1# Copyright (c) 2022 Huawei Device Co., Ltd.
2# Licensed under the Apache License, Version 2.0 (the "License");
3# you may not use this file except in compliance with the License.
4# You may obtain a copy of the License at
5#
6# http://www.apache.org/licenses/LICENSE-2.0
7#
8# Unless required by applicable law or agreed to in writing, software
9# distributed under the License is distributed on an "AS IS" BASIS,
10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11# See the License for the specific language governing permissions and
12# limitations under the License.
13
14import("//base/startup/init/begetd.gni")
15import(
16    "//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni")
17import("//build/config/clang/clang.gni")
18import("//build/ohos.gni")
19import("//build/ohos/kernel/kernel.gni")
20
# Part name shared by every target declared in this file.
INIT_PART = "init"

declare_args() {
  # True when the build's part list (global_parts_info) contains
  # startup_appspawn. The first defined() guards the member access in the
  # second one, so the order of the two checks matters.
  #
  # NOTE(review): "featrue" is a misspelling of "feature", but this is a build
  # argument name that the seccomp_filter group below reads and that args
  # files may set, so it is kept as-is here.
  appspawn_featrue = defined(global_parts_info) &&
                     defined(global_parts_info.startup_appspawn)
}
30
# Seccomp debug support is switched on only for the "root" build variant.
# The flag is consumed by libseccomp_static_config, which adds the
# WITH_SECCOMP_DEBUG define when it is true.
#
# NOTE(review): what WITH_SECCOMP_DEBUG changes in the C sources is not
# visible from this file; confirm that images built with the root variant are
# not the ones shipped to end users.
seccomp_enable_debug = build_variant == "root"
36
# Seccomp filter "system", built from system.seccomp.policy and installed into
# the system image. ohos_prebuilt_seccomp is not defined in this file
# (presumably it comes from the imported seccomp_policy_fixer.gni).
ohos_prebuilt_seccomp("system_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "system"
  filtername = "system"
  sources = [ "seccomp_policy/system.seccomp.policy" ]

  install_images = [ "system" ]
  install_enable = true
}
49
# Seccomp filter "appspawn", built from spawn.seccomp.policy and installed into
# the system image. It is only pulled into the seccomp_filter group when
# appspawn_featrue is true.
ohos_prebuilt_seccomp("appspawn_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "system"
  filtername = "appspawn"
  sources = [ "seccomp_policy/spawn.seccomp.policy" ]

  # Unlike most filters in this file, this one passes the current directory
  # as an include path to the template.
  include_dirs = [ "." ]

  install_images = [ "system" ]
  install_enable = true
}
64
# Seccomp filter "nwebspawn", built from nwebspawn.seccomp.policy and installed
# into the system image. It is only pulled into the seccomp_filter group when
# appspawn_featrue is true.
ohos_prebuilt_seccomp("nwebspawn_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "system"
  filtername = "nwebspawn"
  sources = [ "seccomp_policy/nwebspawn.seccomp.policy" ]

  # Same include path as appspawn_filter.
  include_dirs = [ "." ]

  install_images = [ "system" ]
  install_enable = true
}
79
# Seccomp filter "app" for process_type "app", built from app.seccomp.policy
# and installed into the system image. uid_is_root is not set here, in
# contrast to the app_atomic and app_allow_iouring filters.
ohos_prebuilt_seccomp("app_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "app"
  filtername = "app"
  sources = [ "seccomp_policy/app.seccomp.policy" ]

  install_images = [ "system" ]
  install_enable = true
}
92
# Seccomp filter "app_atomic" for process_type "app", built from
# app_atomic.seccomp.policy and installed into the system image.
ohos_prebuilt_seccomp("app_atomic_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "app"
  filtername = "app_atomic"
  sources = [ "seccomp_policy/app_atomic.seccomp.policy" ]

  # NOTE(review): the effect of uid_is_root is defined by the template, which
  # is not visible here. The plain app_filter does not set it; confirm what
  # it changes in the generated filter before copying this target.
  uid_is_root = true

  install_images = [ "system" ]
  install_enable = true
}
106
# Seccomp filter "app_allow_iouring" for process_type "app", built from
# app_allow_iouring.seccomp.policy and installed into the system image.
#
# NOTE(review): judging by the name, this policy additionally permits the
# io_uring syscalls (confirm against the policy file). io_uring has a history
# of kernel vulnerabilities, so the set of apps that are assigned this filter
# instead of the plain "app" filter should be kept as small as possible.
ohos_prebuilt_seccomp("app_allow_iouring_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "app"
  filtername = "app_allow_iouring"
  sources = [ "seccomp_policy/app_allow_iouring.seccomp.policy" ]

