      1 # Copyright 2014 The Chromium Authors. All rights reserved.
      2 # Use of this source code is governed by a BSD-style license that can be
      3 # found in the LICENSE file.
      4 
      5 import("//build/config/features.gni")
      6 import("//build/config/nacl/config.gni")
      7 import("//testing/test.gni")
      8 
      9 if (is_android) {
     10   import("//build/config/android/rules.gni")
     11 }
     12 
declare_args() {
  # Build the setuid sandbox client (":suid_sandbox_client") and compile its
  # unit tests. Defaults to Linux only. The client target is also built when
  # is_nacl_nonsfi is set, regardless of this flag.
  compile_suid_client = is_linux

  # Compile the credentials / namespace sandbox sources into
  # ":sandbox_services" and add their unit tests (which need libcap).
  # Defaults to Linux only.
  compile_credentials = is_linux

  # Make the test targets depend on //base/test:test_support and define
  # SANDBOX_USES_BASE_TEST_SUITE.
  # On Android, use plain GTest.
  use_base_test_suite = is_linux
}
     21 
if (is_nacl_nonsfi) {
  # Warning suppression for the NaCl non-SFI build. In this file it is only
  # added to ":seccomp_bpf_helpers".
  config("nacl_nonsfi_warnings") {
    # There are a number of platform-specific functions in the
    # seccomp-bpf syscall helpers which are not being used.
    cflags = [ "-Wno-unused-function" ]
  }
}
     29 
     30 # We have two principal targets: sandbox and sandbox_linux_unittests
     31 # All other targets are listed as dependencies.
     32 # There is one notable exception: for historical reasons, chrome_sandbox is
     33 # the setuid sandbox and is its own target.
     34 
# Umbrella target for the Linux sandbox libraries. Dependants always get
# ":sandbox_services"; the setuid client and the seccomp-bpf layers are only
# added when the matching build flags are set.
group("sandbox") {
  public_deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client || is_nacl_nonsfi) {
    public_deps += [ ":suid_sandbox_client" ]
  }

  # use_seccomp_bpf is not declared in this file; presumably it comes from one
  # of the imported .gni files -- confirm. With it off (and outside the NaCl
  # non-SFI build) this group exposes no seccomp-bpf code to dependants.
  if (use_seccomp_bpf || is_nacl_nonsfi) {
    public_deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}
     50 
# Test-only harness shared by the sandbox unit tests: the test runners and the
# unit_tests helpers, plus the BPF test runner when seccomp-bpf is built.
source_set("sandbox_linux_test_utils") {
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # test_utils is left out of the NaCl non-SFI build.
  if (!is_nacl_nonsfi) {
    sources += [
      "tests/test_utils.cc",
      "tests/test_utils.h",
    ]
  }

  # Same condition as the one that adds ":seccomp_bpf" to group("sandbox"),
  # so the BPF test runner is only built when the library itself is.
  if (use_seccomp_bpf || is_nacl_nonsfi) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }

  # See use_base_test_suite in declare_args(): off where plain GTest is used.
  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }
}
     88 
# Sources for sandbox_linux_unittests.
# The unconditional list covers the services, syscall broker and test-helper
# tests; the setuid, seccomp-bpf and credentials tests are added per flag.
source_set("sandbox_linux_unittests_sources") {
  testonly = true

  sources = [
    "services/proc_util_unittest.cc",
    "services/resource_limits_unittests.cc",
    "services/scoped_process_unittest.cc",
    "services/syscall_wrappers_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_file_permission_unittest.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/test_utils_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//testing/gtest",
  ]

  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }

  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
      "suid/client/setuid_sandbox_host_unittest.cc",
    ]
  }

  # NOTE(review): the library targets are enabled by
  # (use_seccomp_bpf || is_nacl_nonsfi), but these tests are gated on
  # use_seccomp_bpf alone, so a build that gets seccomp-bpf only through
  # is_nacl_nonsfi compiles none of the policy, codegen or verifier tests
  # listed here -- confirm that this is intended.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/codegen_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "bpf_dsl/dump_bpf.cc",
      "bpf_dsl/dump_bpf.h",
      "bpf_dsl/syscall_set_unittest.cc",
      "bpf_dsl/test_trap_registry.cc",
      "bpf_dsl/test_trap_registry.h",
      "bpf_dsl/test_trap_registry_unittest.cc",
      "bpf_dsl/verifier.cc",
      "bpf_dsl/verifier.h",
      "integration_tests/bpf_dsl_seccomp_unittest.cc",
      "integration_tests/seccomp_broker_process_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
      "seccomp-bpf/trap_unittest.cc",
    ]

