[platform/framework/web/crosswalk.git] / src / sandbox / linux / BUILD.gn
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
4
5 import("//build/config/features.gni")
6
# Build arguments that choose which optional parts of the Linux sandbox are
# compiled. The values below are the defaults; as with any declare_args()
# block, a build can override them.
declare_args() {
  # Gates the ":suid_sandbox_client" dependency of group("sandbox") and the
  # setuid sandbox client unit test.
  compile_suid_client = is_linux

  # Gates services/credentials.{cc,h} (and the libcap config) in
  # ":sandbox_services", plus the credentials and unix-domain-socket unit tests.
  compile_credentials = is_linux

  # Gates the seccomp_bpf_demo executable; on by default only for Linux on
  # x86 and x64.
  compile_seccomp_bpf_demo =
    (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}
15
16 # We have two principal targets: sandbox and sandbox_linux_unittests
17 # All other targets are listed as dependencies.
18 # There is one notable exception: for historical reasons, chrome_sandbox is
19 # the setuid sandbox and is its own target.
20
# Aggregate target for the Linux sandbox libraries. It always depends on
# ":sandbox_services" and adds the setuid client and the seccomp-bpf components
# only when their build switches are on. A configuration with a switch off
# therefore ships without that sandbox layer; nothing here fails the build.
group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  # compile_suid_client comes from this file's declare_args().
  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  # use_seccomp_bpf is not defined in this file; presumably it comes from
  # //build/config/features.gni, imported at the top - confirm.
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}
36
# Shared test scaffolding (test runners and unit-test helpers) used by
# "sandbox_linux_unittests". Test-only code: production targets in this file
# do not depend on it.
source_set("sandbox_linux_test_utils") {
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # The BPF test runner and its headers are added only when seccomp-bpf is
  # enabled, because they need the ":seccomp_bpf" component.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [
      ":seccomp_bpf",
    ]
  }
}
65
# The main sandboxing test target.
#
# Only the services and test-helper tests are unconditional. The setuid
# client, seccomp-bpf and credentials tests are compiled in only when the
# matching switch is on, so a passing run covers just the layers that were
# built. Check the switches before treating a green run as coverage of the
# whole sandbox.
test("sandbox_linux_unittests") {
  sources = [
    "services/broker_process_unittest.cc",
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  # Setuid sandbox client test.
  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
    ]
  }
  # Tests for the BPF DSL, the baseline policy, and the seccomp-bpf code
  # generator, error codes, sandbox and syscall helpers.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }
  # NOTE(review): the unix-domain-socket test is gated on compile_credentials
  # as well; presumably it relies on the credentials code - confirm.
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}
113
114 # TODO(GYP) Android version of this test.
115 #    {
116 #      # This target is the shared library used by Android APK (i.e.
117 #      # JNI-friendly) tests.
118 #      "target_name": "sandbox_linux_jni_unittests",
119 #      "includes": [
120 #        "sandbox_linux_test_sources.gypi",
121 #      ],
122 #      "type": "shared_library",
123 #      "conditions": [
124 #        [ "OS == "android"", {
125 #          "dependencies": [
126 #            "../testing/android/native_test.gyp:native_test_native_code",
127 #          ],
128 #        }],
129 #      ],
130 #    },
131
# The seccomp-bpf sandbox component: the BPF policy DSL (bpf_dsl/) and the
# seccomp-bpf sources for code generation, error codes, syscall helpers, trap
# handling and the verifier. group("sandbox") depends on it only when
# use_seccomp_bpf is set.
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/cons.h",
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/sandbox_bpf_compatibility_policy.h",
    "seccomp-bpf/sandbox_bpf_policy.cc",
    "seccomp-bpf/sandbox_bpf_policy.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]
  # Set on every component() in this file; presumably it selects the
  # symbol-export side of the sandbox headers - confirm.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # Depends only on the header-only services target, not on
  # ":sandbox_services" itself.
  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}
168
# Helpers built on top of ":seccomp_bpf": the baseline policy, SIGSYS
# handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  # Same define as the other sandbox components in this file.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}
187
# Built only when compile_seccomp_bpf_demo is set (by default, Linux on x86
# and x64). No other target in this file depends on it.
if (compile_seccomp_bpf_demo) {
  # A demonstration program for the seccomp-bpf sandbox.
  executable("seccomp_bpf_demo") {
    sources = [
      "seccomp-bpf/demo.cc",
    ]
    deps = [
      ":seccomp_bpf",
    ]
  }
}
199
# The setuid sandbox for Linux.
#
# A standalone C executable with no deps on other targets in this file. The
# setuid bit is not applied here; that must happen wherever the binary is
# installed. Because this helper runs with elevated privilege, its compiler
# flags deserve the same scrutiny as its sources.
executable("chrome_sandbox") {
  sources = [
    # The two suid/common headers are also listed by ":suid_sandbox_client",
    # so the helper and its client are built against the same definitions.
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/linux_util.c",
    "suid/linux_util.h",
    "suid/process_util.h",
    "suid/process_util_linux.c",
    "suid/sandbox.c",
  ]

  cflags = [
    # For ULLONG_MAX
    "-std=gnu99",
    # These files have a suspicious comparison.
    # TODO fix this and re-enable this warning.
    # NOTE(review): this turns off signed/unsigned comparison warnings for
    # every source in a privileged binary. A mixed-sign comparison can let a
    # negative value pass a bounds or length check, so the flagged comparison
    # should be audited and the warning restored rather than left suppressed.
    "-Wno-sign-compare",
  ]
}
220
# Sandbox support services: the broker process, init process reaper, scoped
# process, thread helpers and Yama sources, plus credentials when enabled.
# This is the one dependency group("sandbox") always pulls in.
component("sandbox_services") {
  sources = [
    "services/broker_process.cc",
    "services/broker_process.h",
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
  ]

  # Same define as the other sandbox components in this file.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]
    # For capabilities.cc.
    # NOTE(review): no capabilities.cc is listed in this target; presumably
    # credentials.cc is the file that needs libcap - confirm and update the
    # comment above.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [
    "//base",
  ]
}
250
# Header-only target: per-architecture syscall number headers and Android
# ucontext/futex compatibility headers. ":seccomp_bpf" depends on this target
# instead of the full ":sandbox_services" component.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}
263
# We make this its own target so that it does not interfere with our tests.
#
# No target in this file depends on it, including group("sandbox"), so a
# binary gets the override only if it lists this target explicitly.
# NOTE(review): judging by the name, this replaces libc entry points used to
# reach urandom - confirm against services/libc_urandom_override.cc.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}
274
# Client-side library for the setuid sandbox. group("sandbox") adds it only
# when compile_suid_client is set.
component("suid_sandbox_client") {
  sources = [
    # The two suid/common headers are also listed by
    # executable("chrome_sandbox"), so the client and the setuid helper are
    # built against the same definitions.
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/client/setuid_sandbox_client.cc",
    "suid/client/setuid_sandbox_client.h",
  ]
  # Same define as the other sandbox components in this file.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    "//base",
  ]
}
289
# Android-only targets. Both are still commented-out placeholders from the GYP
# conversion, so this block currently defines nothing.
if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  # NOTE(review): "android_stip.py" below looks like a typo for the
  # android_strip wrapper named in the TODO; confirm the script name before
  # enabling this action.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}

  # TODO(GYP) convert this.
  #      {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #      }
}