# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import("//build/config/features.gni")
declare_args() {
compile_suid_client = is_linux
compile_credentials = is_linux
compile_seccomp_bpf_demo =
(is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}
# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
group("sandbox") {
deps = [
":sandbox_services",
]
if (compile_suid_client) {
deps += [ ":suid_sandbox_client" ]
}
if (use_seccomp_bpf) {
deps += [
":seccomp_bpf",
":seccomp_bpf_helpers",
]
}
}
source_set("sandbox_linux_test_utils") {
sources = [
"tests/sandbox_test_runner.cc",
"tests/sandbox_test_runner.h",
"tests/sandbox_test_runner_function_pointer.cc",
"tests/sandbox_test_runner_function_pointer.h",
"tests/test_utils.cc",
"tests/test_utils.h",
"tests/unit_tests.cc",
"tests/unit_tests.h",
]
deps = [
"//testing/gtest",
]
if (use_seccomp_bpf) {
sources += [
"seccomp-bpf/bpf_tester_compatibility_delegate.h",
"seccomp-bpf/bpf_tests.h",
"seccomp-bpf/sandbox_bpf_test_runner.cc",
"seccomp-bpf/sandbox_bpf_test_runner.h",
]
deps += [
":seccomp_bpf",
]
}
}
# The main sandboxing test target.
test("sandbox_linux_unittests") {
sources = [
"tests/main.cc",
"tests/unit_tests_unittest.cc",
"services/broker_process_unittest.cc",
"services/scoped_process_unittest.cc",
"services/thread_helpers_unittests.cc",
"services/yama_unittests.cc",
]
deps = [
":sandbox",
":sandbox_linux_test_utils",
"//base",
"//base/test:test_support",
"//testing/gtest",
]
if (compile_suid_client) {
sources += [
"suid/client/setuid_sandbox_client_unittest.cc",
]
}
if (use_seccomp_bpf) {
sources += [
"seccomp-bpf-helpers/baseline_policy_unittest.cc",
"seccomp-bpf/bpf_tests_unittest.cc",
"seccomp-bpf/codegen_unittest.cc",
"seccomp-bpf/errorcode_unittest.cc",
"seccomp-bpf/sandbox_bpf_unittest.cc",
"seccomp-bpf/syscall_iterator_unittest.cc",
"seccomp-bpf/syscall_unittest.cc",
]
}
if (compile_credentials) {
sources += [
"services/credentials_unittest.cc",
"services/unix_domain_socket_unittest.cc",
]
}
}
# TODO(GYP) Android version of this test.
# {
# # This target is the shared library used by Android APK (i.e.
# # JNI-friendly) tests.
# "target_name": "sandbox_linux_jni_unittests",
# "includes": [
# "sandbox_linux_test_sources.gypi",
# ],
# "type": "shared_library",
# "conditions": [
# [ "OS == "android"", {
# "dependencies": [
# "../testing/android/native_test.gyp:native_test_native_code",
# ],
# }],
# ],
# },
component("seccomp_bpf") {
sources = [
"seccomp-bpf/basicblock.cc",
"seccomp-bpf/basicblock.h",
"seccomp-bpf/codegen.cc",
"seccomp-bpf/codegen.h",
"seccomp-bpf/die.cc",
"seccomp-bpf/die.h",
"seccomp-bpf/errorcode.cc",
"seccomp-bpf/errorcode.h",
"seccomp-bpf/instruction.h",
"seccomp-bpf/linux_seccomp.h",
"seccomp-bpf/sandbox_bpf.cc",
"seccomp-bpf/sandbox_bpf.h",
"seccomp-bpf/sandbox_bpf_compatibility_policy.h",
"seccomp-bpf/sandbox_bpf_policy.cc",
"seccomp-bpf/sandbox_bpf_policy.h",
"seccomp-bpf/syscall.cc",
"seccomp-bpf/syscall.h",
"seccomp-bpf/syscall_iterator.cc",
"seccomp-bpf/syscall_iterator.h",
"seccomp-bpf/trap.cc",
"seccomp-bpf/trap.h",
"seccomp-bpf/verifier.cc",
"seccomp-bpf/verifier.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
":sandbox_services_headers",
"//base",
]
}
component("seccomp_bpf_helpers") {
sources = [
"seccomp-bpf-helpers/baseline_policy.cc",
"seccomp-bpf-helpers/baseline_policy.h",
"seccomp-bpf-helpers/sigsys_handlers.cc",
"seccomp-bpf-helpers/sigsys_handlers.h",
"seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
"seccomp-bpf-helpers/syscall_parameters_restrictions.h",
"seccomp-bpf-helpers/syscall_sets.cc",
"seccomp-bpf-helpers/syscall_sets.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
"//base",
":seccomp_bpf",
]
