 source_set("sandbox_services_headers") {
274 sources = [
275 "services/android_arm_ucontext.h",
276 "services/android_arm64_ucontext.h",
277 "services/android_futex.h",
278 "services/android_ucontext.h",
279 "services/android_i386_ucontext.h",
280 "services/arm_linux_syscalls.h",
281 "services/arm64_linux_syscalls.h",
282 "services/linux_syscalls.h",
283 "services/x86_32_linux_syscalls.h",
284 "services/x86_64_linux_syscalls.h",
285 ]
286 }
288 # We make this its own target so that it does not interfere with our tests.
289 source_set("libc_urandom_override") {
290 sources = [
291 "services/libc_urandom_override.cc",
292 "services/libc_urandom_override.h",
293 ]
294 deps = [
295 "//base",
296 ]
297 }
299 if (compile_suid_client) {
300 component("suid_sandbox_client") {
301 sources = [
302 "suid/common/sandbox.h",
303 "suid/common/suid_unsafe_environment_variables.h",
304 "suid/client/setuid_sandbox_client.cc",
305 "suid/client/setuid_sandbox_client.h",
306 ]
307 defines = [ "SANDBOX_IMPLEMENTATION" ]
309 deps = [
310 ":sandbox_services",
311 "//base",
312 ]
313 }
314 }
316 if (is_android) {
317 # TODO(GYP) enable this. Needs an android_strip wrapper python script.
318 #action("sandbox_linux_unittests_stripped") {
319 # script = "android_stip.py"
320 #
321 # in_file = "$root_out_dir/sandbox_linux_unittests"
322 #
323 # out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
324 # outputs = [ out_file ]
325 #
326 # args = [
327 # rebase_path(in_file, root_build_dir),
328 # "-o", rebase_path(out_file, root_build_dir),
329 # ]
330 #
331 # deps = [
332 # ":sandbox_linux_unittests",
333 # ]
334 #}
335 # TODO(GYP) convert this.
336 # {
337 # 'target_name': 'sandbox_linux_jni_unittests_apk',
338 # 'type': 'none',
339 # 'variables': {
340 # 'test_suite_name': 'sandbox_linux_jni_unittests',
341 # },
342 # 'dependencies': [
343 # 'sandbox_linux_jni_unittests',
344 # ],
345 # 'includes': [ '../../build/apk_test.gypi' ],
346 # }
347 }