sandbox/linux/BUILD.gn

   1 # Copyright 2014 The Chromium Authors. All rights reserved.
   2 # Use of this source code is governed by a BSD-style license that can be
   3 # found in the LICENSE file.
   4
   5 import("//build/config/features.gni")
   6 import("//testing/test.gni")
   7
   8 declare_args() {
   9   compile_suid_client = is_linux
  10
  11   compile_credentials = is_linux
  12
  13   # On Android, use plain GTest.
  14   use_base_test_suite = is_linux
  15 }
  16
  17 # We have two principal targets: sandbox and sandbox_linux_unittests
  18 # All other targets are listed as dependencies.
  19 # There is one notable exception: for historical reasons, chrome_sandbox is
  20 # the setuid sandbox and is its own target.
  21
  22 group("sandbox") {
  23   deps = [
  24     ":sandbox_services",
  25   ]
  26
  27   if (compile_suid_client) {
  28     deps += [ ":suid_sandbox_client" ]
  29   }
  30   if (use_seccomp_bpf) {
  31     deps += [
  32       ":seccomp_bpf",
  33       ":seccomp_bpf_helpers",
  34     ]
  35   }
  36 }
  37
  38 source_set("sandbox_linux_test_utils") {
  39   testonly = true
  40   sources = [
  41     "tests/sandbox_test_runner.cc",
  42     "tests/sandbox_test_runner.h",
  43     "tests/sandbox_test_runner_function_pointer.cc",
  44     "tests/sandbox_test_runner_function_pointer.h",
  45     "tests/test_utils.cc",
  46     "tests/test_utils.h",
  47     "tests/unit_tests.cc",
  48     "tests/unit_tests.h",
  49   ]
  50
  51   deps = [
  52     "//testing/gtest",
  53   ]
  54
  55   if (use_seccomp_bpf) {
  56     sources += [
  57       "seccomp-bpf/bpf_tester_compatibility_delegate.h",
  58       "seccomp-bpf/bpf_tests.h",
  59       "seccomp-bpf/sandbox_bpf_test_runner.cc",
  60       "seccomp-bpf/sandbox_bpf_test_runner.h",
  61     ]
  62     deps += [ ":seccomp_bpf" ]
  63   }
  64
  65   if (use_base_test_suite) {
  66     deps += [ "//base/test:test_support" ]
  67     defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  68   }
  69 }
  70
  71 # Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
  72 source_set("sandbox_linux_unittests_sources") {
  73   testonly = true
  74
  75   sources = [
  76     "services/proc_util_unittest.cc",
  77     "services/resource_limits_unittests.cc",
  78     "services/scoped_process_unittest.cc",
  79     "services/syscall_wrappers_unittest.cc",
  80     "services/thread_helpers_unittests.cc",
  81     "services/yama_unittests.cc",
  82     "syscall_broker/broker_file_permission_unittest.cc",
  83     "syscall_broker/broker_process_unittest.cc",
  84     "tests/main.cc",
  85     "tests/scoped_temporary_file.cc",
  86     "tests/scoped_temporary_file.h",
  87     "tests/scoped_temporary_file_unittest.cc",
  88     "tests/test_utils_unittest.cc",
  89     "tests/unit_tests_unittest.cc",
  90   ]
  91
  92   deps = [
  93     ":sandbox",
  94     ":sandbox_linux_test_utils",
  95     "//base",
  96     "//testing/gtest",
  97   ]
  98
  99   if (use_base_test_suite) {
 100     deps += [ "//base/test:test_support" ]
 101     defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
 102   }
 103
 104   if (is_linux) {
 105     # Don't use this on Android.
 106     libs = [ "rt" ]
 107   }
 108
 109   if (compile_suid_client) {
 110     sources += [
 111       "suid/client/setuid_sandbox_client_unittest.cc",
 112       "suid/client/setuid_sandbox_host_unittest.cc",
 113     ]
 114   }
 115   if (use_seccomp_bpf) {
 116     sources += [
 117       "bpf_dsl/bpf_dsl_unittest.cc",
 118       "bpf_dsl/codegen_unittest.cc",
 119       "bpf_dsl/cons_unittest.cc",
 120       "bpf_dsl/syscall_set_unittest.cc",
 121       "integration_tests/bpf_dsl_seccomp_unittest.cc",
 122       "integration_tests/seccomp_broker_process_unittest.cc",
 123       "seccomp-bpf-helpers/baseline_policy_unittest.cc",
 124       "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
 125       "seccomp-bpf/bpf_tests_unittest.cc",
 126       "seccomp-bpf/errorcode_unittest.cc",
 127       "seccomp-bpf/sandbox_bpf_unittest.cc",
 128       "seccomp-bpf/syscall_unittest.cc",
 129       "seccomp-bpf/trap_unittest.cc",
 130     ]
 131   }
 132   if (compile_credentials) {
 133     sources += [
 134       "integration_tests/namespace_unix_domain_socket_unittest.cc",
 135       "services/credentials_unittest.cc",
 136       "services/namespace_utils_unittest.cc",
 137     ]
 138
 139     if (use_base_test_suite) {
 140       # Tests that use advanced features not available in stock GTest.
