# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/features.gni")

# Build-time switches for the optional sandbox pieces. Each one defaults to a
# Linux-only value; the seccomp-bpf demo is further limited to x86 and x64.
declare_args() {
  compile_suid_client = is_linux

  compile_credentials = is_linux

  compile_seccomp_bpf_demo =
      (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}

# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.

# Umbrella target for the sandbox layers. sandbox_services is always a
# dependency; the setuid client and the seccomp-bpf components are added only
# when their switches are set, so with both switches off this group provides
# sandbox_services alone.
# use_seccomp_bpf is not declared in this file (presumably it comes from the
# imported features.gni -- confirm).
group("sandbox") {
  deps = [ ":sandbox_services" ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}

# Shared harness for the sandbox unit tests. The seccomp-bpf test runner and
# its dependency on :seccomp_bpf are compiled in only when use_seccomp_bpf is
# set.
source_set("sandbox_linux_test_utils") {
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [ "//testing/gtest" ]

  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }
}

# The main sandboxing test target.
# Unit tests for every sandbox layer. The optional source lists follow the
# same switches as the production targets, so a configuration that turns a
# layer off also builds none of that layer's tests.
test("sandbox_linux_unittests") {
  sources = [
    "tests/main.cc",
    "tests/unit_tests_unittest.cc",
    "services/broker_process_unittest.cc",
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  # Setuid sandbox client tests.
  if (compile_suid_client) {
    sources += [ "suid/client/setuid_sandbox_client_unittest.cc" ]
  }

  # seccomp-bpf compiler, policy and syscall tests.
  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }

  # Credentials and unix domain socket tests.
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}

# TODO(GYP) Android version of this test.
#    {
#      # This target is the shared library used by Android APK (i.e.
#      # JNI-friendly) tests.
#      "target_name": "sandbox_linux_jni_unittests",
#      "includes": [
#        "sandbox_linux_test_sources.gypi",
#      ],
#      "type": "shared_library",
#      "conditions": [
#        [ "OS == "android"", {
#          "dependencies": [
#            "../testing/android/native_test.gyp:native_test_native_code",
#          ],
#        }],
#      ],
#    },

# The seccomp-bpf sandbox itself: filter program generation (codegen,
# basicblock, instruction), the verifier, trap handling and the policy
# interface. Depends only on //base and the syscall-number headers.
component("seccomp_bpf") {
  sources = [
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/sandbox_bpf_compatibility_policy.h",
    "seccomp-bpf/sandbox_bpf_policy.cc",
    "seccomp-bpf/sandbox_bpf_policy.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}

# Policy building blocks layered on top of :seccomp_bpf: the baseline policy,
# SIGSYS handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}

# NOTE(review): the demo is gated on compile_seccomp_bpf_demo only, not on
# use_seccomp_bpf, so it can pull in :seccomp_bpf even when the "sandbox"
# group leaves it out -- confirm that is intended.
if (compile_seccomp_bpf_demo) {
  # A demonstration program for the seccomp-bpf sandbox.
  executable("seccomp_bpf_demo") {
    sources = [ "seccomp-bpf/demo.cc" ]
    deps = [ ":seccomp_bpf" ]
  }
}

# The setuid sandbox for Linux.
# No deps are listed, so this binary is built only from the C sources and
# headers named here. Because it is the setuid helper, compiler diagnostics
# matter more here than elsewhere: -Wno-sign-compare below hides a warning
# class that typically points at signed/unsigned mix-ups in length and bounds
# checks, so the TODO to fix the comparison and re-enable the warning should
# be treated as security work rather than cleanup.
executable("chrome_sandbox") {
  sources = [
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/linux_util.c",
    "suid/linux_util.h",
    "suid/process_util.h",
    "suid/process_util_linux.c",
    "suid/sandbox.c",
  ]

  cflags = [
    # For ULLONG_MAX
    "-std=gnu99",

    # These files have a suspicious comparison.
    # TODO fix this and re-enable this warning.
    "-Wno-sign-compare",
  ]
}

# Process-level helpers shared by the other sandbox layers (broker process,
# init process reaper, scoped process, thread helpers, Yama). The credentials
# code and its libcap config are added only when compile_credentials is set.
component("sandbox_services") {
  sources = [
    "services/broker_process.cc",
    "services/broker_process.h",
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]

    # For capabilities.cc.
    # NOTE(review): no capabilities.cc is listed in this file; the sources
    # added above are credentials.cc/.h -- confirm which file needs libcap.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [ "//base" ]
}

# Header-only set: per-architecture syscall number tables plus the Android
# ucontext and futex compatibility headers.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}

# We make this its own target so that it does not interfere with our tests.
# The urandom override is kept out of :sandbox_services and the "sandbox"
# group; a target has to depend on it explicitly to get it.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [ "//base" ]
}

# Client side of the setuid sandbox. It lists the same suid/common headers
# (sandbox.h, suid_unsafe_environment_variables.h) as the chrome_sandbox
# executable, so the client and the setuid helper are built from one shared
# copy of those definitions.
component("suid_sandbox_client") {
  sources = [
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/client/setuid_sandbox_client.cc",
    "suid/client/setuid_sandbox_client.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    "//base",
  ]
}

# Android-only targets. Everything inside is still commented out pending
# conversion from GYP, so this branch currently defines nothing.
if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  # NOTE(review): "android_stip.py" below looks like a typo for the
  # android_strip script named in the TODO -- confirm when enabling.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}

  # TODO(GYP) convert this.
  #    {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #    }
}