• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright 2014 The Chromium Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5import("//build/config/features.gni")
6import("//build/config/nacl/config.gni")
7import("//testing/test.gni")
8
9if (is_android) {
10  import("//build/config/android/rules.gni")
11}
12
13declare_args() {
14  compile_suid_client = is_linux
15
16  compile_credentials = is_linux
17
18  # On Android, use plain GTest.
19  use_base_test_suite = is_linux
20}
21
22if (is_nacl_nonsfi) {
23  config("nacl_nonsfi_warnings") {
24    # There are number of platform specific functions in
25    # seccomp-bpf syscall helpers, which are not being used.
26    cflags = [ "-Wno-unused-function" ]
27  }
28}
29
30# We have two principal targets: sandbox and sandbox_linux_unittests
31# All other targets are listed as dependencies.
32# There is one notable exception: for historical reasons, chrome_sandbox is
33# the setuid sandbox and is its own target.
34
35group("sandbox") {
36  public_deps = [
37    ":sandbox_services",
38  ]
39
40  if (compile_suid_client || is_nacl_nonsfi) {
41    public_deps += [ ":suid_sandbox_client" ]
42  }
43  if (use_seccomp_bpf || is_nacl_nonsfi) {
44    public_deps += [
45      ":seccomp_bpf",
46      ":seccomp_bpf_helpers",
47    ]
48  }
49}
50
51source_set("sandbox_linux_test_utils") {
52  testonly = true
53  sources = [
54    "tests/sandbox_test_runner.cc",
55    "tests/sandbox_test_runner.h",
56    "tests/sandbox_test_runner_function_pointer.cc",
57    "tests/sandbox_test_runner_function_pointer.h",
58    "tests/unit_tests.cc",
59    "tests/unit_tests.h",
60  ]
61
62  deps = [
63    "//testing/gtest",
64  ]
65
66  if (!is_nacl_nonsfi) {
67    sources += [
68      "tests/test_utils.cc",
69      "tests/test_utils.h",
70    ]
71  }
72
73  if (use_seccomp_bpf || is_nacl_nonsfi) {
74    sources += [
75      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
76      "seccomp-bpf/bpf_tests.h",
77      "seccomp-bpf/sandbox_bpf_test_runner.cc",
78      "seccomp-bpf/sandbox_bpf_test_runner.h",
79    ]
80    deps += [ ":seccomp_bpf" ]
81  }
82
83  if (use_base_test_suite) {
84    deps += [ "//base/test:test_support" ]
85    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
86  }
87}
88
89# Sources for sandbox_linux_unittests.
90source_set("sandbox_linux_unittests_sources") {
91  testonly = true
92
93  sources = [
94    "services/proc_util_unittest.cc",
95    "services/resource_limits_unittests.cc",
96    "services/scoped_process_unittest.cc",
97    "services/syscall_wrappers_unittest.cc",
98    "services/thread_helpers_unittests.cc",
99    "services/yama_unittests.cc",
100    "syscall_broker/broker_file_permission_unittest.cc",
101    "syscall_broker/broker_process_unittest.cc",
102    "tests/main.cc",
103    "tests/scoped_temporary_file.cc",
104    "tests/scoped_temporary_file.h",
105    "tests/scoped_temporary_file_unittest.cc",
106    "tests/test_utils_unittest.cc",
107    "tests/unit_tests_unittest.cc",
108  ]
109
110  deps = [
111    ":sandbox",
112    ":sandbox_linux_test_utils",
113    "//base",
114    "//testing/gtest",
115  ]
116
117  if (use_base_test_suite) {
118    deps += [ "//base/test:test_support" ]
119    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
120  }
121
122  if (compile_suid_client) {
123    sources += [
124      "suid/client/setuid_sandbox_client_unittest.cc",
125      "suid/client/setuid_sandbox_host_unittest.cc",
126    ]
127  }
128  if (use_seccomp_bpf) {
129    sources += [
130      "bpf_dsl/bpf_dsl_unittest.cc",
131      "bpf_dsl/codegen_unittest.cc",
132      "bpf_dsl/cons_unittest.cc",
133      "bpf_dsl/dump_bpf.cc",
134      "bpf_dsl/dump_bpf.h",
135      "bpf_dsl/syscall_set_unittest.cc",
136      "bpf_dsl/test_trap_registry.cc",
137      "bpf_dsl/test_trap_registry.h",
138      "bpf_dsl/test_trap_registry_unittest.cc",
139      "bpf_dsl/verifier.cc",
140      "bpf_dsl/verifier.h",
141      "integration_tests/bpf_dsl_seccomp_unittest.cc",
142      "integration_tests/seccomp_broker_process_unittest.cc",
143      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
144      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
145      "seccomp-bpf/bpf_tests_unittest.cc",
146      "seccomp-bpf/sandbox_bpf_unittest.cc",
147      "seccomp-bpf/syscall_unittest.cc",
148      "seccomp-bpf/trap_unittest.cc",
149    ]
150    deps += [ ":bpf_dsl_golden" ]
151  }
152  if (compile_credentials) {
153    sources += [
154      "integration_tests/namespace_unix_domain_socket_unittest.cc",
155      "services/credentials_unittest.cc",
156      "services/namespace_utils_unittest.cc",
157    ]
158
159    if (use_base_test_suite) {
160      # Tests that use advanced features not available in stock GTest.
