# Copyright 2012 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

include common.mk

# Location of the preload library. PRELOADPATH is wrapped in double quotes here
# and in single quotes on the compiler command line, so the C code receives it
# as a string literal fixed at build time.
# NOTE(review): presumably this is the library that gets preloaded into the
# jailed program; if so, $(LIBDIR) must be writable only by root -- confirm
# against the C sources and the install layout.
LIBDIR ?= /lib
PRELOADNAME = libminijailpreload.so
PRELOADPATH = "$(LIBDIR)/$(PRELOADNAME)"
CPPFLAGS += -DPRELOADPATH='$(PRELOADPATH)'

# We don't build static libs by default.
BUILD_STATIC_LIBS ?= no

# Defines the pivot root path used by the minimalistic-mountns profile.
# The value is compiled in as a string literal.
# NOTE(review): assumes the directory exists on the target and cannot be
# populated by unprivileged users -- confirm for each platform that overrides it.
DEFAULT_PIVOT_ROOT ?= /var/empty
CPPFLAGS += -DDEFAULT_PIVOT_ROOT='"$(DEFAULT_PIVOT_ROOT)"'

# These are configurable strictness settings. Not every use case for Minijail
# has the same requirements.
#
# Every knob below is matched with ifeq against one exact string, so a
# misspelt value (for example "Yes" or "true") silently leaves the macro
# undefined.

# Allow seccomp to fail without a warning. You probably don't want this.
# USE_seccomp has no default in this file: only an explicit USE_seccomp=no
# defines USE_SECCOMP_SOFTFAIL; unset or any other value leaves it undefined.
ifeq ($(USE_seccomp),no)
CPPFLAGS += -DUSE_SECCOMP_SOFTFAIL
endif

# Prevent Minijail configuration files from residing in a noexec
# filesystem.
#
# The rationale here is that a configuration file that controls how a program
# executes should be subject to the same restrictions as the executable it
# controls. In essence, a configuration file should be considered to have as
# much power as an executable. Files can only be executed from filesystems *not*
# mounted as noexec, so configuration files should not reside in noexec
# filesystems.
#
# For example, on ChromeOS executable filesystems are mounted read-only. Noexec
# filesystems are allowed to be mounted read-write. If a configuration file
# were allowed to reside in a noexec filesystem, an attacker would be able to
# influence how a program is executed by modifying the configuration file.
#
# Off by default: the macro is defined only when BLOCK_NOEXEC_CONF=yes.
BLOCK_NOEXEC_CONF ?= no
ifeq ($(BLOCK_NOEXEC_CONF),yes)
CPPFLAGS += -DBLOCK_NOEXEC_CONF
endif

# Prevent Minijail configuration files from residing in a partition different
# from the partition mounted at /. This is primarily used in ChromeOS.
# Off by default: ENFORCE_ROOTFS_CONF is defined for the C code only when the
# build sets ENFORCE_ROOTFS_CONF=yes.
ENFORCE_ROOTFS_CONF ?= no
ifeq ($(ENFORCE_ROOTFS_CONF),yes)
CPPFLAGS += -DENFORCE_ROOTFS_CONF
endif

# Allow people to use -L and related flags.
# On by default. SECCOMP_DEFAULT_RET_LOG has no default in this file and is
# honoured only inside this branch, i.e. when debug logging is allowed too.
# NOTE(review): the name suggests it switches the seccomp filter's default
# action to logging; if so it does not belong in production builds -- confirm
# in the filter code.
ALLOW_DEBUG_LOGGING ?= yes
ifeq ($(ALLOW_DEBUG_LOGGING),yes)
CPPFLAGS += -DALLOW_DEBUG_LOGGING
ifeq ($(SECCOMP_DEFAULT_RET_LOG),yes)
CPPFLAGS += -DSECCOMP_DEFAULT_RET_LOG
endif
endif

# Prevent Minijail from following symlinks when performing bind mounts.
# BINDMOUNT_ALLOWED_PREFIXES allows some flexibility. This is especially useful
# for directories that are not normally modifiable by non-root users.
# If a process can modify these directories, they probably don't need to mess
# with Minijail bind mounts to gain root privileges.
#
# The prefix list is always compiled in, as one comma-separated string
# literal. The symlink check itself is opt-in: it is enabled only with
# BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS=yes.
BINDMOUNT_ALLOWED_PREFIXES ?= /dev,/sys
CPPFLAGS += -DBINDMOUNT_ALLOWED_PREFIXES='"$(BINDMOUNT_ALLOWED_PREFIXES)"'
BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS ?= no
ifeq ($(BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS),yes)
CPPFLAGS += -DBLOCK_SYMLINKS_IN_BINDMOUNT_PATHS
endif

# Prevents symlinks from being followed in the /tmp folder.
# Symlinks could be followed to modify arbitrary files when a process
# had access to the /tmp folder.
# Off by default; enabled only with BLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP=yes.
BLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP ?= no
ifeq ($(BLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP),yes)
CPPFLAGS += -DBLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP
endif

# If specified, the `libc_compatibility_syscalls` list will be silently added to
# all allowlists. Intended for use when upgrading core libraries (mainly libc),
# which can lead to new syscalls being introduced in many places.
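# Off by default. When set to yes, ALLOW_LIBC_COMPATIBILITY_SYSCALLS is defined
# for every object built from this Makefile, so the effect is not limited to a
# single policy; builds that enable it are worth listing explicitly.
USE_LIBC_COMPATIBILITY_ALLOWLIST ?= no
ifeq ($(USE_LIBC_COMPATIBILITY_ALLOWLIST),yes)
CPPFLAGS += -DALLOW_LIBC_COMPATIBILITY_SYSCALLS
endif

# AddressSanitizer build: instruments both compile and link steps and forces
# USE_EXIT_ON_DIE on (see below).
ifeq ($(USE_ASAN),yes)
CPPFLAGS += -fsanitize=address -fno-omit-frame-pointer
LDFLAGS += -fsanitize=address -fno-omit-frame-pointer
USE_EXIT_ON_DIE = yes
endif

# Setting this flag can be useful for both AddressSanitizer builds and running
# fuzzing tools, which do not expect crashes on gracefully-handled malformed
# inputs.
ifeq ($(USE_EXIT_ON_DIE),yes)
CPPFLAGS += -DUSE_EXIT_ON_DIE
endif

# Setting this flag allows duplicate syscalls definitions for seccomp filters.
# No default is set here; only an explicit ALLOW_DUPLICATE_SYSCALLS=yes defines
# the macro.
ifeq ($(ALLOW_DUPLICATE_SYSCALLS),yes)
CPPFLAGS += -DALLOW_DUPLICATE_SYSCALLS
endif

# Warning flags shared by the C and C++ compiles.
MJ_COMMON_FLAGS = -Wunused-parameter -Wextra -Wno-missing-field-initializers
CFLAGS += $(MJ_COMMON_FLAGS)
CXXFLAGS += $(MJ_COMMON_FLAGS)

# Dependencies that all gtest based unittests should have.
UNITTEST_LIBS := -lcap
UNITTEST_DEPS := testrunner.o test_util.o

# USE_SYSTEM_GTEST=no (default) builds the bundled Google Test into gtest.a.
# Any other value asks gtest-config for flags and falls back to fixed values
# when the tool is missing or fails (its stderr is discarded).
USE_SYSTEM_GTEST ?= no
ifeq ($(USE_SYSTEM_GTEST),no)
GTEST_CXXFLAGS := -std=gnu++20
GTEST_LIBS := gtest.a
UNITTEST_DEPS += $(GTEST_LIBS)
else
GTEST_CXXFLAGS := $(shell gtest-config --cxxflags 2>/dev/null || \
    echo "-pthread")
GTEST_LIBS := $(shell gtest-config --libs 2>/dev/null || \
    echo "-lgtest -pthread -lpthread")
endif
GTEST_CXXFLAGS += -DGTEST_REMOVE_LEGACY_TEST_CASEAPI_
UNITTEST_LIBS += $(GTEST_LIBS)

# Objects shared by minijail0, both libraries and every unit test.
CORE_OBJECT_FILES := libminijail.o syscall_filter.o signal_handler.o \
    bpf.o landlock_util.o util.o system.o syscall_wrapper.o \
    config_parser.o libconstants.gen.o libsyscalls.gen.o
UNITTEST_DEPS += $(CORE_OBJECT_FILES)

# CC_BINARY(), CC_LIBRARY(), CXX_BINARY(), TEST(), CLEAN() and friends are
# target-name wrappers that this file does not define; presumably they come
# from common.mk.
all: CC_BINARY(minijail0) CC_LIBRARY(libminijail.so) \
    CC_LIBRARY(libminijailpreload.so)

parse_seccomp_policy: CXX_BINARY(parse_seccomp_policy)
dump_constants: CXX_STATIC_BINARY(dump_constants)

tests: TEST(CXX_BINARY(libminijail_unittest)) \
    TEST(CXX_BINARY(minijail0_cli_unittest)) \
    TEST(CXX_BINARY(syscall_filter_unittest)) \
    TEST(CXX_BINARY(system_unittest)) \
    TEST(CXX_BINARY(util_unittest)) \
    TEST(CXX_BINARY(config_parser_unittest))

CC_BINARY(minijail0): LDLIBS += -lcap -ldl
CC_BINARY(minijail0): $(CORE_OBJECT_FILES) \
    elfparse.o minijail0.o minijail0_cli.o
clean: CLEAN(minijail0)


CC_LIBRARY(libminijail.so): LDLIBS += -lcap
CC_LIBRARY(libminijail.so): $(CORE_OBJECT_FILES)
clean: CLEAN(libminijail.so)

CC_STATIC_LIBRARY(libminijail.pic.a): $(CORE_OBJECT_FILES)
CC_STATIC_LIBRARY(libminijail.pie.a): $(CORE_OBJECT_FILES)
clean: CLEAN(libminijail.*.a)

ifeq ($(BUILD_STATIC_LIBS),yes)
all: CC_STATIC_LIBRARY(libminijail.pic.a) CC_STATIC_LIBRARY(libminijail.pie.a)
endif

CXX_BINARY(libminijail_unittest): CXXFLAGS += -Wno-write-strings \
    $(GTEST_CXXFLAGS)
CXX_BINARY(libminijail_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(libminijail_unittest): $(UNITTEST_DEPS) libminijail_unittest.o
clean: CLEAN(libminijail_unittest)

# Running this test requires the preload library to have been built first.
TEST(CXX_BINARY(libminijail_unittest)): CC_LIBRARY(libminijailpreload.so)


CC_LIBRARY(libminijailpreload.so): LDLIBS += -lcap -ldl
CC_LIBRARY(libminijailpreload.so): libminijailpreload.o $(CORE_OBJECT_FILES)
clean: CLEAN(libminijailpreload.so)


CXX_BINARY(minijail0_cli_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(minijail0_cli_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(minijail0_cli_unittest): $(UNITTEST_DEPS) minijail0_cli_unittest.o \
    minijail0_cli.o elfparse.o
clean: CLEAN(minijail0_cli_unittest)


CXX_BINARY(config_parser_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(config_parser_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(config_parser_unittest): $(UNITTEST_DEPS) config_parser_unittest.o
clean: CLEAN(config_parser_unittest)

CXX_BINARY(syscall_filter_unittest): CXXFLAGS += -Wno-write-strings \
    $(GTEST_CXXFLAGS)
CXX_BINARY(syscall_filter_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(syscall_filter_unittest): $(UNITTEST_DEPS) syscall_filter_unittest.o
clean: CLEAN(syscall_filter_unittest)


CXX_BINARY(system_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(system_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(system_unittest): $(UNITTEST_DEPS) system_unittest.o
clean: CLEAN(system_unittest)


CXX_BINARY(util_unittest): CXXFLAGS += $(GTEST_CXXFLAGS)
CXX_BINARY(util_unittest): LDLIBS += $(UNITTEST_LIBS)
CXX_BINARY(util_unittest): $(UNITTEST_DEPS) util_unittest.o
clean: CLEAN(util_unittest)


CXX_BINARY(parse_seccomp_policy): parse_seccomp_policy.o syscall_filter.o \
    bpf.o landlock_util.o util.o libconstants.gen.o libsyscalls.gen.o
clean: CLEAN(parse_seccomp_policy)


# Compiling dump_constants as a static executable makes it easy to run under
# qemu-user, which in turn simplifies cross-compiling bpf policies.
CXX_STATIC_BINARY(dump_constants): dump_constants.o \
    libconstants.gen.o libsyscalls.gen.o
clean: CLEAN(dump_constants)


# Write to a temporary file and rename it into place, so that a failed or
# interrupted dump_constants run cannot leave a truncated constants.json that
# make would later treat as up to date.
constants.json: CXX_STATIC_BINARY(dump_constants)
	./dump_constants > $@.tmp || { rm -f $@.tmp; exit 1; }
	mv -f $@.tmp $@
clean: CLEANFILE(constants.json)


libsyscalls.gen.o: CPPFLAGS += -I$(SRC)

libsyscalls.gen.o.depends: libsyscalls.gen.c

# Only regenerate libsyscalls.gen.c if the Makefile or header changes.
# NOTE! This will not detect if the file is not appropriate for the target.
# NOTE(review): because a change of $(CC) or target does not trigger
# regeneration, a table left over from another target presumably ends up in
# the compiled filters -- clean before switching targets.
libsyscalls.gen.c: $(SRC)/libsyscalls.h $(SRC)/Makefile
	@/bin/echo -e "GEN $(subst $(SRC)/,,$<) -> $@"
	$(QUIET)CC="$(CC)" $(SRC)/gen_syscalls.sh "$@"
clean: CLEAN(libsyscalls.gen.c)

$(eval $(call add_object_rules,libsyscalls.gen.o,CC,c,CFLAGS))

libconstants.gen.o: CPPFLAGS += -I$(SRC)

libconstants.gen.o.depends: libconstants.gen.c

# Only regenerate libconstants.gen.c if the Makefile or header changes.
# NOTE! This will not detect if the file is not appropriate for the target.
libconstants.gen.c: $(SRC)/libconstants.h $(SRC)/Makefile
	@/bin/echo -e "GEN $(subst $(SRC)/,,$<) -> $@"
	$(QUIET)CC="$(CC)" $(SRC)/gen_constants.sh "$@"
clean: CLEAN(libconstants.gen.c)

$(eval $(call add_object_rules,libconstants.gen.o,CC,c,CFLAGS))


################################################################################
# Google Test

ifeq ($(USE_SYSTEM_GTEST),no)
# Points to the root of Google Test, relative to where this file is.
# Remember to tweak this if you move this file.
GTEST_DIR = googletest-1.14.0/googletest

# Flags passed to the preprocessor.
# Set Google Test's header directory as a system directory, such that
# the compiler doesn't generate warnings in Google Test headers.
CPPFLAGS += -isystem $(GTEST_DIR)/include

# Flags passed to the C++ compiler.
GTEST_CXXFLAGS += -pthread

# All Google Test headers. Usually you shouldn't change this
# definition.
GTEST_HEADERS = $(GTEST_DIR)/include/gtest/*.h \
    $(GTEST_DIR)/include/gtest/internal/*.h

# House-keeping build targets.
clean: clean_gtest

# clean_gtest names a command, not a file; declaring it phony keeps a stray
# file called clean_gtest from turning the cleanup into a no-op.
.PHONY: clean_gtest
# Removes the gtest archives and every *.o in the directory the recipe runs in,
# not only the gtest objects.
clean_gtest:
	$(QUIET)rm -f gtest.a gtest_main.a *.o

# Builds gtest.a and gtest_main.a.

# Usually you shouldn't tweak such internal variables, indicated by a
# trailing _.
GTEST_SRCS_ = $(GTEST_DIR)/src/*.cc $(GTEST_DIR)/src/*.h $(GTEST_HEADERS)

# For simplicity and to avoid depending on Google Test's
# implementation details, the dependencies specified below are
# conservative and not optimized. This is fine as Google Test
# compiles fast and for ordinary users its source rarely changes.
gtest-all.o : $(GTEST_SRCS_)
	$(CXX) $(CPPFLAGS) -I$(GTEST_DIR) $(CXXFLAGS) $(GTEST_CXXFLAGS) -c \
		$(GTEST_DIR)/src/gtest-all.cc -o $@

gtest_main.o : $(GTEST_SRCS_)
	$(CXX) $(CPPFLAGS) -I$(GTEST_DIR) $(CXXFLAGS) $(GTEST_CXXFLAGS) -c \
		$(GTEST_DIR)/src/gtest_main.cc -o $@

gtest.a : gtest-all.o
	$(AR) $(ARFLAGS) $@ $^

gtest_main.a : gtest-all.o gtest_main.o
	$(AR) $(ARFLAGS) $@ $^

endif
################################################################################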