1# Copyright (c) 2022 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6#     http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
14import("//build/config/python.gni")
15import("//build/ohos.gni")
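# Builds a seccomp filter shared library ("${filtername}_filter") from a set of
# syscall policy files.
#
# Three steps are wired together:
#   1. two clang preprocessor passes (arm and arm64) over gen_syscall_name_nrs.c,
#      producing per-architecture syscall name/number tables for the generator;
#   2. generate_code_from_policy.py, which takes invoker.sources, the
#      per-process_type blocklist and the privileged-process policy and writes
#      a single C file;
#   3. an ohos_shared_library compiled from that C file and installed under
#      the "seccomp" directory.
#
# Required invoker variables:
#   sources      - list of *.seccomp.policy files for this filter.
#   filtername   - filter name; used for the library's output_name and passed
#                  to the generator via --filter-name.
#   process_type - "app" or "system"; selects the blocklist policy file.
#   target_cpu   - passed to the generator via --target-cpu.
#
# Optional invoker variables:
#   uid_is_root  - defaults to false. For "system" filters other than appspawn
#                  and nwebspawn, false additionally appends
#                  system_uid_filter.seccomp.policy to the inputs; setting it
#                  to true drops that extra policy, so only set it for services
#                  that really run as root.
#   include_dirs, install_enable, part_name, subsystem_name, install_images
#                - forwarded unchanged to ohos_shared_library.
template("ohos_prebuilt_seccomp") {
  assert(defined(invoker.sources),
         "sources must be defined for ${target_name}.")
  assert(defined(invoker.filtername),
         "filtername must be defined for ${target_name}.")
  assert(
      defined(invoker.process_type) &&
          (invoker.process_type == "app" || invoker.process_type == "system"),
      "process_type must be defined for ${target_name}, and the type must be app or system")
  # target_cpu is read unconditionally below; fail early with a clear message
  # instead of a generic "undefined variable" error from the generator args.
  assert(defined(invoker.target_cpu),
         "target_cpu must be defined for ${target_name}.")

  _seccomp_filter_target = "gen_${target_name}"
  _output_name = "${invoker.filtername}_filter"
  _seccomp_filter_file = target_gen_dir + "/${_output_name}.c"
  _syscall_to_nr_arm_name = "${target_name}_syscall_to_nr_arm"
  _syscall_to_nr_arm64_name = "${target_name}_syscall_to_nr_arm64"

  # Policy inputs shared by every filter: the blocklist that matches the
  # process type, and the privileged-process list.
  _seccomp_policy_dir =
      "//base/startup/init/services/modules/seccomp/seccomp_policy"
  _blocklist_file_name =
      "${_seccomp_policy_dir}/${invoker.process_type}.blocklist.seccomp.policy"
  _key_process_file_name =
      "${_seccomp_policy_dir}/privileged_process.seccomp.policy"

  # gen_syscall_name_nrs.c is only preprocessed (-E); -dD keeps the macro
  # definitions in the output, and -nostdinc restricts includes to the kernel
  # headers of the configured linux_kernel_version. The generator script
  # presumably reads the syscall numbers from these files — confirm against
  # generate_code_from_policy.py.
  _kernel_include_root =
      "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"
  _syscall_name_nrs_src =
      "//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"

  action(_syscall_to_nr_arm_name) {
    script = "${clang_base_path}/bin/clang"
    output_dir =
        target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm"
    args = [
      "-I",
      rebase_path("${_kernel_include_root}/asm-arm"),
      "-I",
      rebase_path(_kernel_include_root),
      "-dD",
      "-E",
      "-Wall",
      "-nostdinc",
      "-o",
      rebase_path(output_dir),
      rebase_path(_syscall_name_nrs_src),
    ]

    outputs = [ output_dir ]
  }

  action(_syscall_to_nr_arm64_name) {
    script = "${clang_base_path}/bin/clang"
    output_dir =
        target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm64"
    args = [
      "-I",
      rebase_path("${_kernel_include_root}/asm-arm64"),
      "-I",
      rebase_path(_kernel_include_root),
      "-dD",
      "-E",
      "-Wall",
      "-nostdinc",
      "-o",
      rebase_path(output_dir),
      rebase_path(_syscall_name_nrs_src),
    ]

    outputs = [ output_dir ]
  }

  action(_seccomp_filter_target) {
    script = "//base/startup/init/services/modules/seccomp/scripts/generate_code_from_policy.py"

    # The generator consumes the caller's policy files plus both syscall
    # number tables produced above.
    sources = invoker.sources
    sources += get_target_outputs(":${_syscall_to_nr_arm_name}")
    sources += get_target_outputs(":${_syscall_to_nr_arm64_name}")

    uid_is_root = false
    if (defined(invoker.uid_is_root)) {
      uid_is_root = invoker.uid_is_root
    }

    # Non-root system services (except the two spawn processes) also get the
    # system_uid_filter policy. A caller that sets uid_is_root = true opts out
    # of this policy, so that flag should only be set where it is accurate.
    if (invoker.process_type == "system" && invoker.filtername != "appspawn" &&
        invoker.filtername != "nwebspawn" && uid_is_root == false) {
      sources += [ "${_seccomp_policy_dir}/system_uid_filter.seccomp.policy" ]
    }

    deps = [
      ":${_syscall_to_nr_arm64_name}",
      ":${_syscall_to_nr_arm_name}",
    ]

    # Only the "root" build variant passes --is-debug true. What the generator
    # changes in the emitted filter for a debug build is decided by the script
    # (not visible here), so review it when relying on the filter in that
    # variant.
    if (build_variant == "root") {
      seccomp_is_debug = "true"
    } else {
      seccomp_is_debug = "false"
    }

    args = []
    foreach(source, sources) {
      args += [
        "--src-files",
        rebase_path(source),
      ]
    }
    args += [
      "--blocklist-file",
      rebase_path(_blocklist_file_name),
      "--dst-file",
      rebase_path(_seccomp_filter_file),
      "--filter-name",
      invoker.filtername,
      "--target-cpu",
      invoker.target_cpu,
      "--keyprocess-file",
      rebase_path(_key_process_file_name),
      "--is-debug",
      seccomp_is_debug,
    ]

    outputs = [ _seccomp_filter_file ]
  }

  ohos_shared_library(target_name) {
    output_name = _output_name
    deps = [ ":${_seccomp_filter_target}" ]
    sources = get_target_outputs(":${_seccomp_filter_target}")

    relative_install_dir = "seccomp"

    # Copy the optional library settings from the caller; variables that the
    # caller did not define are simply skipped.
    forward_variables_from(invoker,
                           [
                             "include_dirs",
                             "install_enable",
                             "part_name",
                             "subsystem_name",
                             "install_images",
                           ])
  }
}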