1 # Copyright 2014 The Chromium Authors. All rights reserved. 2 # Use of this source code is governed by a BSD-style license that can be 3 # found in the LICENSE file. 4 5 import("//build/config/features.gni") 6 import("//build/config/nacl/config.gni") 7 import("//testing/test.gni") 8 9 if (is_android) { 10 import("//build/config/android/rules.gni") 11 } 12 13 declare_args() { 14 compile_suid_client = is_linux 15 16 compile_credentials = is_linux 17 18 # On Android, use plain GTest. 19 use_base_test_suite = is_linux 20 } 21 22 if (is_nacl_nonsfi) { 23 config("nacl_nonsfi_warnings") { 24 # There are number of platform specific functions in 25 # seccomp-bpf syscall helpers, which are not being used. 26 cflags = [ "-Wno-unused-function" ] 27 } 28 } 29 30 # We have two principal targets: sandbox and sandbox_linux_unittests 31 # All other targets are listed as dependencies. 32 # There is one notable exception: for historical reasons, chrome_sandbox is 33 # the setuid sandbox and is its own target. 34 35 group("sandbox") { 36 public_deps = [ 37 ":sandbox_services", 38 ] 39 40 if (compile_suid_client || is_nacl_nonsfi) { 41 public_deps += [ ":suid_sandbox_client" ] 42 } 43 if (use_seccomp_bpf || is_nacl_nonsfi) { 44 public_deps += [ 45 ":seccomp_bpf", 46 ":seccomp_bpf_helpers", 47 ] 48 } 49 } 50 51 source_set("sandbox_linux_test_utils") { 52 testonly = true 53 sources = [ 54 "tests/sandbox_test_runner.cc", 55 "tests/sandbox_test_runner.h", 56 "tests/sandbox_test_runner_function_pointer.cc", 57 "tests/sandbox_test_runner_function_pointer.h", 58 "tests/unit_tests.cc", 59 "tests/unit_tests.h", 60 ] 61 62 deps = [ 63 "//testing/gtest", 64 ] 65 66 if (!is_nacl_nonsfi) { 67 sources += [ 68 "tests/test_utils.cc", 69 "tests/test_utils.h", 70 ] 71 } 72 73 if (use_seccomp_bpf || is_nacl_nonsfi) { 74 sources += [ 75 "seccomp-bpf/bpf_tester_compatibility_delegate.h", 76 "seccomp-bpf/bpf_tests.h", 77 "seccomp-bpf/sandbox_bpf_test_runner.cc", 78 "seccomp-bpf/sandbox_bpf_test_runner.h", 79 ] 80 deps += [ ":seccomp_bpf" ] 81 } 82 83 if (use_base_test_suite) { 84 deps += [ "//base/test:test_support" ] 85 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ] 86 } 87 } 88 89 # Sources for sandbox_linux_unittests. 90 source_set("sandbox_linux_unittests_sources") { 91 testonly = true 92 93 sources = [ 94 "services/proc_util_unittest.cc", 95 "services/resource_limits_unittests.cc", 96 "services/scoped_process_unittest.cc", 97 "services/syscall_wrappers_unittest.cc", 98 "services/thread_helpers_unittests.cc", 99 "services/yama_unittests.cc", 100 "syscall_broker/broker_file_permission_unittest.cc", 101 "syscall_broker/broker_process_unittest.cc", 102 "tests/main.cc", 103 "tests/scoped_temporary_file.cc", 104 "tests/scoped_temporary_file.h", 105 "tests/scoped_temporary_file_unittest.cc", 106 "tests/test_utils_unittest.cc", 107 "tests/unit_tests_unittest.cc", 108 ] 109 110 deps = [ 111 ":sandbox", 112 ":sandbox_linux_test_utils", 113 "//base", 114 "//testing/gtest", 115 ] 116 117 if (use_base_test_suite) { 118 deps += [ "//base/test:test_support" ] 119 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ] 120 } 121 122 if (compile_suid_client) { 123 sources += [ 124 "suid/client/setuid_sandbox_client_unittest.cc", 125 "suid/client/setuid_sandbox_host_unittest.cc", 