1# Copyright (c) 2022 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6# http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14import("//base/startup/init/begetd.gni")
15import(
16    "//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni")
17import("//build/config/clang/clang.gni")
18import("//build/ohos.gni")
19import("//build/ohos/kernel/kernel.gni")
20
# Part name assigned to part_name by the ohos_prebuilt_seccomp targets below.
INIT_PART = "init"
22
# Runs clang in preprocess-only mode over gen_syscall_name_nrs.c against the
# 32-bit ARM kernel UAPI headers for ${linux_kernel_version}.
# Presumably the output is the syscall name -> number table used when the
# seccomp policies are compiled (inferred from the target and file names).
action("syscall_to_nr_arm") {
  # The action's "script" is the clang binary itself, not a wrapper script.
  script = "${clang_base_path}/bin/clang"

  # Despite the variable name this is a single file: with -E, clang writes the
  # preprocessed text to the path given after -o.
  output_dir = target_gen_dir + "/libsyscall_to_nr_arm"
  outputs = [ output_dir ]

  _uapi_include =
      "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"

  args = [
    "-I",
    rebase_path("${_uapi_include}/asm-arm"),
    "-I",
    rebase_path(_uapi_include),

    # -dD keeps the #define lines in the preprocessed output; -E stops after
    # preprocessing.
    "-dD",
    "-E",
    "-Wall",

    # No standard system include directories: headers resolve only through
    # the two -I paths above, so definitions come from the target kernel's
    # headers rather than from the build machine's.
    "-nostdinc",
    "-o",
    rebase_path(output_dir),
    rebase_path("gen_syscall_name_nrs.c"),
  ]
}
44
# Runs clang in preprocess-only mode over gen_syscall_name_nrs.c against the
# ARM64 kernel UAPI headers for ${linux_kernel_version}.
# Presumably the output is the syscall name -> number table used when the
# seccomp policies are compiled (inferred from the target and file names).
action("syscall_to_nr_arm64") {
  # The action's "script" is the clang binary itself, not a wrapper script.
  script = "${clang_base_path}/bin/clang"

  # Despite the variable name this is a single file: with -E, clang writes the
  # preprocessed text to the path given after -o.
  output_dir = target_gen_dir + "/libsyscall_to_nr_arm64"
  outputs = [ output_dir ]

  _uapi_include =
      "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"

  args = [
    "-I",
    rebase_path("${_uapi_include}/asm-arm64"),
    "-I",
    rebase_path(_uapi_include),

    # -dD keeps the #define lines in the preprocessed output; -E stops after
    # preprocessing.
    "-dD",
    "-E",
    "-Wall",

    # No standard system include directories: headers resolve only through
    # the two -I paths above, so definitions come from the target kernel's
    # headers rather than from the build machine's.
    "-nostdinc",
    "-o",
    rebase_path(output_dir),
    rebase_path("gen_syscall_name_nrs.c"),
  ]
}
66
# Seccomp filter built from the "system" policy files and installed into the
# system image. filtername is handed to the template; presumably it names the
# generated filter symbol.
ohos_prebuilt_seccomp("system_filter") {
  filtername = "g_systemSeccompFilter"
  subsystem_name = "startup"
  part_name = INIT_PART

  install_images = [ "system" ]
  install_enable = true

  # Policy files are selected per target CPU.
  # NOTE(review): for any other target_cpu, sources stays empty; what the
  # template generates from an empty policy list is not visible here --
  # confirm it fails the build rather than producing a permissive filter.
  sources = []
  if (target_cpu == "arm64" || target_cpu == "x86_64") {
    # NOTE(review): x86_64 is given the ARM/ARM64 policy files, and the
    # syscall_to_nr_* actions in this file only preprocess ARM headers;
    # confirm the generator maps syscall names to x86_64 numbers here.
    sources += [
      # 64-bit builds also list the 32-bit ARM policy so that 32-bit
      # syscalls are checked too.
      "seccomp_policy/system_arm.seccomp.policy",
      "seccomp_policy/system_arm64.seccomp.policy",
    ]
  } else if (target_cpu == "arm") {
    sources += [ "seccomp_policy/system_arm.seccomp.policy" ]
  }
}
86
# Seccomp filter built from the "spawn" policy files and installed into the
# system image. filtername is handed to the template; presumably it names the
# generated filter symbol.
ohos_prebuilt_seccomp("appspawn_filter") {
  filtername = "g_appspawnSeccompFilter"
  subsystem_name = "startup"
  part_name = INIT_PART

