1# Copyright 2014 The Chromium Authors. All rights reserved. 2# Use of this source code is governed by a BSD-style license that can be 3# found in the LICENSE file. 4 5import("//build/config/features.gni") 6import("//build/config/nacl/config.gni") 7import("//sandbox/features.gni") 8import("//testing/test.gni") 9 10if (is_android) { 11 import("//build/config/android/rules.gni") 12} 13 14declare_args() { 15 compile_suid_client = is_linux || is_chromeos 16 17 compile_credentials = is_linux || is_chromeos 18 19 # On Android, use plain GTest. 20 use_base_test_suite = is_linux || is_chromeos 21} 22 23if (is_nacl_nonsfi) { 24 config("nacl_nonsfi_warnings") { 25 # There are number of platform specific functions in 26 # seccomp-bpf syscall helpers, which are not being used. 27 cflags = [ "-Wno-unused-function" ] 28 } 29} 30 31# We have two principal targets: sandbox and sandbox_linux_unittests 32# All other targets are listed as dependencies. 33# There is one notable exception: for historical reasons, chrome_sandbox is 34# the setuid sandbox and is its own target. 35 36group("sandbox") { 37 public_deps = [ ":sandbox_services" ] 38 if (compile_suid_client || is_nacl_nonsfi) { 39 public_deps += [ ":suid_sandbox_client" ] 40 } 41 if (use_seccomp_bpf || is_nacl_nonsfi) { 42 public_deps += [ ":seccomp_bpf" ] 43 } 44 if (is_android) { 45 public_deps += [ ":seccomp_starter_android" ] 46 } 47} 48 49source_set("sandbox_linux_test_utils") { 50 testonly = true 51 sources = [ 52 "tests/sandbox_test_runner.cc", 53 "tests/sandbox_test_runner.h", 54 "tests/sandbox_test_runner_function_pointer.cc", 55 "tests/sandbox_test_runner_function_pointer.h", 56 "tests/unit_tests.cc", 57 "tests/unit_tests.h", 58 ] 59 60 deps = [ "//testing/gtest" ] 61 62 if (!is_nacl_nonsfi) { 63 sources += [ 64 "tests/test_utils.cc", 65 "tests/test_utils.h", 66 ] 67 } 68 69 if (use_seccomp_bpf || is_nacl_nonsfi) { 70 sources += [ 71 "seccomp-bpf/bpf_tester_compatibility_delegate.h", 72 "seccomp-bpf/bpf_tests.h", 73 "seccomp-bpf/sandbox_bpf_test_runner.cc", 74 "seccomp-bpf/sandbox_bpf_test_runner.h", 75 ] 76 deps += [ ":seccomp_bpf" ] 77 } 78 79 if (use_base_test_suite) { 80 deps += [ "//base/test:test_support" ] 81 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ] 82 } 83} 84 85# Sources for sandbox_linux_unittests. 86source_set("sandbox_linux_unittests_sources") { 87 testonly = true 88 89 sources = [ 90 "services/proc_util_unittest.cc", 91 "services/resource_limits_unittests.cc", 92 "services/scoped_process_unittest.cc", 93 "services/syscall_wrappers_unittest.cc", 94 "services/thread_helpers_unittests.cc", 95 "services/yama_unittests.cc", 96 "syscall_broker/broker_file_permission_unittest.cc", 97 "syscall_broker/broker_process_unittest.cc", 98 "syscall_broker/broker_simple_message_unittest.cc", 99 "syscall_broker/remote_syscall_arg_handler_unittest.cc", 100 "tests/main.cc", 101 "tests/scoped_temporary_file.cc", 102 "tests/scoped_temporary_file.h", 103 "tests/scoped_temporary_file_unittest.cc", 104 "tests/test_utils_unittest.cc", 105 "tests/unit_tests_unittest.cc", 106 ] 107 108 deps = [ 109 ":sandbox", 110 ":sandbox_linux_test_utils", 111 "//base", 112 "//base/third_party/dynamic_annotations", 113 "//build:chromeos_buildflags", 114 "//testing/gtest", 115 ] 116 117 if (use_base_test_suite) { 118 deps += [ "//base/test:test_support" ] 119 defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ] 120 } 121 122 if (compile_suid_client) { 123 sources += [ 124 "suid/client/setuid_sandbox_client_unittest.cc", 125 "suid/client/setuid_sandbox_host_unittest.cc", 126 ] 127 } 