126 ] 127 } 128 if (use_seccomp_bpf) { 129 sources += [ 130 "bpf_dsl/bpf_dsl_unittest.cc", 131 "bpf_dsl/codegen_unittest.cc", 132 "bpf_dsl/cons_unittest.cc", 133 "bpf_dsl/dump_bpf.cc", 134 "bpf_dsl/dump_bpf.h", 135 "bpf_dsl/syscall_set_unittest.cc", 136 "bpf_dsl/test_trap_registry.cc", 137 "bpf_dsl/test_trap_registry.h", 138 "bpf_dsl/test_trap_registry_unittest.cc", 139 "bpf_dsl/verifier.cc", 140 "bpf_dsl/verifier.h", 141 "integration_tests/bpf_dsl_seccomp_unittest.cc", 142 "integration_tests/seccomp_broker_process_unittest.cc", 143 "seccomp-bpf-helpers/baseline_policy_unittest.cc", 144 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc", 145 "seccomp-bpf/bpf_tests_unittest.cc", 146 "seccomp-bpf/sandbox_bpf_unittest.cc", 147 "seccomp-bpf/syscall_unittest.cc", 148 "seccomp-bpf/trap_unittest.cc", 149 ] 150 deps += [ ":bpf_dsl_golden" ] 151 } 152 if (compile_credentials) { 153 sources += [ 154 "integration_tests/namespace_unix_domain_socket_unittest.cc", 155 "services/credentials_unittest.cc", 156 "services/namespace_utils_unittest.cc", 157 ] 158 159 if (use_base_test_suite) { 160 # Tests that use advanced features not available in stock GTest. 161 sources += [ "services/namespace_sandbox_unittest.cc" ] 162 } 163 164 # For credentials_unittest.cc 165 configs += [ "//build/config/linux:libcap" ] 166 } 167 } 168 169 action("bpf_dsl_golden") { 170 script = "bpf_dsl/golden/generate.py" 171 inputs = [ 172 "bpf_dsl/golden/i386/ArgSizePolicy.txt", 173 "bpf_dsl/golden/i386/BasicPolicy.txt", 174 "bpf_dsl/golden/i386/ElseIfPolicy.txt", 175 "bpf_dsl/golden/i386/MaskingPolicy.txt", 176 "bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt", 177 "bpf_dsl/golden/i386/NegativeConstantsPolicy.txt", 178 "bpf_dsl/golden/i386/SwitchPolicy.txt", 179 "bpf_dsl/golden/x86-64/ArgSizePolicy.txt", 180 "bpf_dsl/golden/x86-64/BasicPolicy.txt", 181 "bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt", 182 "bpf_dsl/golden/x86-64/ElseIfPolicy.txt", 183 "bpf_dsl/golden/x86-64/MaskingPolicy.txt", 184 "bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt", 185 "bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt", 186 "bpf_dsl/golden/x86-64/SwitchPolicy.txt", 187 ] 188 outputs = [ 189 "$target_gen_dir/bpf_dsl/golden/golden_files.h", 190 ] 191 args = 192 rebase_path(outputs, root_build_dir) + rebase_path(inputs, root_build_dir) 193 } 194 195 # TODO(GYP): Delete this after we've converted everything to GN. 196 # The _run targets exist only for compatibility w/ GYP. 197 group("sandbox_linux_unittests_run") { 198 testonly = true 199 deps = [ 200 ":sandbox_linux_unittests", 201 ] 202 } 203 204 # The main sandboxing test target. "sandbox_linux_unittests" cannot use the 205 # test() template because the test is run as an executable not as an APK on 206 # Android. 