# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/features.gni")

# Build-time switches for the Linux sandbox targets defined in this file.
declare_args() {
  # Gates the ":suid_sandbox_client" component and its unit test.
  compile_suid_client = is_linux

  # Gates services/credentials.* (and the libcap config) in
  # ":sandbox_services", plus the credentials and unix_domain_socket tests.
  compile_credentials = is_linux

  # Defaults to true only on Linux x86/x64.
  # NOTE(review): no target visible in this file reads this arg -- confirm it
  # is still needed, or wire it to the target it was meant to gate.
  compile_seccomp_bpf_demo =
      (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}

# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.

# Aggregate target. ":sandbox_services" is always included; the setuid client
# and the seccomp-bpf components are added only when their switches are on.
# NOTE(review): use_seccomp_bpf is not declared in this file (presumably it
# comes from features.gni). When it is false, everything that depends on
# ":sandbox" is built without any seccomp-bpf code, so release configurations
# should check the value they actually end up with.
group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}

# Shared helpers for the sandbox unit tests.
source_set("sandbox_linux_test_utils") {
  # GN only allows other testonly targets to depend on a testonly target,
  # which keeps these helpers out of production binaries.
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # The BPF test harness is only compiled when seccomp-bpf itself is built.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [
      ":seccomp_bpf",
    ]
  }
}

# The main sandboxing test target.
# Unit tests for every sandbox layer defined in this file. Each layer's tests
# are added under the same switch that builds the layer, so a configuration
# that disables a layer also runs no tests for it.
test("sandbox_linux_unittests") {
  sources = [
    "services/broker_process_unittest.cc",
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  if (is_linux) {
    # Don't use this on Android.
    libs = [ "rt" ]
  }

  # Setuid sandbox client tests.
  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
    ]
  }
  # seccomp-bpf tests: policy DSL, code generator, baseline policy and
  # syscall parameter restrictions.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_more_unittest.cc",
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }
  # Credential handling tests.
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}

# TODO(GYP) Android version of this test.
#    {
#      # This target is the shared library used by Android APK (i.e.
#      # JNI-friendly) tests.
#      "target_name": "sandbox_linux_jni_unittests",
#      "includes": [
#        "sandbox_linux_test_sources.gypi",
#      ],
#      "type": "shared_library",
#      "conditions": [
#        [ "OS == "android"", {
#          "dependencies": [
#            "../testing/android/native_test.gyp:native_test_native_code",
#          ],
#        }],
#      ],
#    },

# The seccomp-bpf layer: the policy DSL (bpf_dsl/) and the filter code
# generator, verifier, trap handling and syscall helpers (seccomp-bpf/).
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/cons.h",
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/sandbox_bpf_policy.cc",
    "seccomp-bpf/sandbox_bpf_policy.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]
  # Presumably marks these sources as the implementation side of the
  # component's export macros -- confirm against the export header.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}

# Policies and helpers built on top of ":seccomp_bpf": the baseline policy,
# SIGSYS handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}

if (is_linux) {
  # The setuid sandbox for Linux.
  #
  # This target lists no deps; only the C sources below are compiled into it.
  # NOTE(review): the binary is meant to run setuid, so its build flags matter
  # more than for an ordinary executable. No hardening flags (PIE, stack
  # protector, RELRO) are set here -- confirm the default configs applied to
  # executable() provide them for this target.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",
      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): signed/unsigned comparisons can hide faulty length or
      # bounds checks; in privileged code this TODO deserves priority over
      # keeping the warning suppressed.
      "-Wno-sign-compare",
    ]
  }
}

# Process-level sandbox services: broker process, init process reaper, scoped
# process, thread helpers and Yama support, plus credentials handling when
# compile_credentials is set.
component("sandbox_services") {
  sources = [
    "services/broker_process.cc",
    "services/broker_process.h",
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]
    # Pulls in libcap together with the credentials sources above.
    # NOTE(review): the original comment read "For capabilities.cc.", but no
    # such file is listed in this target -- confirm which source needs libcap.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [
    "//base",
  ]
}

# Header-only set of per-architecture syscall number tables and Android
# ucontext/futex compatibility headers; ":seccomp_bpf" depends on it.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_arm64_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/arm64_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}

# We make this its own target so that it does not interfere with our tests.
# Not a dependency of any other target visible in this file; consumers must
# opt in explicitly.
# NOTE(review): judging by the name, this replaces libc's access to urandom
# for sandboxed processes -- confirm against the sources before relying on it.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}

if (compile_suid_client) {
  # Client side of the setuid sandbox. It shares the suid/common/ headers
  # (including the list of unsafe environment variables) with the
  # "chrome_sandbox" executable, so both sides are built from one definition.
  component("suid_sandbox_client") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]
  }
}

# Everything inside this block is commented out, so it currently defines no
# targets on Android.
if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  # NOTE(review): "android_stip.py" below looks like a typo for
  # android_strip.py; correct it when this action is enabled.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}

  # TODO(GYP) convert this.
  #    {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #    }
}