161      sources += [ "services/namespace_sandbox_unittest.cc" ]
162    }
163
164    # For credentials_unittest.cc
165    configs += [ "//build/config/linux:libcap" ]
166  }
167}
168
169action("bpf_dsl_golden") {
170  script = "bpf_dsl/golden/generate.py"
171  inputs = [
172    "bpf_dsl/golden/i386/ArgSizePolicy.txt",
173    "bpf_dsl/golden/i386/BasicPolicy.txt",
174    "bpf_dsl/golden/i386/ElseIfPolicy.txt",
175    "bpf_dsl/golden/i386/MaskingPolicy.txt",
176    "bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt",
177    "bpf_dsl/golden/i386/NegativeConstantsPolicy.txt",
178    "bpf_dsl/golden/i386/SwitchPolicy.txt",
179    "bpf_dsl/golden/x86-64/ArgSizePolicy.txt",
180    "bpf_dsl/golden/x86-64/BasicPolicy.txt",
181    "bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt",
182    "bpf_dsl/golden/x86-64/ElseIfPolicy.txt",
183    "bpf_dsl/golden/x86-64/MaskingPolicy.txt",
184    "bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt",
185    "bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt",
186    "bpf_dsl/golden/x86-64/SwitchPolicy.txt",
187  ]
188  outputs = [
189    "$target_gen_dir/bpf_dsl/golden/golden_files.h",
190  ]
191  args =
192      rebase_path(outputs, root_build_dir) + rebase_path(inputs, root_build_dir)
193}
194
195# TODO(GYP): Delete this after we've converted everything to GN.
196# The _run targets exist only for compatibility w/ GYP.
197group("sandbox_linux_unittests_run") {
198  testonly = true
199  deps = [
200    ":sandbox_linux_unittests",
201  ]
202}
203
204# The main sandboxing test target. "sandbox_linux_unittests" cannot use the
205# test() template because the test is run as an executable not as an APK on
206# Android.