207 executable("sandbox_linux_unittests") { 208 testonly = true 209 deps = [ 210 ":sandbox_linux_unittests_sources", 211 "//build/config/sanitizers:deps", 212 ] 213 } 214 215 component("seccomp_bpf") { 216 sources = [ 217 "bpf_dsl/bpf_dsl.cc", 218 "bpf_dsl/bpf_dsl.h", 219 "bpf_dsl/bpf_dsl_forward.h", 220 "bpf_dsl/bpf_dsl_impl.h", 221 "bpf_dsl/codegen.cc", 222 "bpf_dsl/codegen.h", 223 "bpf_dsl/cons.h", 224 "bpf_dsl/errorcode.h", 225 "bpf_dsl/linux_syscall_ranges.h", 226 "bpf_dsl/policy.cc", 227 "bpf_dsl/policy.h", 228 "bpf_dsl/policy_compiler.cc", 229 "bpf_dsl/policy_compiler.h", 230 "bpf_dsl/seccomp_macros.h", 231 "bpf_dsl/syscall_set.cc", 232 "bpf_dsl/syscall_set.h", 233 "bpf_dsl/trap_registry.h", 234 "seccomp-bpf/die.cc", 235 "seccomp-bpf/die.h", 236 "seccomp-bpf/sandbox_bpf.cc", 237 "seccomp-bpf/sandbox_bpf.h", 238 "seccomp-bpf/syscall.cc", 239 "seccomp-bpf/syscall.h", 240 "seccomp-bpf/trap.cc", 241 "seccomp-bpf/trap.h", 242 ] 243 defines = [ "SANDBOX_IMPLEMENTATION" ] 244 245 deps = [ 246 ":sandbox_services", 247 ":sandbox_services_headers", 248 "//base", 249 ] 250 251 if (is_nacl_nonsfi) { 252 cflags = [ "-fgnu-inline-asm" ] 253 sources -= [ 254 "bpf_dsl/bpf_dsl_forward.h", 255 "bpf_dsl/bpf_dsl_impl.h", 256 "bpf_dsl/cons.h", 257 "bpf_dsl/errorcode.h", 258 "bpf_dsl/linux_syscall_ranges.h", 259 "bpf_dsl/seccomp_macros.h", 260 "bpf_dsl/trap_registry.h", 261 ] 262 } 263 } 264 265 component("seccomp_bpf_helpers") { 266 sources = [ 267 "seccomp-bpf-helpers/baseline_policy.cc", 268 "seccomp-bpf-helpers/baseline_policy.h", 269 "seccomp-bpf-helpers/sigsys_handlers.cc", 270 "seccomp-bpf-helpers/sigsys_handlers.h", 271 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc", 272 "seccomp-bpf-helpers/syscall_parameters_restrictions.h", 273 "seccomp-bpf-helpers/syscall_sets.cc", 274 "seccomp-bpf-helpers/syscall_sets.h", 275 ] 276 defines = [ "SANDBOX_IMPLEMENTATION" ] 277 278 deps = [ 279 ":sandbox_services", 280 ":seccomp_bpf", 281 "//base", 282 ] 283 284 if (is_nacl_nonsfi) { 285 sources -= [ 286 "seccomp-bpf-helpers/baseline_policy.cc", 287 "seccomp-bpf-helpers/baseline_policy.h", 288 "seccomp-bpf-helpers/syscall_sets.cc", 289 "seccomp-bpf-helpers/syscall_sets.h", 290 ] 291 configs += [ ":nacl_nonsfi_warnings" ] 292 } 293 } 294 295 if (is_linux) { 296 # The setuid sandbox for Linux. 297 executable("chrome_sandbox") { 298 sources = [ 299 "suid/common/sandbox.h", 300 "suid/common/suid_unsafe_environment_variables.h", 301 "suid/process_util.h", 302 "suid/process_util_linux.c", 303 "suid/sandbox.c", 304 ] 305 306 cflags = [ 307 # For ULLONG_MAX 308 "-std=gnu99", 309 310 # These files have a suspicious comparison. 311 # TODO fix this and re-enable this warning. 312 "-Wno-sign-compare", 313 ] 314 315 deps = [ 316 "//build/config/sanitizers:deps", 317 ] 318 } 319 } 320 321 component("sandbox_services") { 322 sources = [ 323 "services/init_process_reaper.cc", 324 "services/init_process_reaper.h", 325 "services/proc_util.cc", 326 "services/proc_util.h", 327 "services/resource_limits.cc", 328 "services/resource_limits.h", 329 "services/scoped_process.cc", 330 "services/scoped_process.h", 331 "services/syscall_wrappers.cc", 332 "services/syscall_wrappers.h", 333 "services/thread_helpers.cc", 334 "services/thread_helpers.h", 335 "services/yama.cc", 336 "services/yama.h", 337 "syscall_broker/broker_channel.cc", 338 "syscall_broker/broker_channel.h", 339 "syscall_broker/broker_client.cc", 340 "syscall_broker/broker_client.h", 341 "syscall_broker/broker_common.h", 342 "syscall_broker/broker_file_permission.cc", 343 "syscall_broker/broker_file_permission.h", 344 "syscall_broker/broker_host.cc", 345 "syscall_broker/broker_host.h", 346 "syscall_broker/broker_policy.cc", 347 "syscall_broker/broker_policy.h", 348 "syscall_broker/broker_process.cc", 349 "syscall_broker/broker_process.h", 350 ] 351 352 defines = [ "SANDBOX_IMPLEMENTATION" ] 353 354 deps = [ 355 "//base", 356 ] 357 358 if (compile_credentials || is_nacl_nonsfi) { 359 sources += [ 360 "services/credentials.cc", 361 "services/credentials.h", 362 "services/namespace_sandbox.cc", 363 "services/namespace_sandbox.h", 364 "services/namespace_utils.cc", 365 "services/namespace_utils.h", 366 ] 367 368 deps += [ ":sandbox_services_headers" ] 369 } 370 371 if (is_nacl_nonsfi) { 372 cflags = [ "-fgnu-inline-asm" ] 373 374 sources -= [ 375 "services/init_process_reaper.cc", 376 "services/init_process_reaper.h", 377 "services/scoped_process.cc", 378 "services/scoped_process.h", 379 "services/yama.cc", 380 "services/yama.h", 381 "syscall_broker/broker_channel.cc", 382 "syscall_broker/broker_channel.h", 383 "syscall_broker/broker_client.cc", 384 "syscall_broker/broker_client.h", 385 "syscall_broker/broker_common.h", 386 "syscall_broker/broker_file_permission.cc", 387 "syscall_broker/broker_file_permission.h", 388 "syscall_broker/broker_host.cc", 389 "syscall_broker/broker_host.h", 390 "syscall_broker/broker_policy.cc", 391 "syscall_broker/broker_policy.h", 392 "syscall_broker/broker_process.cc", 393 "syscall_broker/broker_process.h", 394 ] 395 } 396 } 397 398 source_set("sandbox_services_headers") { 399 sources = [ 400 "system_headers/arm64_linux_syscalls.h", 401 "system_headers/arm64_linux_ucontext.h", 402 "system_headers/arm_linux_syscalls.h", 403 "system_headers/arm_linux_ucontext.h", 404 "system_headers/i386_linux_ucontext.h", 405 "system_headers/linux_futex.h", 406 "system_headers/linux_seccomp.h", 407 "system_headers/linux_signal.h", 408 "system_headers/linux_syscalls.h", 409 "system_headers/linux_time.h", 410 "system_headers/linux_ucontext.h", 411 "system_headers/x86_32_linux_syscalls.h", 412 "system_headers/x86_64_linux_syscalls.h", 413 ] 414 } 415 416 if (compile_suid_client || is_nacl_nonsfi) { 417 component("suid_sandbox_client") { 418 sources = [ 419 "suid/client/setuid_sandbox_client.cc", 420 "suid/client/setuid_sandbox_client.h", 421 "suid/client/setuid_sandbox_host.cc", 422 "suid/client/setuid_sandbox_host.h", 423 "suid/common/sandbox.h", 424 "suid/common/suid_unsafe_environment_variables.h", 425 ] 426 defines = [ "SANDBOX_IMPLEMENTATION" ] 427 428 deps = [ 429 ":sandbox_services", 430 "//base", 431 ] 432 433 if (is_nacl_nonsfi) { 434 sources -= [ 435 "suid/client/setuid_sandbox_host.cc", 436 "suid/client/setuid_sandbox_host.h", 437 "suid/common/sandbox.h", 438 "suid/common/suid_unsafe_environment_variables.h", 439 ] 440 } 441 } 442 } 443 444 if (is_android) { 445 create_native_executable_dist("sandbox_linux_unittests_deps") { 446 testonly = true 447 dist_dir = "$root_out_dir/sandbox_linux_unittests_deps" 448 binary = "$root_out_dir/sandbox_linux_unittests" 449 deps = [ 450 ":sandbox_linux_unittests", 451 ] 452 453 if (is_component_build) { 454 deps += [ "//build/android:cpplib_stripped" ] 455 } 456 } 457 458 test_runner_script("sandbox_linux_unittests__test_runner_script") { 459 test_name = "sandbox_linux_unittests" 460 test_type = "gtest" 461 test_suite = "sandbox_linux_unittests" 462 isolate_file = "//sandbox/sandbox_linux_unittests_android.isolate" 463 } 464 } 465
