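# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import("//build/config/python.gni")
import("//build/ohos.gni")

# Builds a seccomp filter shared library ("<filtername>_filter") from one or
# more seccomp policy files.
#
# Pipeline:
#   1. Preprocess gen_syscall_name_nrs.c against the prebuilt kernel UAPI
#      headers for arm, arm64 and riscv64 (one action each) to obtain the
#      syscall-name -> number tables the generator consumes.
#   2. Run generate_code_from_policy.py over the invoker's policy files, the
#      tables from step 1, the process-type blocklist and the privileged
#      process policy, producing "<filtername>_filter.c".
#   3. Compile that C file into an ohos_shared_library installed under
#      "seccomp".
#
# Parameters:
#   sources       (required) policy files (*.seccomp.policy) for this filter.
#   filtername    (required) filter name; also the output library name stem.
#   process_type  (required) "app" or "system"; selects which blocklist
#                 policy is passed to the generator via --blocklist-file.
#   uid_is_root   (optional, default false). When false, for a "system"
#                 process whose filter is neither "appspawn" nor "nwebspawn",
#                 system_uid_filter.seccomp.policy is appended to `sources`.
#   include_dirs, install_enable, part_name, subsystem_name, install_images
#                 (optional) forwarded unchanged to ohos_shared_library.
template("ohos_prebuilt_seccomp") {
  assert(defined(invoker.sources), "source must be defined for ${target_name}.")

  # The message used to say "source" although it is filtername being checked.
  assert(defined(invoker.filtername),
         "filtername must be defined for ${target_name}.")
  assert(
      defined(invoker.process_type) &&
          (invoker.process_type == "app" || invoker.process_type == "system"),
      "process_type must be defined for ${target_name}, and the type must be app or system")

  _seccomp_filter_target = "gen_${target_name}"
  _output_name = "${invoker.filtername}_filter"
  _seccomp_filter_file = target_gen_dir + "/${_output_name}.c"
  _syscall_to_nr_arm_name = "${target_name}_syscall_to_nr_arm"
  _syscall_to_nr_arm64_name = "${target_name}_syscall_to_nr_arm64"
  _syscall_to_nr_riscv64_name = "${target_name}_syscall_to_nr_riscv64"

  # Policy inputs shared by every filter of a given process type. They are
  # listed as action inputs below so that editing them re-generates the
  # filter on an incremental build.
  _blocklist_file_name = "//base/startup/init/services/modules/seccomp/seccomp_policy/${invoker.process_type}.blocklist.seccomp.policy"
  _key_process_file_name = "//base/startup/init/services/modules/seccomp/seccomp_policy/privileged_process.seccomp.policy"

  # Single source of truth for the paths used by the three preprocessing
  # actions; only the per-arch asm include directory differs between them.
  _kernel_uapi_include = "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"
  _syscall_name_nrs_src =
      "//base/startup/init/services/modules/seccomp/gen_syscall_name_nrs.c"

  # Preprocess (-E, keep #defines via -dD) the syscall table against the arm
  # UAPI headers. `inputs` makes the .c file a tracked dependency; without it
  # a change to it would not re-run this action.
  action(_syscall_to_nr_arm_name) {
    script = "${clang_base_path}/bin/clang"
    output_dir =
        target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm"
    inputs = [ _syscall_name_nrs_src ]
    args = [
      "-I",
      rebase_path("${_kernel_uapi_include}/asm-arm"),
      "-I",
      rebase_path(_kernel_uapi_include),
      "-dD",
      "-E",
      "-Wall",
      "-nostdinc",
      "-o",
      rebase_path(output_dir),
      rebase_path(_syscall_name_nrs_src),
    ]

    outputs = [ output_dir ]
  }

  # Same as above for arm64.
  action(_syscall_to_nr_arm64_name) {
    script = "${clang_base_path}/bin/clang"
    output_dir =
        target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm64"
    inputs = [ _syscall_name_nrs_src ]
    args = [
      "-I",
      rebase_path("${_kernel_uapi_include}/asm-arm64"),
      "-I",
      rebase_path(_kernel_uapi_include),
      "-dD",
      "-E",
      "-Wall",
      "-nostdinc",
      "-o",
      rebase_path(output_dir),
      rebase_path(_syscall_name_nrs_src),
    ]

    outputs = [ output_dir ]
  }

  # Same as above for riscv64.
  action(_syscall_to_nr_riscv64_name) {
    script = "${clang_base_path}/bin/clang"
    output_dir =
        target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_riscv64"
    inputs = [ _syscall_name_nrs_src ]
    args = [
      "-I",
      rebase_path("${_kernel_uapi_include}/asm-riscv"),
      "-I",
      rebase_path(_kernel_uapi_include),
      "-dD",
      "-E",
      "-Wall",
      "-nostdinc",
      "-o",
      rebase_path(output_dir),
      rebase_path(_syscall_name_nrs_src),
    ]

    outputs = [ output_dir ]
  }

  # Generate the filter C source from the policy files.
  action(_seccomp_filter_target) {
    script = "//base/startup/init/services/modules/seccomp/scripts/generate_code_from_policy.py"

    # Every --src-files argument is also a tracked source, so GN re-runs the
    # generator when any policy or syscall table changes.
    sources = invoker.sources
    sources += get_target_outputs(":${_syscall_to_nr_arm_name}")
    sources += get_target_outputs(":${_syscall_to_nr_arm64_name}")
    sources += get_target_outputs(":${_syscall_to_nr_riscv64_name}")

    # The blocklist and privileged-process policies are passed by path only,
    # so they must be declared as inputs to be part of the dependency graph.
    inputs = [
      _blocklist_file_name,
      _key_process_file_name,
    ]

    uid_is_root = false
    if (defined(invoker.uid_is_root)) {
      uid_is_root = invoker.uid_is_root
    }

    # Non-root system services additionally get the shared system-uid policy;
    # the two spawn processes are exempt because they build their own filters.
    if (invoker.process_type == "system" && invoker.filtername != "appspawn" &&
        invoker.filtername != "nwebspawn" && uid_is_root == false) {
      sources += [ "//base/startup/init/services/modules/seccomp/seccomp_policy/system_uid_filter.seccomp.policy" ]
    }

    deps = [
      ":${_syscall_to_nr_arm64_name}",
      ":${_syscall_to_nr_arm_name}",
      ":${_syscall_to_nr_riscv64_name}",
    ]

    # The "root" build variant tells the generator it is a debug build; what
    # the generator changes in that mode is defined in the script itself.
    if (build_variant == "root") {
      seccomp_is_debug = "true"
    } else {
      seccomp_is_debug = "false"
    }

    args = []
    foreach(source, sources) {
      args += [
        "--src-files",
        rebase_path(source),
      ]
    }
    args += [
      "--blocklist-file",
      rebase_path(_blocklist_file_name),
      "--dst-file",
      rebase_path(_seccomp_filter_file),
      "--filter-name",
      invoker.filtername,
      "--target-cpu",
      invoker.target_cpu,
      "--keyprocess-file",
      rebase_path(_key_process_file_name),
      "--is-debug",
      seccomp_is_debug,
    ]

    outputs = [ _seccomp_filter_file ]
  }

  # Compile the generated filter into lib<filtername>_filter, installed under
  # the "seccomp" directory; optional ohos_shared_library settings are
  # forwarded only when the invoker set them.
  ohos_shared_library(target_name) {
    output_name = _output_name
    deps = [ ":${_seccomp_filter_target}" ]
    sources = get_target_outputs(":${_seccomp_filter_target}")

    relative_install_dir = "seccomp"

    if (defined(invoker.include_dirs)) {
      include_dirs = invoker.include_dirs
    }

    if (defined(invoker.install_enable)) {
      install_enable = invoker.install_enable
    }

    if (defined(invoker.part_name)) {
      part_name = invoker.part_name
    }

    if (defined(invoker.subsystem_name)) {
      subsystem_name = invoker.subsystem_name
    }

    if (defined(invoker.install_images)) {
      install_images = invoker.install_images
    }
  }
}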