207executable("sandbox_linux_unittests") {
208  testonly = true
209  deps = [
210    ":sandbox_linux_unittests_sources",
211    "//build/config/sanitizers:deps",
212  ]
213}
214
215component("seccomp_bpf") {
216  sources = [
217    "bpf_dsl/bpf_dsl.cc",
218    "bpf_dsl/bpf_dsl.h",
219    "bpf_dsl/bpf_dsl_forward.h",
220    "bpf_dsl/bpf_dsl_impl.h",
221    "bpf_dsl/codegen.cc",
222    "bpf_dsl/codegen.h",
223    "bpf_dsl/cons.h",
224    "bpf_dsl/errorcode.h",
225    "bpf_dsl/linux_syscall_ranges.h",
226    "bpf_dsl/policy.cc",
227    "bpf_dsl/policy.h",
228    "bpf_dsl/policy_compiler.cc",
229    "bpf_dsl/policy_compiler.h",
230    "bpf_dsl/seccomp_macros.h",
231    "bpf_dsl/syscall_set.cc",
232    "bpf_dsl/syscall_set.h",
233    "bpf_dsl/trap_registry.h",
234    "seccomp-bpf/die.cc",
235    "seccomp-bpf/die.h",
236    "seccomp-bpf/sandbox_bpf.cc",
237    "seccomp-bpf/sandbox_bpf.h",
238    "seccomp-bpf/syscall.cc",
239    "seccomp-bpf/syscall.h",
240    "seccomp-bpf/trap.cc",
241    "seccomp-bpf/trap.h",
242  ]
243  defines = [ "SANDBOX_IMPLEMENTATION" ]
244
245  deps = [
246    ":sandbox_services",
247    ":sandbox_services_headers",
248    "//base",
249  ]
250
251  if (is_nacl_nonsfi) {
252    cflags = [ "-fgnu-inline-asm" ]
253    sources -= [
254      "bpf_dsl/bpf_dsl_forward.h",
255      "bpf_dsl/bpf_dsl_impl.h",
256      "bpf_dsl/cons.h",
257      "bpf_dsl/errorcode.h",
258      "bpf_dsl/linux_syscall_ranges.h",
259      "bpf_dsl/seccomp_macros.h",
260      "bpf_dsl/trap_registry.h",
261    ]
262  }
263}
264
265component("seccomp_bpf_helpers") {
266  sources = [
267    "seccomp-bpf-helpers/baseline_policy.cc",
268    "seccomp-bpf-helpers/baseline_policy.h",
269    "seccomp-bpf-helpers/sigsys_handlers.cc",
270    "seccomp-bpf-helpers/sigsys_handlers.h",
271    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
272    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
273    "seccomp-bpf-helpers/syscall_sets.cc",
274    "seccomp-bpf-helpers/syscall_sets.h",
275  ]
276  defines = [ "SANDBOX_IMPLEMENTATION" ]
277
278  deps = [
279    ":sandbox_services",
280    ":seccomp_bpf",
281    "//base",
282  ]
283
284  if (is_nacl_nonsfi) {
285    sources -= [
286      "seccomp-bpf-helpers/baseline_policy.cc",
287      "seccomp-bpf-helpers/baseline_policy.h",
288      "seccomp-bpf-helpers/syscall_sets.cc",
289      "seccomp-bpf-helpers/syscall_sets.h",
290    ]
291    configs += [ ":nacl_nonsfi_warnings" ]
292  }
293}
294
295if (is_linux) {
296  # The setuid sandbox for Linux.
297  executable("chrome_sandbox") {
298    sources = [
299      "suid/common/sandbox.h",
300      "suid/common/suid_unsafe_environment_variables.h",
301      "suid/process_util.h",
302      "suid/process_util_linux.c",
303      "suid/sandbox.c",
304    ]
305
306    cflags = [
307      # For ULLONG_MAX
308      "-std=gnu99",
309
310      # These files have a suspicious comparison.
311      # TODO fix this and re-enable this warning.