    # Generated header with the golden policy dumps (see ":bpf_dsl_golden").
    deps += [ ":bpf_dsl_golden" ]
  }
  if (compile_credentials) {
    sources += [
      "integration_tests/namespace_unix_domain_socket_unittest.cc",
      "services/credentials_unittest.cc",
      "services/namespace_utils_unittest.cc",
    ]

    if (use_base_test_suite) {
      # Tests that use advanced features not available in stock GTest.
      sources += [ "services/namespace_sandbox_unittest.cc" ]
    }

    # For credentials_unittest.cc
    configs += [ "//build/config/linux:libcap" ]
  }
}
    168 
# Runs bpf_dsl/golden/generate.py over the golden policy dumps to produce
# golden_files.h in the target's gen directory. The only dependant visible in
# this file is the test-only ":sandbox_linux_unittests_sources".
# NOTE(review): this action is not itself marked testonly -- confirm whether
# that is deliberate.
action("bpf_dsl_golden") {
  script = "bpf_dsl/golden/generate.py"

  # NOTE(review): the x86-64 set lists BooleanLogicPolicy.txt but the i386 set
  # does not; every other policy appears for both architectures. Confirm that
  # the i386 golden file is intentionally absent, since a missing input means
  # that policy has no golden comparison on i386.
  inputs = [
    "bpf_dsl/golden/i386/ArgSizePolicy.txt",
    "bpf_dsl/golden/i386/BasicPolicy.txt",
    "bpf_dsl/golden/i386/ElseIfPolicy.txt",
    "bpf_dsl/golden/i386/MaskingPolicy.txt",
    "bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt",
    "bpf_dsl/golden/i386/NegativeConstantsPolicy.txt",
    "bpf_dsl/golden/i386/SwitchPolicy.txt",
    "bpf_dsl/golden/x86-64/ArgSizePolicy.txt",
    "bpf_dsl/golden/x86-64/BasicPolicy.txt",
    "bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt",
    "bpf_dsl/golden/x86-64/ElseIfPolicy.txt",
    "bpf_dsl/golden/x86-64/MaskingPolicy.txt",
    "bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt",
    "bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt",
    "bpf_dsl/golden/x86-64/SwitchPolicy.txt",
  ]
  outputs = [
    "$target_gen_dir/bpf_dsl/golden/golden_files.h",
  ]

  # The script is passed the output path first, followed by every input path,
  # all rebased to be relative to root_build_dir.
  args =
      rebase_path(outputs, root_build_dir) + rebase_path(inputs, root_build_dir)
}
    194 
    195 
# The unit test binary; all test sources come in through
# ":sandbox_linux_unittests_sources".
test("sandbox_linux_unittests") {
  deps = [
    ":sandbox_linux_unittests_sources",
    "//build/config/sanitizers:deps",
  ]
  if (is_android) {
    # Consumed by the test() template from //testing/test.gni; presumably
    # builds a plain executable instead of an APK on Android -- confirm.
    use_raw_android_executable = true
  }
}
    205 
# The seccomp-bpf library: the bpf_dsl sources (policy, policy compiler,
# codegen, syscall sets) and the seccomp-bpf sources (sandbox_bpf, syscall,
# trap, die).
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/codegen.cc",
    "bpf_dsl/codegen.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/errorcode.h",
    "bpf_dsl/linux_syscall_ranges.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/seccomp_macros.h",
    "bpf_dsl/syscall_set.cc",
    "bpf_dsl/syscall_set.h",
    "bpf_dsl/trap_registry.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
  ]

