| blob | 84966854cec7762df3530489d16dfacb818f14ed |
1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
6 import("//testing/test.gni")
8 declare_args() {
9 compile_suid_client = is_linux
11 compile_credentials = is_linux
13 compile_seccomp_bpf_demo =
14 is_linux && (current_cpu == "x86" || current_cpu == "x64")
15 }
17 # We have two principal targets: sandbox and sandbox_linux_unittests
18 # All other targets are listed as dependencies.
19 # There is one notable exception: for historical reasons, chrome_sandbox is
20 # the setuid sandbox and is its own target.
22 group("sandbox") {
23 deps = [
24 ":sandbox_services",
25 ]
27 if (compile_suid_client) {
28 deps += [ ":suid_sandbox_client" ]
29 }
30 if (use_seccomp_bpf) {
31 deps += [
32 ":seccomp_bpf",
33 ":seccomp_bpf_helpers",
34 ]
35 }
36 }
38 source_set("sandbox_linux_test_utils") {
39 testonly = true
40 sources = [
41 "tests/sandbox_test_runner.cc",
42 "tests/sandbox_test_runner.h",
43 "tests/sandbox_test_runner_function_pointer.cc",
44 "tests/sandbox_test_runner_function_pointer.h",
45 "tests/test_utils.cc",
46 "tests/test_utils.h",
47 "tests/unit_tests.cc",
48 "tests/unit_tests.h",
49 ]
51 deps = [
52 "//testing/gtest",
53 ]
55 if (use_seccomp_bpf) {
56 sources += [
57 "seccomp-bpf/bpf_tester_compatibility_delegate.h",
58 "seccomp-bpf/bpf_tests.h",
59 "seccomp-bpf/sandbox_bpf_test_runner.cc",
60 "seccomp-bpf/sandbox_bpf_test_runner.h",
61 ]
62 deps += [ ":seccomp_bpf" ]
63 }
64 }
66 # Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
67 source_set("sandbox_linux_unittests_sources") {
68 testonly = true
70 sources = [
71 "services/proc_util_unittest.cc",
72 "services/resource_limits_unittests.cc",
73 "services/scoped_process_unittest.cc",
74 "services/syscall_wrappers_unittest.cc",
75 "services/thread_helpers_unittests.cc",
76 "services/yama_unittests.cc",
77 "syscall_broker/broker_file_permission_unittest.cc",
78 "syscall_broker/broker_process_unittest.cc",
79 "tests/main.cc",
80 "tests/scoped_temporary_file.cc",
81 "tests/scoped_temporary_file.h",
82 "tests/scoped_temporary_file_unittest.cc",
83 "tests/test_utils_unittest.cc",
84 "tests/unit_tests_unittest.cc",
85 ]
87 deps = [
88 ":sandbox",
89 ":sandbox_linux_test_utils",
90 "//base",
91 "//base/test:test_support",
92 "//testing/gtest",
93 ]
95 if (is_linux) {
96 # Don't use this on Android.
97 libs = [ "rt" ]
98 }
100 if (compile_suid_client) {
101 sources += [
102 "suid/client/setuid_sandbox_client_unittest.cc",
103 "suid/client/setuid_sandbox_host_unittest.cc",
104 ]
105 }
106 if (use_seccomp_bpf) {
107 sources += [
108 "bpf_dsl/bpf_dsl_unittest.cc",
109 "bpf_dsl/codegen_unittest.cc",
110 "bpf_dsl/cons_unittest.cc",
111 "bpf_dsl/syscall_set_unittest.cc",
112 "integration_tests/bpf_dsl_seccomp_unittest.cc",
113 "integration_tests/seccomp_broker_process_unittest.cc",
114 "seccomp-bpf-helpers/baseline_policy_unittest.cc",
115 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
116 "seccomp-bpf/bpf_tests_unittest.cc",
117 "seccomp-bpf/errorcode_unittest.cc",
118 "seccomp-bpf/sandbox_bpf_unittest.cc",
119 "seccomp-bpf/syscall_unittest.cc",
120 "seccomp-bpf/trap_unittest.cc",
121 ]
122 }
123 if (compile_credentials) {
124 sources += [
125 "integration_tests/namespace_unix_domain_socket_unittest.cc",
126 "services/credentials_unittest.cc",
127 "services/namespace_sandbox_unittest.cc",
128 "services/namespace_utils_unittest.cc",
129 ]
131 # For credentials_unittest.cc
132 configs += [ "//build/config/linux:libcap" ]
133 }
134 }
136 # The main sandboxing test target.