128 if (use_seccomp_bpf) { 129 sources += [ 130 "bpf_dsl/bpf_dsl_unittest.cc", 131 "bpf_dsl/codegen_unittest.cc", 132 "bpf_dsl/cons_unittest.cc", 133 "bpf_dsl/dump_bpf.cc", 134 "bpf_dsl/dump_bpf.h", 135 "bpf_dsl/syscall_set_unittest.cc", 136 "bpf_dsl/test_trap_registry.cc", 137 "bpf_dsl/test_trap_registry.h", 138 "bpf_dsl/test_trap_registry_unittest.cc", 139 "bpf_dsl/verifier.cc", 140 "bpf_dsl/verifier.h", 141 "integration_tests/bpf_dsl_seccomp_unittest.cc", 142 "integration_tests/seccomp_broker_process_unittest.cc", 143 "seccomp-bpf-helpers/baseline_policy_unittest.cc", 144 "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc", 145 "seccomp-bpf/bpf_tests_unittest.cc", 146 "seccomp-bpf/sandbox_bpf_unittest.cc", 147 "seccomp-bpf/syscall_unittest.cc", 148 "seccomp-bpf/trap_unittest.cc", 149 ] 150 deps += [ ":bpf_dsl_golden" ] 151 152 if (is_android) { 153 sources += [ "seccomp-bpf-helpers/baseline_policy_android_unittest.cc" ] 154 } 155 } 156 if (compile_credentials) { 157 sources += [ 158 "integration_tests/namespace_unix_domain_socket_unittest.cc", 159 "services/credentials_unittest.cc", 160 "services/namespace_utils_unittest.cc", 161 ] 162 163 if (use_base_test_suite) { 164 # Tests that use advanced features not available in stock GTest. 165 sources += [ "services/namespace_sandbox_unittest.cc" ] 166 } 167 168 # For credentials_unittest.cc 169 configs += [ "//build/config/linux:libcap" ] 170 } 171} 172 173action("bpf_dsl_golden") { 174 script = "bpf_dsl/golden/generate.py" 175 inputs = [ 176 "bpf_dsl/golden/i386/ArgSizePolicy.txt", 177 "bpf_dsl/golden/i386/BasicPolicy.txt", 178 "bpf_dsl/golden/i386/ElseIfPolicy.txt", 179 "bpf_dsl/golden/i386/MaskingPolicy.txt", 180 "bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt", 181 "bpf_dsl/golden/i386/NegativeConstantsPolicy.txt", 182 "bpf_dsl/golden/i386/SwitchPolicy.txt", 183 "bpf_dsl/golden/x86-64/ArgSizePolicy.txt", 184 "bpf_dsl/golden/x86-64/BasicPolicy.txt", 185 "bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt", 186 "bpf_dsl/golden/x86-64/ElseIfPolicy.txt", 187 "bpf_dsl/golden/x86-64/MaskingPolicy.txt", 188 "bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt", 189 "bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt", 190 "bpf_dsl/golden/x86-64/SwitchPolicy.txt", 191 ] 192 outputs = [ "$target_gen_dir/bpf_dsl/golden/golden_files.h" ] 193 args = 194 rebase_path(outputs, root_build_dir) + rebase_path(inputs, root_build_dir) 195} 196 197test("sandbox_linux_unittests") { 198 deps = [ 199 ":sandbox_linux_unittests_sources", 200 "//sandbox/policy:tests", 201 ] 202 data_deps = [ "//testing/buildbot/filters:sandbox_linux_unittests_filters" ] 203 if (is_android) { 204 use_raw_android_executable = true 205 } 206} 207 208component("seccomp_bpf") { 209 sources = [ 210 "bpf_dsl/bpf_dsl.cc", 211 "bpf_dsl/bpf_dsl.h", 212 "bpf_dsl/bpf_dsl_forward.h", 213 "bpf_dsl/bpf_dsl_impl.h", 214 "bpf_dsl/codegen.cc", 215 "bpf_dsl/codegen.h", 216 "bpf_dsl/cons.h", 217 "bpf_dsl/errorcode.h", 218 "bpf_dsl/linux_syscall_ranges.h", 219 "bpf_dsl/policy.cc", 220 "bpf_dsl/policy.h", 221 "bpf_dsl/policy_compiler.cc", 222 "bpf_dsl/policy_compiler.h", 223 "bpf_dsl/seccomp_macros.h", 224 "bpf_dsl/syscall_set.cc", 225 "bpf_dsl/syscall_set.h", 226 "bpf_dsl/trap_registry.h", 227 "seccomp-bpf-helpers/baseline_policy.cc", 228 "seccomp-bpf-helpers/baseline_policy.h", 229 "seccomp-bpf-helpers/sigsys_handlers.cc", 230 "seccomp-bpf-helpers/sigsys_handlers.h", 231 "seccomp-bpf-helpers/syscall_parameters_restrictions.cc", 232 "seccomp-bpf-helpers/syscall_parameters_restrictions.h", 233 "seccomp-bpf-helpers/syscall_sets.cc", 234 "seccomp-bpf-helpers/syscall_sets.h", 235 "seccomp-bpf/die.cc", 236 "seccomp-bpf/die.h", 237 "seccomp-bpf/sandbox_bpf.cc", 238 "seccomp-bpf/sandbox_bpf.h", 239 "seccomp-bpf/syscall.cc", 240 "seccomp-bpf/syscall.h", 241 "seccomp-bpf/trap.cc", 242 "seccomp-bpf/trap.h", 243 ] 244 defines = [ "SANDBOX_IMPLEMENTATION" ] 245 246 public_deps = [ 247 ":sandbox_services_headers", 248 "//sandbox:sandbox_export", 249 ] 250 deps = [ 251 ":sandbox_services", 252 "//base", 253 "//base/third_party/dynamic_annotations", 254 "//build:chromeos_buildflags", 255 "//sandbox:sandbox_buildflags", 256 ] 257 258 if (is_android) { 259 sources += [ 260 "seccomp-bpf-helpers/baseline_policy_android.cc", 261 "seccomp-bpf-helpers/baseline_policy_android.h", 262 ] 263 } 264 265 if (is_nacl_nonsfi) { 266 cflags = [ "-fgnu-inline-asm" ] 267 sources -= [ 268 "bpf_dsl/bpf_dsl_forward.h", 269 "bpf_dsl/bpf_dsl_impl.h", 270 "bpf_dsl/cons.h", 271 "bpf_dsl/errorcode.h", 272 "bpf_dsl/linux_syscall_ranges.h", 273 "bpf_dsl/seccomp_macros.h", 274 "bpf_dsl/trap_registry.h", 275 "seccomp-bpf-helpers/baseline_policy.cc", 276 "seccomp-bpf-helpers/baseline_policy.h", 277 "seccomp-bpf-helpers/syscall_sets.cc", 278 "seccomp-bpf-helpers/syscall_sets.h", 279 ] 280 configs += [ ":nacl_nonsfi_warnings" ] 281 } 282} 283 284if (is_android) { 285 # This target is available even if use_seccomp_bpf is disabled, but it also 286 # works when it is enabled. 287 component("seccomp_starter_android") { 288 sources = [ 289 "seccomp-bpf-helpers/seccomp_starter_android.cc", 290 "seccomp-bpf-helpers/seccomp_starter_android.h", 291 ] 292 293 defines = [ "SANDBOX_IMPLEMENTATION" ] 294 295 deps = [ 296 "//base", 297 "//sandbox:sandbox_buildflags", 298 ] 299 300 if (use_seccomp_bpf) { 301 deps += [ ":seccomp_bpf" ] 302 } 303 304 visibility = [ ":*" ] 305 } 306} 307 308if (is_linux || is_chromeos) { 309 # The setuid sandbox for Linux. 310 executable("chrome_sandbox") { 311 sources = [ 312 "suid/common/sandbox.h", 313 "suid/common/suid_unsafe_environment_variables.h", 314 "suid/process_util.h", 315 "suid/process_util_linux.c", 316 "suid/sandbox.c", 317 ] 318 319 cflags = [ 320 # For ULLONG_MAX 321 "-std=gnu99", 322 323 # These files have a suspicious comparison. 324 # TODO fix this and re-enable this warning. 325 "-Wno-sign-compare", 326 ] 327 } 328} 329 330component("sandbox_services") { 331 sources = [ 332 "services/init_process_reaper.cc", 333 "services/init_process_reaper.h", 334 "services/proc_util.cc", 335 "services/proc_util.h", 336 "services/resource_limits.cc", 337 "services/resource_limits.h", 338 "services/scoped_process.cc", 339 "services/scoped_process.h", 340 "services/syscall_wrappers.cc", 341 "services/syscall_wrappers.h", 342 "services/thread_helpers.cc", 343 "services/thread_helpers.h", 344 "services/yama.cc", 345 "services/yama.h", 346 "syscall_broker/broker_channel.cc", 347 "syscall_broker/broker_channel.h", 348 "syscall_broker/broker_client.cc", 349 "syscall_broker/broker_client.h", 350 "syscall_broker/broker_command.cc", 351 "syscall_broker/broker_command.h", 352 "syscall_broker/broker_file_permission.cc", 353 "syscall_broker/broker_file_permission.h", 354 "syscall_broker/broker_host.cc", 355 "syscall_broker/broker_host.h", 356 "syscall_broker/broker_permission_list.cc", 357 "syscall_broker/broker_permission_list.h", 358 "syscall_broker/broker_process.cc", 359 "syscall_broker/broker_process.h", 360 "syscall_broker/broker_simple_message.cc", 361 "syscall_broker/broker_simple_message.h", 362 "syscall_broker/remote_syscall_arg_handler.cc", 363 "syscall_broker/remote_syscall_arg_handler.h", 364 "syscall_broker/syscall_dispatcher.cc", 365 "syscall_broker/syscall_dispatcher.h", 366 ] 367 368 defines = [ "SANDBOX_IMPLEMENTATION" ] 369 370 public_deps = [ "//sandbox:sandbox_export" ] 371 deps = [ 372 "//base", 373 "//base/third_party/dynamic_annotations", 374 ] 375 376 if (compile_credentials || is_nacl_nonsfi) { 377 sources += [ 378 "services/credentials.cc", 379 "services/credentials.h", 380 "services/namespace_sandbox.cc", 381 "services/namespace_sandbox.h", 382 "services/namespace_utils.cc", 383 "services/namespace_utils.h", 384 ] 385 386 public_deps += [ ":sandbox_services_headers" ] 387 } 388 389 if (is_nacl_nonsfi || is_bsd) { 390 cflags = [ "-fgnu-inline-asm" ] 391 392 sources -= [ 393 "services/init_process_reaper.cc", 394 "services/init_process_reaper.h", 395 "services/scoped_process.cc", 396 "services/scoped_process.h", 397 "services/syscall_wrappers.cc", 398 "services/syscall_wrappers.h", 399 "services/yama.cc", 400 "services/yama.h", 401 "syscall_broker/broker_channel.cc", 402 "syscall_broker/broker_channel.h", 403 "syscall_broker/broker_client.cc", 404 "syscall_broker/broker_client.h", 405 "syscall_broker/broker_command.cc", 406 "syscall_broker/broker_command.h", 407 "syscall_broker/broker_file_permission.cc", 408 "syscall_broker/broker_file_permission.h", 409 "syscall_broker/broker_host.cc", 410 "syscall_broker/broker_host.h", 411 "syscall_broker/broker_permission_list.cc", 412 "syscall_broker/broker_permission_list.h", 413 "syscall_broker/broker_process.cc", 414 "syscall_broker/broker_process.h", 415 "syscall_broker/broker_simple_message.cc", 416 "syscall_broker/broker_simple_message.h", 417 "syscall_broker/remote_syscall_arg_handler.cc", 418 "syscall_broker/remote_syscall_arg_handler.h", 419 "syscall_broker/syscall_dispatcher.cc", 420 "syscall_broker/syscall_dispatcher.h", 421 ] 422 } else if (!is_android) { 423 sources += [ 424 "services/libc_interceptor.cc", 425 "services/libc_interceptor.h", 426 ] 427 } 428} 429 430source_set("sandbox_services_headers") { 431 sources = [ 432 "system_headers/arm64_linux_syscalls.h", 433 "system_headers/arm_linux_syscalls.h", 434 "system_headers/arm_linux_ucontext.h", 435 "system_headers/i386_linux_ucontext.h", 436 "system_headers/linux_filter.h", 437 "system_headers/linux_futex.h", 438 "system_headers/linux_prctl.h", 439 "system_headers/linux_ptrace.h", 440 "system_headers/linux_seccomp.h", 441 "system_headers/linux_signal.h", 442 "system_headers/linux_syscalls.h", 443 "system_headers/linux_time.h", 444 "system_headers/linux_ucontext.h", 445 "system_headers/mips64_linux_syscalls.h", 446 "system_headers/mips_linux_syscalls.h", 447 "system_headers/x86_32_linux_syscalls.h", 448 "system_headers/x86_64_linux_syscalls.h", 449 ] 450} 451 452if (compile_suid_client || is_nacl_nonsfi) { 453 component("suid_sandbox_client") { 454 sources = [ 455 "suid/client/setuid_sandbox_client.cc", 456 "suid/client/setuid_sandbox_client.h", 457 "suid/client/setuid_sandbox_host.cc", 458 "suid/client/setuid_sandbox_host.h", 459 "suid/common/sandbox.h", 460 "suid/common/suid_unsafe_environment_variables.h", 461 ] 462 defines = [ "SANDBOX_IMPLEMENTATION" ] 463 public_deps = [ "//sandbox:sandbox_export" ] 464 deps = [ 465 ":sandbox_services", 466 "//base", 467 "//base/third_party/dynamic_annotations", 468 ] 469 470 if (is_nacl_nonsfi) { 471 sources -= [ 472 "suid/client/setuid_sandbox_host.cc", 473 "suid/client/setuid_sandbox_host.h", 474 "suid/common/sandbox.h", 475 "suid/common/suid_unsafe_environment_variables.h", 476 ] 477 } 478 } 479} 480