}
if (compile_seccomp_bpf_demo) {
# A demonstration program for the seccomp-bpf sandbox.
executable("seccomp_bpf_demo") {
sources = [
"seccomp-bpf/demo.cc",
]
deps = [
":seccomp_bpf",
]
}
}
# The setuid sandbox for Linux.
executable("chrome_sandbox") {
sources = [
"suid/common/sandbox.h",
"suid/common/suid_unsafe_environment_variables.h",
"suid/linux_util.c",
"suid/linux_util.h",
"suid/process_util.h",
"suid/process_util_linux.c",
"suid/sandbox.c",
]
cflags = [
# For ULLONG_MAX
"-std=gnu99",
# These files have a suspicious comparison.
# TODO fix this and re-enable this warning.
"-Wno-sign-compare",
]
}
component("sandbox_services") {
sources = [
"services/broker_process.cc",
"services/broker_process.h",
"services/init_process_reaper.cc",
"services/init_process_reaper.h",
"services/scoped_process.cc",
"services/scoped_process.h",
"services/thread_helpers.cc",
"services/thread_helpers.h",
"services/yama.h",
"services/yama.cc",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
if (compile_credentials) {
sources += [
"services/credentials.cc",
"services/credentials.h",
]
# For capabilities.cc.
configs += [ "//build/config/linux:libcap" ]
}
deps = [
"//base",
]
}
source_set("sandbox_services_headers") {
sources = [
"services/android_arm_ucontext.h",
"services/android_futex.h",
"services/android_ucontext.h",
"services/android_i386_ucontext.h",
"services/arm_linux_syscalls.h",
"services/linux_syscalls.h",
"services/x86_32_linux_syscalls.h",
"services/x86_64_linux_syscalls.h",
]
}
# We make this its own target so that it does not interfere with our tests.
source_set("libc_urandom_override") {
sources = [
"services/libc_urandom_override.cc",
"services/libc_urandom_override.h",
]
deps = [
"//base",
]
}
component("suid_sandbox_client") {
sources = [
"suid/common/sandbox.h",
"suid/common/suid_unsafe_environment_variables.h",
"suid/client/setuid_sandbox_client.cc",
"suid/client/setuid_sandbox_client.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
":sandbox_services",
"//base",
]
}
if (is_android) {
# TODO(GYP) enable this. Needs an android_strip wrapper python script.
#action("sandbox_linux_unittests_stripped") {
# script = "android_stip.py"
#
# in_file = "$root_out_dir/sandbox_linux_unittests"
#
# out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
# outputs = [ out_file ]
#
# args = [
# rebase_path(in_file, root_build_dir),
# "-o", rebase_path(out_file, root_build_dir),
# ]
#
# deps = [
# ":sandbox_linux_unittests",
# ]
#}
# TODO(GYP) convert this.
# {
# 'target_name': 'sandbox_linux_jni_unittests_apk',
# 'type': 'none',
# 'variables': {
# 'test_suite_name': 'sandbox_linux_jni_unittests',
# },
# 'dependencies': [
# 'sandbox_linux_jni_unittests',
# ],
# 'includes': [ '../../build/apk_test.gypi' ],
# }
}