  # Defined by every library component in this file; presumably switches the
  # export annotations to "exporting" for the component build -- confirm.
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # The system headers are a public dependency, so targets that depend on
  # ":seccomp_bpf" can include them as well.
  public_deps = [
    ":sandbox_services_headers",
  ]
  deps = [
    ":sandbox_services",
    "//base",
  ]

  if (is_nacl_nonsfi) {
    # Clang flag that enables GNU-style inline assembly; presumably required
    # by the syscall code under the NaCl toolchain -- confirm.
    cflags = [ "-fgnu-inline-asm" ]

    # Only headers are dropped from the source list here; every .cc file
    # above is still compiled in the non-SFI build.
    sources -= [
      "bpf_dsl/bpf_dsl_forward.h",
      "bpf_dsl/bpf_dsl_impl.h",
      "bpf_dsl/cons.h",
      "bpf_dsl/errorcode.h",
      "bpf_dsl/linux_syscall_ranges.h",
      "bpf_dsl/seccomp_macros.h",
      "bpf_dsl/trap_registry.h",
    ]
  }
}
    257 
# Helpers built on top of ":seccomp_bpf": the baseline policy, SIGSYS
# handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    ":seccomp_bpf",
    "//base",
  ]

  if (is_nacl_nonsfi) {
    # The non-SFI build keeps only sigsys_handlers and
    # syscall_parameters_restrictions.
    # NOTE(review): baseline_policy is not compiled here, so whatever policy
    # the non-SFI build installs must be defined elsewhere -- not visible in
    # this file.
    sources -= [
      "seccomp-bpf-helpers/baseline_policy.cc",
      "seccomp-bpf-helpers/baseline_policy.h",
      "seccomp-bpf-helpers/syscall_sets.cc",
      "seccomp-bpf-helpers/syscall_sets.h",
    ]

    # Adds -Wno-unused-function for the helpers left unused by the removals.
    configs += [ ":nacl_nonsfi_warnings" ]
  }
}
    287 
if (is_linux) {
  # The setuid sandbox for Linux.
  # This is the setuid helper binary (see the note at the top of the file), so
  # the compile and link settings below are security-relevant: anything that
  # changes which libraries or runtimes the binary loads should be reviewed
  # with that in mind.
  executable("chrome_sandbox") {
    # Plain C sources plus the two suid/common headers that
    # ":suid_sandbox_client" also lists.
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): signed/unsigned comparison mistakes in a privileged
      # helper are worth fixing rather than suppressing; keep this TODO
      # tracked.
      "-Wno-sign-compare",
    ]

    # Presumably these provide use_gold and using_sanitizer, which are used
    # just below -- confirm.
    import("//build/config/compiler/compiler.gni")
    import("//build/config/sanitizers/sanitizers.gni")
    if (is_component_build || using_sanitizer) {
      # WARNING! We remove this config so that we don't accidentally
      # pick up the //build/config:rpath_for_built_shared_libraries
      # sub-config. However, this means that we need to duplicate any
      # other flags that executable_config might have.
      # NOTE(review): presumably the concern is that an rpath into the build
      # output directory must not end up in a setuid binary -- confirm. Any
      # flag added to executable_config later has to be mirrored here by hand.
      configs -= [ "//build/config:executable_config" ]
      if (!use_gold) {
        # --disable-new-dtags makes the linker emit DT_RPATH rather than
        # DT_RUNPATH; presumably one of the executable_config flags being
        # duplicated, as described in the warning above -- confirm.
        ldflags = [ "-Wl,--disable-new-dtags" ]
      }
    }

    # We also do not want to pick up any of the other sanitizer
    # flags (i.e. we do not want to build w/ the sanitizers at all).
    # This is safe to delete unconditionally, because it is part of the
    # default configs and empty when not using the sanitizers.
    # Consequence: chrome_sandbox itself gets no sanitizer coverage, even in
    # sanitizer builds.
    configs -= [ "//build/config/sanitizers:default_sanitizer_flags" ]
  }
}
    328 
# Core sandbox services: process and thread helpers, resource limits, syscall
# wrappers, yama, and the syscall broker. The credentials and namespace
# sandbox sources are added per flag below.
component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/proc_util.cc",
    "services/proc_util.h",
    "services/resource_limits.cc",
    "services/resource_limits.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/syscall_wrappers.cc",
    "services/syscall_wrappers.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.cc",
    "services/yama.h",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_file_permission.cc",
    "syscall_broker/broker_file_permission.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # Starts empty so the conditional block below can append to it with "+=".
  public_deps = []
  deps = [
    "//base",
  ]

  if (compile_credentials || is_nacl_nonsfi) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
      "services/namespace_sandbox.cc",
      "services/namespace_sandbox.h",
      "services/namespace_utils.cc",
      "services/namespace_utils.h",
    ]

