1 # Copyright 2014 The Chromium Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 import("//build/config/features.gni")
6 import("//testing/test.gni")
9 compile_suid_client = is_linux
11 compile_credentials = is_linux
13 compile_seccomp_bpf_demo =
14 is_linux && (current_cpu == "x86" || current_cpu == "x64")
17 # We have two principal targets: sandbox and sandbox_linux_unittests
18 # All other targets are listed as dependencies.
19 # There is one notable exception: for historical reasons, chrome_sandbox is
20 # the setuid sandbox and is its own target.
27 if (compile_suid_client) {
28 deps += [ ":suid_sandbox_client" ]
30 if (use_seccomp_bpf) {
33 ":seccomp_bpf_helpers",
38 source_set("sandbox_linux_test_utils") {
41 "tests/sandbox_test_runner.cc",
42 "tests/sandbox_test_runner.h",
43 "tests/sandbox_test_runner_function_pointer.cc",
44 "tests/sandbox_test_runner_function_pointer.h",
45 "tests/test_utils.cc",
47 "tests/unit_tests.cc",
55 if (use_seccomp_bpf) {
57 "seccomp-bpf/bpf_tester_compatibility_delegate.h",
58 "seccomp-bpf/bpf_tests.h",
59 "seccomp-bpf/sandbox_bpf_test_runner.cc",
60 "seccomp-bpf/sandbox_bpf_test_runner.h",
62 deps += [ ":seccomp_bpf" ]
66 # Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
67 source_set("sandbox_linux_unittests_sources") {
71 "services/proc_util_unittest.cc",
72 "services/resource_limits_unittests.cc",
73 "services/scoped_process_unittest.cc",
74 "services/syscall_wrappers_unittest.cc",
75 "services/thread_helpers_unittests.cc",
76 "services/yama_unittests.cc",
77 "syscall_broker/broker_file_permission_unittest.cc",
78 "syscall_broker/broker_process_unittest.cc",
80 "tests/scoped_temporary_file.cc",
81 "tests/scoped_temporary_file.h",
82 "tests/scoped_temporary_file_unittest.cc",
83 "tests/test_utils_unittest.cc",
84 "tests/unit_tests_unittest.cc",
89 ":sandbox_linux_test_utils",
91 "//base/test:test_support",
96 # Don't use this on Android.
100 if (compile_suid_client) {
102 "suid/client/setuid_sandbox_client_unittest.cc",
103 "suid/client/setuid_sandbox_host_unittest.cc",
106 if (use_seccomp_bpf) {
108 "bpf_dsl/bpf_dsl_unittest.cc",
109 "bpf_dsl/codegen_unittest.cc",
110 "bpf_dsl/cons_unittest.cc",
111 "bpf_dsl/syscall_set_unittest.cc",
112 "integration_tests/bpf_dsl_seccomp_unittest.cc",
113 "integration_tests/seccomp_broker_process_unittest.cc",
114 "seccomp-bpf-helpers/baseline_policy_unittest.cc",
115 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
116 "seccomp-bpf/bpf_tests_unittest.cc",
117 "seccomp-bpf/errorcode_unittest.cc",
118 "seccomp-bpf/sandbox_bpf_unittest.cc",
119 "seccomp-bpf/syscall_unittest.cc",
120 "seccomp-bpf/trap_unittest.cc",
123 if (compile_credentials) {
125 "integration_tests/namespace_unix_domain_socket_unittest.cc",
126 "services/credentials_unittest.cc",
127 "services/namespace_sandbox_unittest.cc",
128 "services/namespace_utils_unittest.cc",
131 # For credentials_unittest.cc
132 configs += [ "//build/config/linux:libcap" ]
136 # The main sandboxing test target.
137 test("sandbox_linux_unittests") {
139 ":sandbox_linux_unittests_sources",
143 # This target is the shared library used by Android APK (i.e.
144 # JNI-friendly) tests.
145 shared_library("sandbox_linux_jni_unittests") {
148 ":sandbox_linux_unittests_sources",
151 deps += [ "//testing/android/native_test:native_test_native_code" ]
155 component("seccomp_bpf") {
157 "bpf_dsl/bpf_dsl.cc",
159 "bpf_dsl/bpf_dsl_forward.h",
160 "bpf_dsl/bpf_dsl_impl.h",
161 "bpf_dsl/codegen.cc",
164 "bpf_dsl/dump_bpf.cc",
165 "bpf_dsl/dump_bpf.h",
166 "bpf_dsl/linux_syscall_ranges.h",
169 "bpf_dsl/policy_compiler.cc",
170 "bpf_dsl/policy_compiler.h",
171 "bpf_dsl/seccomp_macros.h",
172 "bpf_dsl/syscall_set.cc",
173 "bpf_dsl/syscall_set.h",
174 "bpf_dsl/trap_registry.h",
175 "bpf_dsl/verifier.cc",
176 "bpf_dsl/verifier.h",
177 "seccomp-bpf/die.cc",
179 "seccomp-bpf/errorcode.cc",
180 "seccomp-bpf/errorcode.h",
181 "seccomp-bpf/sandbox_bpf.cc",
182 "seccomp-bpf/sandbox_bpf.h",
183 "seccomp-bpf/syscall.cc",
184 "seccomp-bpf/syscall.h",
185 "seccomp-bpf/trap.cc",
186 "seccomp-bpf/trap.h",
188 defines = [ "SANDBOX_IMPLEMENTATION" ]
192 ":sandbox_services_headers",
197 component("seccomp_bpf_helpers") {
199 "seccomp-bpf-helpers/baseline_policy.cc",
200 "seccomp-bpf-helpers/baseline_policy.h",
201 "seccomp-bpf-helpers/sigsys_handlers.cc",
202 "seccomp-bpf-helpers/sigsys_handlers.h",
203 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
204 "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
205 "seccomp-bpf-helpers/syscall_sets.cc",
206 "seccomp-bpf-helpers/syscall_sets.h",
208 defines = [ "SANDBOX_IMPLEMENTATION" ]
218 # The setuid sandbox for Linux.
