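# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# GYP build description for the Linux/Android sandbox: the seccomp-bpf
# library and its helpers, the sandbox services (credentials, namespaces,
# syscall broker), the setuid sandbox binary and its client, and the unit
# test targets.
{
  'variables': {
    'conditions': [
      # The setuid sandbox client, the credentials/namespace code and the
      # base test suite are only built when OS is exactly "linux"; every
      # other OS value (including "android") gets 0.
      ['OS=="linux"', {
        'compile_suid_client': 1,
        'compile_credentials': 1,
        'use_base_test_suite': 1,
      }, {
        'compile_suid_client': 0,
        'compile_credentials': 0,
        'use_base_test_suite': 0,
      }],
      # NOTE(review): compile_seccomp_bpf_demo is set here but not referenced
      # anywhere else in this file - confirm that an including file uses it.
      ['OS=="linux" and (target_arch=="ia32" or target_arch=="x64" or '
         'target_arch=="mipsel")', {
        'compile_seccomp_bpf_demo': 1,
      }, {
        'compile_seccomp_bpf_demo': 0,
      }],
    ],
  },
  'target_defaults': {
    'target_conditions': [
      # All linux/ files will automatically be excluded on Android
      # so make sure we re-include them explicitly.
      ['OS == "android"', {
        'sources/': [
          ['include', '^linux/'],
        ],
      }],
    ],
  },
  'targets': [
    # We have two principal targets: sandbox and sandbox_linux_unittests
    # All other targets are listed as dependencies.
    # There is one notable exception: for historical reasons, chrome_sandbox is
    # the setuid sandbox and is its own target.
    {
      # Umbrella target: builds nothing itself and only pulls in the sandbox
      # layers that are enabled for this configuration.
      'target_name': 'sandbox',
      'type': 'none',
      'dependencies': [
        'sandbox_services',
      ],
      'conditions': [
        [ 'compile_suid_client==1', {
          'dependencies': [
            'suid_sandbox_client',
          ],
        }],
        # Compile seccomp BPF when we support it.
        # use_seccomp_bpf is not defined in this file; it has to be supplied
        # by the including build configuration. When it is not 1, the
        # 'sandbox' target is built without the seccomp-bpf layer.
        [ 'use_seccomp_bpf==1', {
          'dependencies': [
            'seccomp_bpf',
            'seccomp_bpf_helpers',
          ],
        }],
      ],
    },
    {
      # Shared test scaffolding used by the sandbox unit tests.
      'target_name': 'sandbox_linux_test_utils',
      'type': 'static_library',
      'dependencies': [
        '../testing/gtest.gyp:gtest',
      ],
      'include_dirs': [
        '../..',
      ],
      'sources': [
        'tests/sandbox_test_runner.cc',
        'tests/sandbox_test_runner.h',
        'tests/sandbox_test_runner_function_pointer.cc',
        'tests/sandbox_test_runner_function_pointer.h',
        'tests/test_utils.cc',
        'tests/test_utils.h',
        'tests/unit_tests.cc',
        'tests/unit_tests.h',
      ],
      'conditions': [
        # The BPF test runner is only compiled when seccomp-bpf itself is.
        [ 'use_seccomp_bpf==1', {
          'sources': [
            'seccomp-bpf/bpf_tester_compatibility_delegate.h',
            'seccomp-bpf/bpf_tests.h',
            'seccomp-bpf/sandbox_bpf_test_runner.cc',
            'seccomp-bpf/sandbox_bpf_test_runner.h',
          ],
          'dependencies': [
            'seccomp_bpf',
          ]
        }],
        [ 'use_base_test_suite==1', {
          'dependencies': [
            '../base/base.gyp:test_support_base',
          ],
          'defines': [
            'SANDBOX_USES_BASE_TEST_SUITE',
          ],
        }],
      ],
    },
    {
      # The main sandboxing test target.
      'target_name': 'sandbox_linux_unittests',
      'includes': [
        'sandbox_linux_test_sources.gypi',
      ],
      'type': 'executable',
      'conditions': [
        [ 'OS == "android"', {
          'variables': {
            'test_type': 'gtest',
            'test_suite_name': '<(_target_name)',
          },
          'includes': [
            '../../build/android/test_runner.gypi',
          ],
        }]
      ]
    },
    {
      # The seccomp-bpf sandbox: the bpf_dsl policy language and compiler
      # plus the code that installs the filter and handles traps.
      'target_name': 'seccomp_bpf',
      'type': '<(component)',
      'sources': [
        'bpf_dsl/bpf_dsl.cc',
        'bpf_dsl/bpf_dsl.h',
        'bpf_dsl/bpf_dsl_forward.h',
        'bpf_dsl/bpf_dsl_impl.h',
        'bpf_dsl/codegen.cc',
        'bpf_dsl/codegen.h',
        'bpf_dsl/cons.h',
        'bpf_dsl/errorcode.h',
        'bpf_dsl/linux_syscall_ranges.h',
        'bpf_dsl/policy.cc',
        'bpf_dsl/policy.h',
        'bpf_dsl/policy_compiler.cc',
        'bpf_dsl/policy_compiler.h',
        # Listed once; the original list carried this header twice.
        'bpf_dsl/seccomp_macros.h',
        'bpf_dsl/syscall_set.cc',
        'bpf_dsl/syscall_set.h',
        'bpf_dsl/trap_registry.h',
        'seccomp-bpf/die.cc',
        'seccomp-bpf/die.h',
        'seccomp-bpf/sandbox_bpf.cc',
        'seccomp-bpf/sandbox_bpf.h',
        'seccomp-bpf/syscall.cc',
        'seccomp-bpf/syscall.h',
        'seccomp-bpf/trap.cc',
        'seccomp-bpf/trap.h',
      ],
      'dependencies': [
        '../base/base.gyp:base',
        'sandbox_services',
        'sandbox_services_headers',
      ],
      'defines': [
        'SANDBOX_IMPLEMENTATION',
      ],
      'includes': [
        # Disable LTO due to compiler bug
        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57703
        '../../build/android/disable_gcc_lto.gypi',
      ],
      'include_dirs': [
        '../..',
      ],
    },
    {
      # Policy building blocks layered on seccomp_bpf: the baseline policy,
      # SIGSYS handlers, syscall parameter restrictions and syscall sets.
      'target_name': 'seccomp_bpf_helpers',
      'type': '<(component)',
      'sources': [
        'seccomp-bpf-helpers/baseline_policy.cc',
        'seccomp-bpf-helpers/baseline_policy.h',
        'seccomp-bpf-helpers/sigsys_handlers.cc',
        'seccomp-bpf-helpers/sigsys_handlers.h',
        'seccomp-bpf-helpers/syscall_parameters_restrictions.cc',
        'seccomp-bpf-helpers/syscall_parameters_restrictions.h',
        'seccomp-bpf-helpers/syscall_sets.cc',
        'seccomp-bpf-helpers/syscall_sets.h',
      ],
      'dependencies': [
        '../base/base.gyp:base',
        'sandbox_services',
        'seccomp_bpf',
      ],
      'defines': [
        'SANDBOX_IMPLEMENTATION',
      ],
      'include_dirs': [
        '../..',
      ],
    },
    {
      # The setuid sandbox, for Linux
      # Built only from the C sources below; the target declares no
      # dependencies on any other target in this file.
      'target_name': 'chrome_sandbox',
      'type': 'executable',
      'sources': [
        'suid/common/sandbox.h',
        'suid/common/suid_unsafe_environment_variables.h',
        'suid/process_util.h',
        'suid/process_util_linux.c',
        'suid/sandbox.c',
      ],
      'cflags': [
        # For ULLONG_MAX
        '-std=gnu99',
      ],
      'include_dirs': [
        '../..',
      ],
      # Do not use any sanitizer tools with this binary. http://crbug.com/382766
      # The 'exclude' pattern is a regular expression, so every compiler and
      # linker flag containing '-fsanitize' is filtered out of this target.
      # NOTE(review): presumably this keeps sanitizer runtimes out of a
      # binary that runs setuid - confirm the rationale against the bug.
      'cflags/': [
        ['exclude', '-fsanitize'],
      ],
      'ldflags/': [
        ['exclude', '-fsanitize'],
      ],
    },
    { 'target_name': 'sandbox_services',
      # Process, resource-limit, thread and Yama helpers plus the syscall
      # broker, shared by the other sandbox layers.
      'type': '<(component)',
      'sources': [
        'services/init_process_reaper.cc',
        'services/init_process_reaper.h',
        'services/proc_util.cc',
        'services/proc_util.h',
        'services/resource_limits.cc',
        'services/resource_limits.h',
        'services/scoped_process.cc',
        'services/scoped_process.h',
        'services/syscall_wrappers.cc',
        'services/syscall_wrappers.h',
        'services/thread_helpers.cc',
        'services/thread_helpers.h',
        'services/yama.cc',
        'services/yama.h',
        'syscall_broker/broker_channel.cc',
        'syscall_broker/broker_channel.h',
        'syscall_broker/broker_client.cc',
        'syscall_broker/broker_client.h',
        'syscall_broker/broker_common.h',
        'syscall_broker/broker_file_permission.cc',
        'syscall_broker/broker_file_permission.h',
        'syscall_broker/broker_host.cc',
        'syscall_broker/broker_host.h',
        'syscall_broker/broker_policy.cc',
        'syscall_broker/broker_policy.h',
        'syscall_broker/broker_process.cc',
        'syscall_broker/broker_process.h',
      ],
      'dependencies': [
        '../base/base.gyp:base',
      ],
      'defines': [
        'SANDBOX_IMPLEMENTATION',
      ],
      'conditions': [
        # Credentials and namespace sandboxing are compiled only when
        # compile_credentials is 1, which the 'variables' section above sets
        # for OS=="linux" only.
        ['compile_credentials==1', {
          'sources': [
            'services/credentials.cc',
            'services/credentials.h',
            'services/namespace_sandbox.cc',
            'services/namespace_sandbox.h',
            'services/namespace_utils.cc',
            'services/namespace_utils.h',
          ],
          'dependencies': [
            # for capability.h.
            'sandbox_services_headers',
          ],
        }],
      ],
      'include_dirs': [
        '..',
      ],
    },
    { 'target_name': 'sandbox_services_headers',
      # Header-only target ('type': 'none'): local copies of per-architecture
      # syscall, ucontext, seccomp and capability definitions.
      'type': 'none',
      'sources': [
        'system_headers/arm64_linux_syscalls.h',
        'system_headers/arm64_linux_ucontext.h',
        'system_headers/arm_linux_syscalls.h',
        'system_headers/arm_linux_ucontext.h',
        'system_headers/capability.h',
        'system_headers/i386_linux_ucontext.h',
        'system_headers/linux_futex.h',
        'system_headers/linux_seccomp.h',
        'system_headers/linux_syscalls.h',
        'system_headers/linux_time.h',
        'system_headers/linux_ucontext.h',
        'system_headers/mips_linux_syscalls.h',
        'system_headers/mips_linux_ucontext.h',
        'system_headers/x86_32_linux_syscalls.h',
        'system_headers/x86_64_linux_syscalls.h',
      ],
      'include_dirs': [
        '..',
      ],
    },
    {
      # Client and host side of the setuid sandbox. It shares
      # suid/common/sandbox.h and suid_unsafe_environment_variables.h with
      # the chrome_sandbox binary above.
      'target_name': 'suid_sandbox_client',
      'type': '<(component)',
      'sources': [
        'suid/common/sandbox.h',
        'suid/common/suid_unsafe_environment_variables.h',
        'suid/client/setuid_sandbox_client.cc',
        'suid/client/setuid_sandbox_client.h',
        'suid/client/setuid_sandbox_host.cc',
        'suid/client/setuid_sandbox_host.h',
      ],
      'defines': [
        'SANDBOX_IMPLEMENTATION',
      ],
      'dependencies': [
        '../base/base.gyp:base',
        'sandbox_services',
      ],
      'include_dirs': [
        '..',
      ],
    },
    {
      # Generates golden_files.h from the checked-in golden policy dumps.
      'target_name': 'bpf_dsl_golden',
      'type': 'none',
      'actions': [
        {
          'action_name': 'generate',
          # NOTE(review): the i386 list has no BooleanLogicPolicy.txt while
          # the x86-64 list does - confirm that this is intentional.
          'inputs': [
            'bpf_dsl/golden/generate.py',
            'bpf_dsl/golden/i386/ArgSizePolicy.txt',
            'bpf_dsl/golden/i386/BasicPolicy.txt',
            'bpf_dsl/golden/i386/ElseIfPolicy.txt',
            'bpf_dsl/golden/i386/MaskingPolicy.txt',
            'bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt',
            'bpf_dsl/golden/i386/NegativeConstantsPolicy.txt',
            'bpf_dsl/golden/i386/SwitchPolicy.txt',
            'bpf_dsl/golden/x86-64/ArgSizePolicy.txt',
            'bpf_dsl/golden/x86-64/BasicPolicy.txt',
            'bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt',
            'bpf_dsl/golden/x86-64/ElseIfPolicy.txt',
            'bpf_dsl/golden/x86-64/MaskingPolicy.txt',
            'bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt',
            'bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt',
            'bpf_dsl/golden/x86-64/SwitchPolicy.txt',
          ],
          'outputs': [
            '<(SHARED_INTERMEDIATE_DIR)/sandbox/linux/bpf_dsl/golden/golden_files.h',
          ],
          # Keep this argument list in sync with 'inputs' above: a golden
          # file passed here but missing from 'inputs' would not trigger
          # regeneration when it changes. The paths here carry a 'linux/'
          # prefix that the 'inputs' entries do not.
          'action': [
            'python',
            'linux/bpf_dsl/golden/generate.py',
            '<(SHARED_INTERMEDIATE_DIR)/sandbox/linux/bpf_dsl/golden/golden_files.h',
            'linux/bpf_dsl/golden/i386/ArgSizePolicy.txt',
            'linux/bpf_dsl/golden/i386/BasicPolicy.txt',
            'linux/bpf_dsl/golden/i386/ElseIfPolicy.txt',
            'linux/bpf_dsl/golden/i386/MaskingPolicy.txt',
            'linux/bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt',
            'linux/bpf_dsl/golden/i386/NegativeConstantsPolicy.txt',
            'linux/bpf_dsl/golden/i386/SwitchPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/ArgSizePolicy.txt',
            'linux/bpf_dsl/golden/x86-64/BasicPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/ElseIfPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/MaskingPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt',
            'linux/bpf_dsl/golden/x86-64/SwitchPolicy.txt',
          ],
          'message': 'Generating header from golden files ...',
        },
      ],
    },
  ],
  'conditions': [
    # Android-only packaging targets for the unit test binary.
    [ 'OS=="android"', {
      'targets': [
      {
        'target_name': 'sandbox_linux_unittests_stripped',
        'type': 'none',
        'dependencies': [ 'sandbox_linux_unittests' ],
        'actions': [{
          'action_name': 'strip sandbox_linux_unittests',
          'inputs': [ '<(PRODUCT_DIR)/sandbox_linux_unittests' ],
          'outputs': [ '<(PRODUCT_DIR)/sandbox_linux_unittests_stripped' ],
          'action': [ '<(android_strip)', '<@(_inputs)', '-o', '<@(_outputs)' ],
        }],
      },
      {
        'target_name': 'sandbox_linux_unittests_deps',
        'type': 'none',
        'dependencies': [
          'sandbox_linux_unittests_stripped',
        ],
        # For the component build, ensure dependent shared libraries are
        # stripped and put alongside sandbox_linux_unittests to simplify pushing
        # to the device.
        'variables': {
           'output_dir': '<(PRODUCT_DIR)/sandbox_linux_unittests_deps/',
           'native_binary': '<(PRODUCT_DIR)/sandbox_linux_unittests_stripped',
           'include_main_binary': 0,
        },
        'includes': [
          '../../build/android/native_app_dependencies.gypi'
        ],
      }],
    }],
    # Isolated test-run target for Android, skipped when test isolation is
    # "noop".
    [ 'OS=="android"', {
      'conditions': [
        ['test_isolation_mode != "noop"', {
          'targets': [
            {
              'target_name': 'sandbox_linux_unittests_android_run',
              'type': 'none',
              'dependencies': [
                'sandbox_linux_unittests',
              ],
              'includes': [
                '../../build/isolate.gypi',
              ],
              'sources': [
                '../sandbox_linux_unittests_android.isolate',
              ],
            },
          ],
        }],
      ],
    }],
    # Isolated test-run target; this condition does not test OS.
    ['test_isolation_mode != "noop"', {
      'targets': [
        {
          'target_name': 'sandbox_linux_unittests_run',
          'type': 'none',
          'dependencies': [
            'sandbox_linux_unittests',
          ],
          'includes': [
            '../../build/isolate.gypi',
          ],
          'sources': [
            '../sandbox_linux_unittests.isolate',
          ],
        },
      ],
    }],
  ],
}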