    # The system headers become a public dependency only in this
    # configuration.
    public_deps += [ ":sandbox_services_headers" ]
  }

  if (is_nacl_nonsfi) {
    # Clang flag that enables GNU-style inline assembly; purpose in this
    # target is not visible here -- confirm.
    cflags = [ "-fgnu-inline-asm" ]

    # The non-SFI build drops the whole syscall broker together with
    # init_process_reaper, scoped_process and yama. What remains is proc_util,
    # resource_limits, syscall_wrappers and thread_helpers, plus the
    # credentials and namespace sources added above.
    sources -= [
      "services/init_process_reaper.cc",
      "services/init_process_reaper.h",
      "services/scoped_process.cc",
      "services/scoped_process.h",
      "services/yama.cc",
      "services/yama.h",
      "syscall_broker/broker_channel.cc",
      "syscall_broker/broker_channel.h",
      "syscall_broker/broker_client.cc",
      "syscall_broker/broker_client.h",
      "syscall_broker/broker_common.h",
      "syscall_broker/broker_file_permission.cc",
      "syscall_broker/broker_file_permission.h",
      "syscall_broker/broker_host.cc",
      "syscall_broker/broker_host.h",
      "syscall_broker/broker_policy.cc",
      "syscall_broker/broker_policy.h",
      "syscall_broker/broker_process.cc",
      "syscall_broker/broker_process.h",
    ]
  }
}
    406 
# Header-only target holding the per-architecture syscall and ucontext headers
# and the Linux futex, seccomp, signal and time headers. It is a public
# dependency of ":seccomp_bpf" and, in the credentials / non-SFI
# configuration, of ":sandbox_services".
source_set("sandbox_services_headers") {
  sources = [
    "system_headers/arm64_linux_syscalls.h",
    "system_headers/arm64_linux_ucontext.h",
    "system_headers/arm_linux_syscalls.h",
    "system_headers/arm_linux_ucontext.h",
    "system_headers/i386_linux_ucontext.h",
    "system_headers/linux_futex.h",
    "system_headers/linux_seccomp.h",
    "system_headers/linux_signal.h",
    "system_headers/linux_syscalls.h",
    "system_headers/linux_time.h",
    "system_headers/linux_ucontext.h",
    "system_headers/x86_32_linux_syscalls.h",
    "system_headers/x86_64_linux_syscalls.h",
  ]
}
    424 
# Same condition as the one that adds this target to group("sandbox").
if (compile_suid_client || is_nacl_nonsfi) {
  # Client and host sides of the setuid sandbox, as used by the code that
  # talks to the chrome_sandbox helper.
  component("suid_sandbox_client") {
    # suid/common/sandbox.h and suid_unsafe_environment_variables.h are also
    # listed by executable("chrome_sandbox"), so the helper and its client are
    # built against the same two headers.
    sources = [
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
      "suid/client/setuid_sandbox_host.cc",
      "suid/client/setuid_sandbox_host.h",
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]

    if (is_nacl_nonsfi) {
      # The non-SFI build keeps only setuid_sandbox_client.{cc,h}: the host
      # side and both suid/common headers are dropped.
      sources -= [
        "suid/client/setuid_sandbox_host.cc",
        "suid/client/setuid_sandbox_host.h",
        "suid/common/sandbox.h",
        "suid/common/suid_unsafe_environment_variables.h",
      ]
    }
  }
}
    452 
if (is_android) {
  # TODO(GYP_GONE) Delete this after we've converted everything to GN.
  # Test-only alias group that just forwards to ":sandbox_linux_unittests".
  group("sandbox_linux_unittests_deps") {
    testonly = true
    deps = [
      ":sandbox_linux_unittests",
    ]
  }
}
    462