137 test("sandbox_linux_unittests") {
138 deps = [
139 ":sandbox_linux_unittests_sources",
140 ]
141 }
143 # This target is the shared library used by Android APK (i.e.
144 # JNI-friendly) tests.
145 shared_library("sandbox_linux_jni_unittests") {
146 testonly = true
147 deps = [
148 ":sandbox_linux_unittests_sources",
149 ]
150 if (is_android) {
151 deps += [ "//testing/android/native_test:native_test_native_code" ]
152 }
153 }
155 component("seccomp_bpf") {
156 sources = [
157 "bpf_dsl/bpf_dsl.cc",
158 "bpf_dsl/bpf_dsl.h",
159 "bpf_dsl/bpf_dsl_forward.h",
160 "bpf_dsl/bpf_dsl_impl.h",
161 "bpf_dsl/codegen.cc",
162 "bpf_dsl/codegen.h",
163 "bpf_dsl/cons.h",
164 "bpf_dsl/dump_bpf.cc",
165 "bpf_dsl/dump_bpf.h",
166 "bpf_dsl/linux_syscall_ranges.h",
167 "bpf_dsl/policy.cc",
168 "bpf_dsl/policy.h",
169 "bpf_dsl/policy_compiler.cc",
170 "bpf_dsl/policy_compiler.h",
171 "bpf_dsl/seccomp_macros.h",
172 "bpf_dsl/syscall_set.cc",
173 "bpf_dsl/syscall_set.h",
174 "bpf_dsl/trap_registry.h",
175 "bpf_dsl/verifier.cc",
176 "bpf_dsl/verifier.h",
177 "seccomp-bpf/die.cc",
178 "seccomp-bpf/die.h",
179 "seccomp-bpf/errorcode.cc",
180 "seccomp-bpf/errorcode.h",
181 "seccomp-bpf/sandbox_bpf.cc",
182 "seccomp-bpf/sandbox_bpf.h",
183 "seccomp-bpf/syscall.cc",
184 "seccomp-bpf/syscall.h",
185 "seccomp-bpf/trap.cc",
186 "seccomp-bpf/trap.h",
187 ]
188 defines = [ "SANDBOX_IMPLEMENTATION" ]
190 deps = [
191 ":sandbox_services",
192 ":sandbox_services_headers",
193 "//base",
194 ]
195 }
197 component("seccomp_bpf_helpers") {
198 sources = [
199 "seccomp-bpf-helpers/baseline_policy.cc",
200 "seccomp-bpf-helpers/baseline_policy.h",
201 "seccomp-bpf-helpers/sigsys_handlers.cc",
202 "seccomp-bpf-helpers/sigsys_handlers.h",
203 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
204 "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
205 "seccomp-bpf-helpers/syscall_sets.cc",
206 "seccomp-bpf-helpers/syscall_sets.h",
207 ]
208 defines = [ "SANDBOX_IMPLEMENTATION" ]
210 deps = [
211 "//base",
212 ":sandbox_services",
213 ":seccomp_bpf",
214 ]
215 }
217 if (is_linux) {
218 # The setuid sandbox for Linux.
219 executable("chrome_sandbox") {
220 sources = [
221 "suid/common/sandbox.h",
222 "suid/common/suid_unsafe_environment_variables.h",
223 "suid/process_util.h",
224 "suid/process_util_linux.c",
225 "suid/sandbox.c",
226 ]
228 cflags = [
229 # For ULLONG_MAX
230 "-std=gnu99",
232 # These files have a suspicious comparison.
233 # TODO fix this and re-enable this warning.
