# Copyright 2012 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Top-level build configuration for Minijail: compile-time knobs first, then
# the build rules. Every knob below is turned into a -D preprocessor define,
# so changing one only takes effect after the affected objects are rebuilt.

BASE_VER=0
include common.mk

# Location of the preload library. The double quotes are part of the
# PRELOADPATH value, so the macro expands to a C string literal; the single
# quotes on the -D line only protect it from the shell.
# NOTE(review): this path is fixed at build time. LIBDIR should presumably be
# a directory that only root can write -- confirm against how the C sources
# use PRELOADPATH.
LIBDIR ?= /lib
PRELOADNAME = libminijailpreload.so
PRELOADPATH = "$(LIBDIR)/$(PRELOADNAME)"
CPPFLAGS += -DPRELOADPATH='$(PRELOADPATH)'

# We don't build static libs by default.
BUILD_STATIC_LIBS ?= no

# Defines the pivot root path used by the minimalistic-mountns profile.
# The value is pasted unescaped between the quotes below, so it must not
# contain quote characters itself.
DEFAULT_PIVOT_ROOT ?= /var/empty
CPPFLAGS += -DDEFAULT_PIVOT_ROOT='"$(DEFAULT_PIVOT_ROOT)"'

# These are configurable strictness settings. Not every use case for Minijail
# has the same requirements.

# Allow seccomp to fail without a warning. You probably don't want this.
# Only the exact value "no" enables the soft-fail define; leaving USE_seccomp
# unset, or setting it to anything else, keeps it off.
ifeq ($(USE_seccomp),no)
CPPFLAGS += -DUSE_SECCOMP_SOFTFAIL
endif

# Prevent Minijail configuration files from residing in a noexec
# filesystem.
#
# The rationale here is that a configuration file that controls how a program
# executes should be subject to the same restrictions as the executable it
# controls. In essence, a configuration file should be considered to have as
# much power as an executable. Files can only be executed from filesystems *not*
# mounted as noexec, so configuration files should not reside in noexec
# filesystems.
#
# For example, on ChromeOS executable filesystems are mounted read-only. Noexec
# filesystems are allowed to be mounted read-write. If a configuration file
# were allowed to reside in a noexec filesystem, an attacker would be able to
# influence how a program is executed by modifying the configuration file.
#
# Off by default: the define is added only when BLOCK_NOEXEC_CONF is exactly
# "yes", so builds that want this restriction have to opt in.
BLOCK_NOEXEC_CONF ?= no
ifeq ($(BLOCK_NOEXEC_CONF),yes)
CPPFLAGS += -DBLOCK_NOEXEC_CONF
endif

# Prevent Minijail configuration files from residing in a partition different
# from the partition mounted at /. This is primarily used in ChromeOS.
# Off by default: -DENFORCE_ROOTFS_CONF is added only when the variable is
# exactly "yes".
ENFORCE_ROOTFS_CONF ?= no
ifeq ($(ENFORCE_ROOTFS_CONF),yes)
CPPFLAGS += -DENFORCE_ROOTFS_CONF
endif

# Allow people to use -L and related flags.
# On by default. SECCOMP_DEFAULT_RET_LOG is nested inside this conditional, so
# it is honoured only when ALLOW_DEBUG_LOGGING is "yes"; builds that set
# ALLOW_DEBUG_LOGGING=no get neither define.
ALLOW_DEBUG_LOGGING ?= yes
ifeq ($(ALLOW_DEBUG_LOGGING),yes)
CPPFLAGS += -DALLOW_DEBUG_LOGGING
ifeq ($(SECCOMP_DEFAULT_RET_LOG),yes)
CPPFLAGS += -DSECCOMP_DEFAULT_RET_LOG
endif
endif

# Prevent Minijail from following symlinks when performing bind mounts.
# BINDMOUNT_ALLOWED_PREFIXES allows some flexibility. This is especially useful
# for directories that are not normally modifiable by non-root users.
# If a process can modify these directories, they probably don't need to mess
# with Minijail bind mounts to gain root privileges.
#
# The prefix list is always compiled in as a string literal, but the symlink
# blocking itself is off by default and is enabled only by
# BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS=yes. The list is pasted unescaped between
# the quotes below, so it must not contain quote characters.
BINDMOUNT_ALLOWED_PREFIXES ?= /dev,/sys
CPPFLAGS += -DBINDMOUNT_ALLOWED_PREFIXES='"$(BINDMOUNT_ALLOWED_PREFIXES)"'
BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS ?= no
ifeq ($(BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS),yes)
CPPFLAGS += -DBLOCK_SYMLINKS_IN_BINDMOUNT_PATHS
endif

# Prevents symlinks from being followed in the /tmp folder.
# Symlinks could be followed to modify arbitrary files when a process
# had access to the /tmp folder.
# Off by default; enabled only by the exact value "yes".
BLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP ?= no
ifeq ($(BLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP),yes)
CPPFLAGS += -DBLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP
endif

# AddressSanitizer build: instruments both compile and link steps and turns on
# USE_EXIT_ON_DIE. This must stay above the USE_EXIT_ON_DIE check below, which
# reads the value assigned here.
ifeq ($(USE_ASAN),yes)
CPPFLAGS += -fsanitize=address -fno-omit-frame-pointer
LDFLAGS += -fsanitize=address -fno-omit-frame-pointer
USE_EXIT_ON_DIE = yes
endif

# Setting this flag can be useful for both AddressSanitizer builds and running
# fuzzing tools, which do not expect crashes on gracefully-handled malformed
# inputs.
ifeq ($(USE_EXIT_ON_DIE),yes)
CPPFLAGS += -DUSE_EXIT_ON_DIE
endif

# Setting this flag allows duplicate syscalls definitions for seccomp filters.
# Off unless ALLOW_DUPLICATE_SYSCALLS is exactly "yes".
ifeq ($(ALLOW_DUPLICATE_SYSCALLS),yes)
CPPFLAGS += -DALLOW_DUPLICATE_SYSCALLS
endif

# Warning flags shared by the C and C++ compiles. Only warnings are set here;
# any hardening or optimisation flags would have to come from common.mk or the
# environment, which are not visible in this file.
MJ_COMMON_FLAGS = -Wunused-parameter -Wextra -Wno-missing-field-initializers
CFLAGS += $(MJ_COMMON_FLAGS)
CXXFLAGS += $(MJ_COMMON_FLAGS)

# Dependencies that all gtest based unittests should have.
UNITTEST_LIBS := -lcap
UNITTEST_DEPS := testrunner.o test_util.o

# Google Test selection. "no" (the default) builds the bundled copy as gtest.a
# and makes every unit test depend on it. Any other value takes the else
# branch, which runs gtest-config (found through PATH) while the Makefile is
# being parsed and falls back to fixed flags if that command fails.
USE_SYSTEM_GTEST ?= no
ifeq ($(USE_SYSTEM_GTEST),no)
GTEST_CXXFLAGS := -std=gnu++14
GTEST_LIBS := gtest.a
UNITTEST_DEPS += $(GTEST_LIBS)
else
GTEST_CXXFLAGS := $(shell gtest-config --cxxflags 2>/dev/null || \
	echo "-pthread")
GTEST_LIBS := $(shell gtest-config --libs 2>/dev/null || \
	echo "-lgtest -pthread -lpthread")
endif
UNITTEST_LIBS += $(GTEST_LIBS)

# Objects linked into minijail0, libminijail.so, libminijailpreload.so, the
# static libraries and every unit test.
CORE_OBJECT_FILES := libminijail.o syscall_filter.o signal_handler.o \
		bpf.o landlock_util.o util.o system.o syscall_wrapper.o \
		config_parser.o libconstants.gen.o libsyscalls.gen.o
UNITTEST_DEPS += $(CORE_OBJECT_FILES)

# The CC_BINARY(), CC_LIBRARY(), CC_STATIC_LIBRARY(), CXX_BINARY(),
# CXX_STATIC_BINARY(), TEST() and CLEAN() target names used from here on are
# not defined in this file; presumably common.mk provides the rules for them.

# Default goal: the launcher and both shared libraries.
all: CC_BINARY(minijail0) CC_LIBRARY(libminijail.so) \
	CC_LIBRARY(libminijailpreload.so)

# Short aliases for the two helper tools.
parse_seccomp_policy: CXX_BINARY(parse_seccomp_policy)
dump_constants: CXX_STATIC_BINARY(dump_constants)

# Every unit test binary, wrapped in TEST().
tests: TEST(CXX_BINARY(libminijail_unittest)) \
	TEST(CXX_BINARY(minijail0_cli_unittest)) \
	TEST(CXX_BINARY(syscall_filter_unittest)) \
	TEST(CXX_BINARY(system_unittest)) \
	TEST(CXX_BINARY(util_unittest)) \
	TEST(CXX_BINARY(config_parser_unittest))

# minijail0: core objects plus the ELF parser and the command-line front end.
CC_BINARY(minijail0): LDLIBS += -lcap -ldl
CC_BINARY(minijail0): $(CORE_OBJECT_FILES) \
	elfparse.o minijail0.o minijail0_cli.o
clean: CLEAN(minijail0)


# libminijail.so: the core objects as a shared library.
CC_LIBRARY(libminijail.so): LDLIBS += -lcap
CC_LIBRARY(libminijail.so): $(CORE_OBJECT_FILES)
clean: CLEAN(libminijail.so)

# Static variants of the library, built from the same core objects.
CC_STATIC_LIBRARY(libminijail.pic.a): $(CORE_OBJECT_FILES)
CC_STATIC_LIBRARY(libminijail.pie.a): $(CORE_OBJECT_FILES)
clean: CLEAN(libminijail.*.a)

# The static libraries join the default goal only when explicitly requested.
ifeq ($(BUILD_STATIC_LIBS),yes)
all: CC_STATIC_LIBRARY(libminijail.pic.a) CC_STATIC_LIBRARY(libminijail.pie.a)
endif

CXX_BINARY(libminijail_unittest): CXXFLAGS += -Wno-write-strings \
	$(GTEST_CXXFLAGS)
CXX_BINARY(libminijail_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(libminijail_unittest): $(UNITTEST_DEPS) libminijail_unittest.o
clean: CLEAN(libminijail_unittest)

# Running this test requires the preload library to have been built first.
TEST(CXX_BINARY(libminijail_unittest)): CC_LIBRARY(libminijailpreload.so)


# libminijailpreload.so: the preload entry object plus the core objects.
CC_LIBRARY(libminijailpreload.so): LDLIBS += -lcap -ldl
CC_LIBRARY(libminijailpreload.so): libminijailpreload.o $(CORE_OBJECT_FILES)
clean: CLEAN(libminijailpreload.so)


# The remaining unit tests follow one pattern: gtest compile flags, the shared
# unit-test link libraries, and UNITTEST_DEPS plus the test's own object.
CXX_BINARY(minijail0_cli_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(minijail0_cli_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(minijail0_cli_unittest): $(UNITTEST_DEPS) minijail0_cli_unittest.o \
	minijail0_cli.o elfparse.o
clean: CLEAN(minijail0_cli_unittest)


CXX_BINARY(config_parser_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(config_parser_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(config_parser_unittest): $(UNITTEST_DEPS) config_parser_unittest.o
clean: CLEAN(config_parser_unittest)

CXX_BINARY(syscall_filter_unittest): CXXFLAGS += -Wno-write-strings \
	$(GTEST_CXXFLAGS)
CXX_BINARY(syscall_filter_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(syscall_filter_unittest): $(UNITTEST_DEPS) syscall_filter_unittest.o
clean: CLEAN(syscall_filter_unittest)


CXX_BINARY(system_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(system_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(system_unittest): $(UNITTEST_DEPS) system_unittest.o
clean: CLEAN(system_unittest)


CXX_BINARY(util_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(util_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(util_unittest): $(UNITTEST_DEPS) util_unittest.o
clean: CLEAN(util_unittest)

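# Helper tools, generated sources and the bundled Google Test build.
# The CXX_BINARY(), CXX_STATIC_BINARY(), CLEAN() and CLEANFILE() target names,
# add_object_rules, $(SRC) and $(QUIET) are not defined in this part of the
# file; presumably they come from common.mk.

# parse_seccomp_policy links only the policy-parsing subset of the objects.
CXX_BINARY(parse_seccomp_policy): parse_seccomp_policy.o syscall_filter.o \
	bpf.o landlock_util.o util.o libconstants.gen.o libsyscalls.gen.o
clean: CLEAN(parse_seccomp_policy)


# Compiling dump_constants as a static executable makes it easy to run under
# qemu-user, which in turn simplifies cross-compiling bpf policies.
CXX_STATIC_BINARY(dump_constants): dump_constants.o \
	libconstants.gen.o libsyscalls.gen.o
clean: CLEAN(dump_constants)


# The redirection creates constants.json before dump_constants has produced
# anything, so a failed run would leave an empty or truncated file that is
# newer than its prerequisite and would not be rebuilt. Remove it on failure.
constants.json: CXX_STATIC_BINARY(dump_constants)
	./dump_constants > $@ || { rm -f $@; exit 1; }
clean: CLEANFILE(constants.json)


libsyscalls.gen.o: CPPFLAGS += -I$(SRC)

libsyscalls.gen.o.depends: libsyscalls.gen.c

# Only regenerate libsyscalls.gen.c if the Makefile or header changes.
# NOTE! This will not detect if the file is not appropriate for the target.
# NOTE(review): the generator is handed the compiler through CC, so its output
# presumably depends on the compiler's target. If so, a table left over from a
# build for another target would be reused silently -- run "make clean" when
# switching targets. Confirm against gen_syscalls.sh.
libsyscalls.gen.c: $(SRC)/libsyscalls.h $(SRC)/Makefile
	@/bin/echo -e "GEN		$(subst $(SRC)/,,$<) ->  $@"
	$(QUIET)CC="$(CC)" $(SRC)/gen_syscalls.sh "$@"
clean: CLEAN(libsyscalls.gen.c)

$(eval $(call add_object_rules,libsyscalls.gen.o,CC,c,CFLAGS))

libconstants.gen.o: CPPFLAGS += -I$(SRC)

libconstants.gen.o.depends: libconstants.gen.c

# Only regenerate libconstants.gen.c if the Makefile or header changes.
# NOTE! This will not detect if the file is not appropriate for the target.
# The same stale-file caveat as for libsyscalls.gen.c applies here.
libconstants.gen.c: $(SRC)/libconstants.h $(SRC)/Makefile
	@/bin/echo -e "GEN		$(subst $(SRC)/,,$<) ->  $@"
	$(QUIET)CC="$(CC)" $(SRC)/gen_constants.sh "$@"
clean: CLEAN(libconstants.gen.c)

$(eval $(call add_object_rules,libconstants.gen.o,CC,c,CFLAGS))


################################################################################
# Google Test

ifeq ($(USE_SYSTEM_GTEST),no)
# Points to the root of Google Test, relative to where this file is.
# Remember to tweak this if you move this file.
GTEST_DIR = googletest-release-1.11.0/googletest

# Flags passed to the preprocessor.
# Set Google Test's header directory as a system directory, such that
# the compiler doesn't generate warnings in Google Test headers.
CPPFLAGS += -isystem $(GTEST_DIR)/include

# Flags passed to the C++ compiler.
GTEST_CXXFLAGS += -pthread

# All Google Test headers.  Usually you shouldn't change this
# definition.
GTEST_HEADERS = $(GTEST_DIR)/include/gtest/*.h \
		$(GTEST_DIR)/include/gtest/internal/*.h

# House-keeping build targets.
# clean_gtest names an action, not a file. Declaring it phony keeps a stray
# file called "clean_gtest" from making the rule look up to date and turning
# this part of "make clean" into a no-op.
.PHONY: clean_gtest
clean: clean_gtest

# Removes the two archives and every object file in the current directory.
clean_gtest:
	$(QUIET)rm -f gtest.a gtest_main.a *.o

# Builds gtest.a and gtest_main.a.

# Usually you shouldn't tweak such internal variables, indicated by a
# trailing _.
GTEST_SRCS_ = $(GTEST_DIR)/src/*.cc $(GTEST_DIR)/src/*.h $(GTEST_HEADERS)

# For simplicity and to avoid depending on Google Test's
# implementation details, the dependencies specified below are
# conservative and not optimized.  This is fine as Google Test
# compiles fast and for ordinary users its source rarely changes.
gtest-all.o : $(GTEST_SRCS_)
	$(CXX) $(CPPFLAGS) -I$(GTEST_DIR) $(CXXFLAGS) $(GTEST_CXXFLAGS) -c \
		$(GTEST_DIR)/src/gtest-all.cc -o $@

gtest_main.o : $(GTEST_SRCS_)
	$(CXX) $(CPPFLAGS) -I$(GTEST_DIR) $(CXXFLAGS) $(GTEST_CXXFLAGS) -c \
		$(GTEST_DIR)/src/gtest_main.cc -o $@

gtest.a : gtest-all.o
	$(AR) $(ARFLAGS) $@ $^

gtest_main.a : gtest-all.o gtest_main.o
	$(AR) $(ARFLAGS) $@ $^

endif
################################################################################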