  # Template-defined switch; its effect is not visible in this file.
  uid_is_root = true

  install_images = [ "system" ]
  install_enable = true
}
120
# Seccomp filter "app_privilege", built from app_privilege.seccomp.policy and
# installed into the system image. The seccomp_filter group only depends on it
# when both appspawn_featrue and init_feature_seccomp_privilege are true.
ohos_prebuilt_seccomp("app_privilege_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  # NOTE(review): every other app_* filter in this file uses process_type
  # "app"; this one uses "system". Confirm that this is intentional.
  process_type = "system"
  filtername = "app_privilege"
  sources = [ "seccomp_policy/app_privilege.seccomp.policy" ]

  # Template-defined switch; its effect is not visible in this file.
  uid_is_root = true

  install_images = [ "system" ]
  install_enable = true
}
134
# Seccomp filter "updater", built from updater.seccomp.policy. This is the only
# filter in the file that is installed into the "updater" image rather than
# the "system" image.
ohos_prebuilt_seccomp("updater_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "system"
  filtername = "updater"
  sources = [ "seccomp_policy/updater.seccomp.policy" ]

  # Template-defined switch; its effect is not visible in this file.
  uid_is_root = true

  install_images = [ "updater" ]
  install_enable = true
}
148
# Seccomp filter "app_custom" for process_type "app", built from
# app_custom.seccomp.policy and installed into the system image. The
# seccomp_filter group only depends on it when both appspawn_featrue and
# init_feature_custom_sandbox are true.
ohos_prebuilt_seccomp("app_custom_filter") {
  subsystem_name = "startup"
  part_name = INIT_PART

  process_type = "app"
  filtername = "app_custom"
  sources = [ "seccomp_policy/app_custom.seccomp.policy" ]

  install_images = [ "system" ]
  install_enable = true
}
161
# Compile settings exported by libseccomp_static through public_configs.
config("libseccomp_static_config") {
  # Always on the include path: the parent directory and the seccomp innerkits
  # headers.
  include_dirs = [
    "..",
    "../../../interfaces/innerkits/seccomp/include",
  ]

  # Debug builds only (seccomp_enable_debug is true for build_variant "root"):
  # define WITH_SECCOMP_DEBUG and expose the extra innerkits headers, including
  # the param ones.
  # NOTE(review): because this config is public, the define also reaches every
  # target that depends on libseccomp_static.
  if (seccomp_enable_debug) {
    defines = [ "WITH_SECCOMP_DEBUG" ]

    include_dirs += [
      "../../../interfaces/innerkits/include",
      "../../../interfaces/innerkits/include/param",
    ]
  }
}
177
# Source set holding the seccomp policy code (seccomp_policy.c and
# seccomp_policy_static.c) of the init part.
ohos_source_set("libseccomp_static") {
  subsystem_name = "startup"
  part_name = INIT_PART

  sources = [
    "seccomp_policy.c",
    "seccomp_policy_static.c",
  ]

  # Exported to dependents: this file's own config plus the init module
  # engine's exported config.
  public_configs = [
    ":libseccomp_static_config",
    "../../../interfaces/innerkits/init_module_engine:init_module_engine_exported_config",
  ]

  # Components from other parts: the bounds-checking function library, cJSON
  # and the config policy utility.
  external_deps = [
    "bounds_checking_function:libsec_shared",
    "cJSON:cjson",
    "config_policy:configpolicy_util",
  ]
}
197
# Aggregate target for the seccomp filters defined in this file.
#
# Always included: app_allow_iouring, app_atomic, app, system and updater.
# The spawn filters are added only when appspawn_featrue is true, and the
# app_custom / app_privilege filters additionally need their own feature flag.
# With appspawn_featrue false, those two filters are never added through this
# group, whatever their flags say.
# init_feature_custom_sandbox and init_feature_seccomp_privilege are not
# declared in this file (presumably they come from one of the imported .gni
# files).
group("seccomp_filter") {
  deps = [
    ":app_allow_iouring_filter",
    ":app_atomic_filter",
    ":app_filter",
    ":system_filter",
    ":updater_filter",
  ]

  if (appspawn_featrue) {
    deps += [
      ":appspawn_filter",
      ":nwebspawn_filter",
    ]
  }

  # && short-circuits, so the feature flags are still read only when
  # appspawn_featrue is true.
  if (appspawn_featrue && init_feature_custom_sandbox) {
    deps += [ ":app_custom_filter" ]
  }
  if (appspawn_featrue && init_feature_seccomp_privilege) {
    deps += [ ":app_privilege_filter" ]
  }
}
219