234 "-Wno-sign-compare",
235 ]
236 }
237 }
239 component("sandbox_services") {
240 sources = [
241 "services/init_process_reaper.cc",
242 "services/init_process_reaper.h",
243 "services/proc_util.cc",
244 "services/proc_util.h",
245 "services/resource_limits.cc",
246 "services/resource_limits.h",
247 "services/scoped_process.cc",
248 "services/scoped_process.h",
249 "services/syscall_wrappers.cc",
250 "services/syscall_wrappers.h",
251 "services/thread_helpers.cc",
252 "services/thread_helpers.h",
253 "services/yama.cc",
254 "services/yama.h",
255 "syscall_broker/broker_channel.cc",
256 "syscall_broker/broker_channel.h",
257 "syscall_broker/broker_client.cc",
258 "syscall_broker/broker_client.h",
259 "syscall_broker/broker_common.h",
260 "syscall_broker/broker_file_permission.cc",
261 "syscall_broker/broker_file_permission.h",
262 "syscall_broker/broker_host.cc",
263 "syscall_broker/broker_host.h",
264 "syscall_broker/broker_policy.cc",
265 "syscall_broker/broker_policy.h",
266 "syscall_broker/broker_process.cc",
267 "syscall_broker/broker_process.h",
268 ]
270 defines = [ "SANDBOX_IMPLEMENTATION" ]
272 deps = [
273 "//base",
274 ]
276 if (compile_credentials) {
277 sources += [
278 "services/credentials.cc",
279 "services/credentials.h",
280 "services/namespace_sandbox.cc",
281 "services/namespace_sandbox.h",
282 "services/namespace_utils.cc",
283 "services/namespace_utils.h",
284 ]
286 deps += [ ":sandbox_services_headers" ]
287 }
288 }
290 source_set("sandbox_services_headers") {
291 sources = [
292 "system_headers/arm64_linux_syscalls.h",
293 "system_headers/arm64_linux_ucontext.h",
294 "system_headers/arm_linux_syscalls.h",
295 "system_headers/arm_linux_ucontext.h",
296 "system_headers/i386_linux_ucontext.h",
297 "system_headers/linux_futex.h",
298 "system_headers/linux_seccomp.h",
299 "system_headers/linux_signal.h",
300 "system_headers/linux_syscalls.h",
301 "system_headers/linux_ucontext.h",
302 "system_headers/x86_32_linux_syscalls.h",
303 "system_headers/x86_64_linux_syscalls.h",
304 ]
305 }
307 # We make this its own target so that it does not interfere with our tests.
308 source_set("libc_urandom_override") {
309 sources = [
310 "services/libc_urandom_override.cc",
311 "services/libc_urandom_override.h",
312 ]
313 deps = [
314 "//base",
315 ]
316 }
318 if (compile_suid_client) {
319 component("suid_sandbox_client") {
320 sources = [
321 "suid/client/setuid_sandbox_client.cc",
322 "suid/client/setuid_sandbox_client.h",
323 "suid/client/setuid_sandbox_host.cc",
324 "suid/client/setuid_sandbox_host.h",
325 "suid/common/sandbox.h",
326 "suid/common/suid_unsafe_environment_variables.h",
327 ]
328 defines = [ "SANDBOX_IMPLEMENTATION" ]
330 deps = [
331 ":sandbox_services",
332 "//base",
333 ]
334 }
335 }
337 if (is_android) {
338 # TODO(GYP) enable this. Needs an android_strip wrapper python script.
339 #action("sandbox_linux_unittests_stripped") {
340 # script = "android_stip.py"
341 #
342 # in_file = "$root_out_dir/sandbox_linux_unittests"
343 #
344 # out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
345 # outputs = [ out_file ]
346 #
347 # args = [
348 # rebase_path(in_file, root_build_dir),
349 # "-o", rebase_path(out_file, root_build_dir),
350 # ]
351 #
352 # deps = [
353 # ":sandbox_linux_unittests",
354 # ]
355 #}
356 # TODO(GYP) convert this.
357 # {
358 # 'target_name': 'sandbox_linux_jni_unittests_apk',
359 # 'type': 'none',
360 # 'variables': {
361 # 'test_suite_name': 'sandbox_linux_jni_unittests',
362 # },
363 # 'dependencies': [
364 # 'sandbox_linux_jni_unittests',
365 # ],
366 # 'includes': [ '../../build/apk_test.gypi' ],
367 # }
368 }