 141       sources += [ "services/namespace_sandbox_unittest.cc" ]
 142     }
 143
 144     # For credentials_unittest.cc
 145     configs += [ "//build/config/linux:libcap" ]
 146   }
 147 }
 148
 149 # TODO(GYP): Delete this after we've converted everything to GN.
 150 # The _run targets exist only for compatibility w/ GYP.
 151 group("sandbox_linux_unittests_run") {
 152   testonly = true
 153   deps = [
 154     ":sandbox_linux_unittests",
 155   ]
 156 }
 157
 158 # The main sandboxing test target.
 159 test("sandbox_linux_unittests") {
 160   deps = [
 161     ":sandbox_linux_unittests_sources",
 162   ]
 163 }
 164
 165 # This target is the shared library used by Android APK (i.e.
 166 # JNI-friendly) tests.
 167 shared_library("sandbox_linux_jni_unittests") {
 168   testonly = true
 169   deps = [
 170     ":sandbox_linux_unittests_sources",
 171   ]
 172   if (is_android) {
 173     deps += [ "//testing/android/native_test:native_test_native_code" ]
 174   }
 175 }
 176
 177 component("seccomp_bpf") {
 178   sources = [
 179     "bpf_dsl/bpf_dsl.cc",
 180     "bpf_dsl/bpf_dsl.h",
 181     "bpf_dsl/bpf_dsl_forward.h",
 182     "bpf_dsl/bpf_dsl_impl.h",
 183     "bpf_dsl/codegen.cc",
 184     "bpf_dsl/codegen.h",
 185     "bpf_dsl/cons.h",
 186     "bpf_dsl/dump_bpf.cc",
 187     "bpf_dsl/dump_bpf.h",
 188     "bpf_dsl/linux_syscall_ranges.h",
 189     "bpf_dsl/policy.cc",
 190     "bpf_dsl/policy.h",
 191     "bpf_dsl/policy_compiler.cc",
 192     "bpf_dsl/policy_compiler.h",
 193     "bpf_dsl/seccomp_macros.h",
 194     "bpf_dsl/syscall_set.cc",
 195     "bpf_dsl/syscall_set.h",
 196     "bpf_dsl/trap_registry.h",
 197     "bpf_dsl/verifier.cc",
 198     "bpf_dsl/verifier.h",
 199     "seccomp-bpf/die.cc",
 200     "seccomp-bpf/die.h",
 201     "seccomp-bpf/errorcode.cc",
 202     "seccomp-bpf/errorcode.h",
 203     "seccomp-bpf/sandbox_bpf.cc",
 204     "seccomp-bpf/sandbox_bpf.h",
 205     "seccomp-bpf/syscall.cc",
 206     "seccomp-bpf/syscall.h",
 207     "seccomp-bpf/trap.cc",
 208     "seccomp-bpf/trap.h",
 209   ]
 210   defines = [ "SANDBOX_IMPLEMENTATION" ]
 211
 212   deps = [
 213     ":sandbox_services",
 214     ":sandbox_services_headers",
 215     "//base",
 216   ]
 217 }
 218
 219 component("seccomp_bpf_helpers") {
 220   sources = [
 221     "seccomp-bpf-helpers/baseline_policy.cc",
 222     "seccomp-bpf-helpers/baseline_policy.h",
 223     "seccomp-bpf-helpers/sigsys_handlers.cc",
 224     "seccomp-bpf-helpers/sigsys_handlers.h",
 225     "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
 226     "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
 227     "seccomp-bpf-helpers/syscall_sets.cc",
 228     "seccomp-bpf-helpers/syscall_sets.h",
 229   ]
 230   defines = [ "SANDBOX_IMPLEMENTATION" ]
 231
 232   deps = [
 233     "//base",
 234     ":sandbox_services",
 235     ":seccomp_bpf",
 236   ]
 237 }
 238
 239 if (is_linux) {
 240   # The setuid sandbox for Linux.
 241   executable("chrome_sandbox") {
 242     sources = [
 243       "suid/common/sandbox.h",
 244       "suid/common/suid_unsafe_environment_variables.h",
 245       "suid/process_util.h",
 246       "suid/process_util_linux.c",
 247       "suid/sandbox.c",
 248     ]
 249
 250     cflags = [
 251       # For ULLONG_MAX
 252       "-std=gnu99",
 253
 254       # These files have a suspicious comparison.
 255       # TODO fix this and re-enable this warning.