219 executable("chrome_sandbox") {
221 "suid/common/sandbox.h",
222 "suid/common/suid_unsafe_environment_variables.h",
223 "suid/process_util.h",
224 "suid/process_util_linux.c",
232 # These files have a suspicious comparison.
233 # TODO fix this and re-enable this warning.
239 component("sandbox_services") {
241 "services/init_process_reaper.cc",
242 "services/init_process_reaper.h",
243 "services/proc_util.cc",
244 "services/proc_util.h",
245 "services/resource_limits.cc",
246 "services/resource_limits.h",
247 "services/scoped_process.cc",
248 "services/scoped_process.h",
249 "services/syscall_wrappers.cc",
250 "services/syscall_wrappers.h",
251 "services/thread_helpers.cc",
252 "services/thread_helpers.h",
255 "syscall_broker/broker_channel.cc",
256 "syscall_broker/broker_channel.h",
257 "syscall_broker/broker_client.cc",
258 "syscall_broker/broker_client.h",
259 "syscall_broker/broker_common.h",
260 "syscall_broker/broker_file_permission.cc",
261 "syscall_broker/broker_file_permission.h",
262 "syscall_broker/broker_host.cc",
263 "syscall_broker/broker_host.h",
264 "syscall_broker/broker_policy.cc",
265 "syscall_broker/broker_policy.h",
266 "syscall_broker/broker_process.cc",
267 "syscall_broker/broker_process.h",
270 defines = [ "SANDBOX_IMPLEMENTATION" ]
276 if (compile_credentials) {
278 "services/credentials.cc",
279 "services/credentials.h",
280 "services/namespace_sandbox.cc",
281 "services/namespace_sandbox.h",
282 "services/namespace_utils.cc",
283 "services/namespace_utils.h",
286 deps += [ ":sandbox_services_headers" ]
290 source_set("sandbox_services_headers") {
292 "system_headers/arm64_linux_syscalls.h",
293 "system_headers/arm64_linux_ucontext.h",
294 "system_headers/arm_linux_syscalls.h",
295 "system_headers/arm_linux_ucontext.h",
296 "system_headers/i386_linux_ucontext.h",
297 "system_headers/linux_futex.h",
298 "system_headers/linux_seccomp.h",
299 "system_headers/linux_signal.h",
300 "system_headers/linux_syscalls.h",
301 "system_headers/linux_ucontext.h",
302 "system_headers/x86_32_linux_syscalls.h",
303 "system_headers/x86_64_linux_syscalls.h",
307 # We make this its own target so that it does not interfere with our tests.
308 source_set("libc_urandom_override") {
310 "services/libc_urandom_override.cc",
311 "services/libc_urandom_override.h",
318 if (compile_suid_client) {
319 component("suid_sandbox_client") {
321 "suid/client/setuid_sandbox_client.cc",
322 "suid/client/setuid_sandbox_client.h",
323 "suid/client/setuid_sandbox_host.cc",
324 "suid/client/setuid_sandbox_host.h",
325 "suid/common/sandbox.h",
326 "suid/common/suid_unsafe_environment_variables.h",
328 defines = [ "SANDBOX_IMPLEMENTATION" ]
338 # TODO(GYP) enable this. Needs an android_strip wrapper python script.
339 #action("sandbox_linux_unittests_stripped") {
340 # script = "android_stip.py"
342 # in_file = "$root_out_dir/sandbox_linux_unittests"
344 # out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
345 # outputs = [ out_file ]
348 # rebase_path(in_file, root_build_dir),
349 # "-o", rebase_path(out_file, root_build_dir),
353 # ":sandbox_linux_unittests",
356 # TODO(GYP) convert this.
358 # 'target_name': 'sandbox_linux_jni_unittests_apk',
361 # 'test_suite_name': 'sandbox_linux_jni_unittests',
364 # 'sandbox_linux_jni_unittests',
366 # 'includes': [ '../../build/apk_test.gypi' ],