  install_images = [ "system" ]
  install_enable = true

  # Policy files are selected per target CPU.
  # NOTE(review): for any other target_cpu, sources stays empty; what the
  # template generates from an empty policy list is not visible here --
  # confirm it fails the build rather than producing a permissive filter.
  sources = []
  if (target_cpu == "arm64" || target_cpu == "x86_64") {
    # NOTE(review): x86_64 is given the ARM/ARM64 policy files, and the
    # syscall_to_nr_* actions in this file only preprocess ARM headers;
    # confirm the generator maps syscall names to x86_64 numbers here.
    sources += [
      # 64-bit builds also list the 32-bit ARM policy so that 32-bit
      # syscalls are checked too.
      "seccomp_policy/spawn_arm.seccomp.policy",
      "seccomp_policy/spawn_arm64.seccomp.policy",
    ]
  } else if (target_cpu == "arm") {
    sources += [ "seccomp_policy/spawn_arm.seccomp.policy" ]
  }
}
106
# Seccomp filter built from the "renderer" policy files and installed into the
# system image. filtername is handed to the template; presumably it names the
# generated filter symbol.
ohos_prebuilt_seccomp("nwebspawn_filter") {
  filtername = "g_nwebspawnSeccompFilter"
  subsystem_name = "startup"
  part_name = INIT_PART

  install_images = [ "system" ]
  install_enable = true

  # NOTE(review): unlike system_filter, appspawn_filter and app_filter, the
  # 64-bit branch lists only the arm64 policy and no 32-bit ARM policy.
  # Confirm that 32-bit syscalls are intentionally left out for this process
  # and check how the generated filter treats them.
  # NOTE(review): sources is assigned only inside the two branches, so for any
  # other target_cpu it is never defined (the sibling targets start from an
  # empty list instead).
  if (target_cpu == "arm64" || target_cpu == "x86_64") {
    # NOTE(review): x86_64 is given the ARM64 policy file; confirm the
    # generator maps syscall names to x86_64 numbers here.
    sources = [ "seccomp_policy/renderer_arm64.seccomp.policy" ]
  } else if (target_cpu == "arm") {
    sources = [ "seccomp_policy/renderer_arm.seccomp.policy" ]
  }
}
121
# Seccomp filter built from the "app" policy files and installed into the
# system image. filtername is handed to the template; presumably it names the
# generated filter symbol.
ohos_prebuilt_seccomp("app_filter") {
  filtername = "g_appSeccompFilter"
  subsystem_name = "startup"
  part_name = INIT_PART

  install_images = [ "system" ]
  install_enable = true

  # Policy files are selected per target CPU.
  # NOTE(review): for any other target_cpu, sources stays empty; what the
  # template generates from an empty policy list is not visible here --
  # confirm it fails the build rather than producing a permissive filter.
  sources = []
  if (target_cpu == "arm64" || target_cpu == "x86_64") {
    # NOTE(review): x86_64 is given the ARM/ARM64 policy files, and the
    # syscall_to_nr_* actions in this file only preprocess ARM headers;
    # confirm the generator maps syscall names to x86_64 numbers here.
    sources += [
      # 64-bit builds also list the 32-bit ARM policy so that 32-bit
      # syscalls are checked too.
      "seccomp_policy/app_arm.seccomp.policy",
      "seccomp_policy/app_arm64.seccomp.policy",
    ]
  } else if (target_cpu == "arm") {
    sources += [ "seccomp_policy/app_arm.seccomp.policy" ]
  }
}
141
# Include paths exported to every target that uses libseccomp_static.
config("libseccomp_static_config") {
  _init_root = "//base/startup/init"

  # Search order is kept as in the original list.
  include_dirs = [
    "${_init_root}/services/modules",
    "${_init_root}/interfaces/innerkits/seccomp/include",

    # Headers of the third-party bounds_checking_function library.
    "//third_party/bounds_checking_function/include",
  ]
}
149
150ohos_source_set("libseccomp_static") {
151  sources = [
152    "seccomp_policy.c",
153    "seccomp_policy_static.c",
154  ]
155  public_configs = [
156    ":libseccomp_static_config",
157    "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config",
158  ]
159}
160
# Umbrella target: depending on it builds all four prebuilt seccomp filters
# defined in this file.
group("seccomp_filter") {
  deps = [
    ":app_filter",
    ":appspawn_filter",
    ":nwebspawn_filter",
    ":system_filter",
  ]
}
169