 256       "-Wno-sign-compare",
 257     ]
 258   }
 259 }
 260
 261 component("sandbox_services") {
 262   sources = [
 263     "services/init_process_reaper.cc",
 264     "services/init_process_reaper.h",
 265     "services/proc_util.cc",
 266     "services/proc_util.h",
 267     "services/resource_limits.cc",
 268     "services/resource_limits.h",
 269     "services/scoped_process.cc",
 270     "services/scoped_process.h",
 271     "services/syscall_wrappers.cc",
 272     "services/syscall_wrappers.h",
 273     "services/thread_helpers.cc",
 274     "services/thread_helpers.h",
 275     "services/yama.cc",
 276     "services/yama.h",
 277     "syscall_broker/broker_channel.cc",
 278     "syscall_broker/broker_channel.h",
 279     "syscall_broker/broker_client.cc",
 280     "syscall_broker/broker_client.h",
 281     "syscall_broker/broker_common.h",
 282     "syscall_broker/broker_file_permission.cc",
 283     "syscall_broker/broker_file_permission.h",
 284     "syscall_broker/broker_host.cc",
 285     "syscall_broker/broker_host.h",
 286     "syscall_broker/broker_policy.cc",
 287     "syscall_broker/broker_policy.h",
 288     "syscall_broker/broker_process.cc",
 289     "syscall_broker/broker_process.h",
 290   ]
 291
 292   defines = [ "SANDBOX_IMPLEMENTATION" ]
 293
 294   deps = [
 295     "//base",
 296   ]
 297
 298   if (compile_credentials) {
 299     sources += [
 300       "services/credentials.cc",
 301       "services/credentials.h",
 302       "services/namespace_sandbox.cc",
 303       "services/namespace_sandbox.h",
 304       "services/namespace_utils.cc",
 305       "services/namespace_utils.h",
 306     ]
 307
 308     deps += [ ":sandbox_services_headers" ]
 309   }
 310 }
 311
 312 source_set("sandbox_services_headers") {
 313   sources = [
 314     "system_headers/arm64_linux_syscalls.h",
 315     "system_headers/arm64_linux_ucontext.h",
 316     "system_headers/arm_linux_syscalls.h",
 317     "system_headers/arm_linux_ucontext.h",
 318     "system_headers/i386_linux_ucontext.h",
 319     "system_headers/linux_futex.h",
 320     "system_headers/linux_seccomp.h",
 321     "system_headers/linux_signal.h",
 322     "system_headers/linux_syscalls.h",
 323     "system_headers/linux_time.h",
 324     "system_headers/linux_ucontext.h",
 325     "system_headers/x86_32_linux_syscalls.h",
 326     "system_headers/x86_64_linux_syscalls.h",
 327   ]
 328 }
 329
 330 # We make this its own target so that it does not interfere with our tests.
 331 source_set("libc_urandom_override") {
 332   sources = [
 333     "services/libc_urandom_override.cc",
 334     "services/libc_urandom_override.h",
 335   ]
 336   deps = [
 337     "//base",
 338   ]
 339 }
 340
 341 if (compile_suid_client) {
 342   component("suid_sandbox_client") {
 343     sources = [
 344       "suid/client/setuid_sandbox_client.cc",
 345       "suid/client/setuid_sandbox_client.h",
 346       "suid/client/setuid_sandbox_host.cc",
 347       "suid/client/setuid_sandbox_host.h",
 348       "suid/common/sandbox.h",
 349       "suid/common/suid_unsafe_environment_variables.h",
 350     ]
 351     defines = [ "SANDBOX_IMPLEMENTATION" ]
 352
 353     deps = [
 354       ":sandbox_services",
 355       "//base",
 356     ]
 357   }
 358 }
 359
 360 if (is_android) {
 361   # TODO(GYP) enable this. Needs an android_strip wrapper python script.
 362   #action("sandbox_linux_unittests_stripped") {
 363   #  script = "android_stip.py"
 364   #
 365   #  in_file = "$root_out_dir/sandbox_linux_unittests"
 366   #
 367   #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
 368   #  outputs = [ out_file ]
 369   #
 370   #  args = [
 371   #    rebase_path(in_file, root_build_dir),
 372   #    "-o", rebase_path(out_file, root_build_dir),
 373   #  ]
 374   #
 375   #  deps = [
 376   #    ":sandbox_linux_unittests",
 377   #  ]
 378   #}
 379   # TODO(GYP) convert this.
 380   #      {
 381   #      'target_name': 'sandbox_linux_jni_unittests_apk',
 382   #      'type': 'none',
 383   #      'variables': {
 384   #        'test_suite_name': 'sandbox_linux_jni_unittests',
 385   #      },
 386   #      'dependencies': [
 387   #        'sandbox_linux_jni_unittests',
 388   #      ],
 389   #      'includes': [ '../../build/apk_test.gypi' ],
 390   #      }
 391 }