312      "-Wno-sign-compare",
313    ]
314
315    deps = [
316      "//build/config/sanitizers:deps",
317    ]
318  }
319}
320
321component("sandbox_services") {
322  sources = [
323    "services/init_process_reaper.cc",
324    "services/init_process_reaper.h",
325    "services/proc_util.cc",
326    "services/proc_util.h",
327    "services/resource_limits.cc",
328    "services/resource_limits.h",
329    "services/scoped_process.cc",
330    "services/scoped_process.h",
331    "services/syscall_wrappers.cc",
332    "services/syscall_wrappers.h",
333    "services/thread_helpers.cc",
334    "services/thread_helpers.h",
335    "services/yama.cc",
336    "services/yama.h",
337    "syscall_broker/broker_channel.cc",
338    "syscall_broker/broker_channel.h",
339    "syscall_broker/broker_client.cc",
340    "syscall_broker/broker_client.h",
341    "syscall_broker/broker_common.h",
342    "syscall_broker/broker_file_permission.cc",
343    "syscall_broker/broker_file_permission.h",
344    "syscall_broker/broker_host.cc",
345    "syscall_broker/broker_host.h",
346    "syscall_broker/broker_policy.cc",
347    "syscall_broker/broker_policy.h",
348    "syscall_broker/broker_process.cc",
349    "syscall_broker/broker_process.h",
350  ]
351
352  defines = [ "SANDBOX_IMPLEMENTATION" ]
353
354  deps = [
355    "//base",
356  ]
357
358  if (compile_credentials || is_nacl_nonsfi) {
359    sources += [
360      "services/credentials.cc",
361      "services/credentials.h",
362      "services/namespace_sandbox.cc",
363      "services/namespace_sandbox.h",
364      "services/namespace_utils.cc",
365      "services/namespace_utils.h",
366    ]
367
368    deps += [ ":sandbox_services_headers" ]
369  }
370
371  if (is_nacl_nonsfi) {
372    cflags = [ "-fgnu-inline-asm" ]
373
374    sources -= [
375      "services/init_process_reaper.cc",
376      "services/init_process_reaper.h",
377      "services/scoped_process.cc",
378      "services/scoped_process.h",
379      "services/yama.cc",
380      "services/yama.h",
381      "syscall_broker/broker_channel.cc",
382      "syscall_broker/broker_channel.h",
383      "syscall_broker/broker_client.cc",
384      "syscall_broker/broker_client.h",
385      "syscall_broker/broker_common.h",
386      "syscall_broker/broker_file_permission.cc",
387      "syscall_broker/broker_file_permission.h",
388      "syscall_broker/broker_host.cc",
389      "syscall_broker/broker_host.h",
390      "syscall_broker/broker_policy.cc",
391      "syscall_broker/broker_policy.h",
392      "syscall_broker/broker_process.cc",
393      "syscall_broker/broker_process.h",
394    ]
395  }
396}
397
398source_set("sandbox_services_headers") {
399  sources = [
400    "system_headers/arm64_linux_syscalls.h",
401    "system_headers/arm64_linux_ucontext.h",
402    "system_headers/arm_linux_syscalls.h",
403    "system_headers/arm_linux_ucontext.h",
404    "system_headers/i386_linux_ucontext.h",
405    "system_headers/linux_futex.h",
406    "system_headers/linux_seccomp.h",
407    "system_headers/linux_signal.h",
408    "system_headers/linux_syscalls.h",
409    "system_headers/linux_time.h",
410    "system_headers/linux_ucontext.h",
411    "system_headers/x86_32_linux_syscalls.h",
412    "system_headers/x86_64_linux_syscalls.h",
413  ]
414}
415
416if (compile_suid_client || is_nacl_nonsfi) {
417  component("suid_sandbox_client") {
418    sources = [
419      "suid/client/setuid_sandbox_client.cc",
420      "suid/client/setuid_sandbox_client.h",
421      "suid/client/setuid_sandbox_host.cc",
422      "suid/client/setuid_sandbox_host.h",
423      "suid/common/sandbox.h",
424      "suid/common/suid_unsafe_environment_variables.h",
425    ]
426    defines = [ "SANDBOX_IMPLEMENTATION" ]
427
428    deps = [
429      ":sandbox_services",
430      "//base",
431    ]
432
433    if (is_nacl_nonsfi) {
434      sources -= [
435        "suid/client/setuid_sandbox_host.cc",
436        "suid/client/setuid_sandbox_host.h",
437        "suid/common/sandbox.h",
438        "suid/common/suid_unsafe_environment_variables.h",
439      ]
440    }
441  }
442}
443
444if (is_android) {
445  create_native_executable_dist("sandbox_linux_unittests_deps") {
446    testonly = true
447    dist_dir = "$root_out_dir/sandbox_linux_unittests_deps"
448    binary = "$root_out_dir/sandbox_linux_unittests"
449    deps = [
450      ":sandbox_linux_unittests",
451    ]
452
453    if (is_component_build) {
454      deps += [ "//build/android:cpplib_stripped" ]
455    }
456  }
457
458  test_runner_script("sandbox_linux_unittests__test_runner_script") {
459    test_name = "sandbox_linux_unittests"
460    test_type = "gtest"
461    test_suite = "sandbox_linux_unittests"
462    isolate_file = "//sandbox/sandbox_linux_unittests_android.isolate"
463  }
464}
465