BUILD.gn revision 116680a4aac90f2aa7413d9095a592090648e557
# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/features.gni")

# Build arguments that gate the optional parts of the Linux sandbox build.
# use_seccomp_bpf, which is tested further down, is not declared in this
# file; presumably it comes from the features.gni import above -- confirm.
declare_args() {
  # Adds :suid_sandbox_client to the "sandbox" group and its unit test to
  # sandbox_linux_unittests.
  compile_suid_client = is_linux

  # Adds services/credentials.* and the libcap config to sandbox_services,
  # plus the credentials and unix_domain_socket unit tests.
  compile_credentials = is_linux

  # Defines the seccomp_bpf_demo executable; on by default only for Linux on
  # x86 or x64.
  compile_seccomp_bpf_demo =
      (is_linux && (cpu_arch == "x86" || cpu_arch == "x64"))
}

# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.

# Aggregate target. sandbox_services is always included; the setuid client
# and the seccomp-bpf components are added only when their flags are set, so
# a build with those flags off gets this group without those layers.
# chrome_sandbox is not a dependency of this group and must be built by name.
group("sandbox") {
  deps = [
    ":sandbox_services",
  ]

  if (compile_suid_client) {
    deps += [ ":suid_sandbox_client" ]
  }
  if (use_seccomp_bpf) {
    deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}

# Test harness sources shared with sandbox_linux_unittests (which depends on
# this target). The seccomp-bpf test runner and its dependency on
# :seccomp_bpf are added only when use_seccomp_bpf is set.
source_set("sandbox_linux_test_utils") {
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/test_utils.cc",
    "tests/test_utils.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  if (use_seccomp_bpf) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [
      ":seccomp_bpf",
    ]
  }
}

# The main sandboxing test target.
# The services and test-infrastructure tests below are always compiled. The
# setuid client, seccomp-bpf and credentials tests are compiled only under
# the same flags that gate the code they exercise, so a configuration with a
# flag off builds this binary without the corresponding tests.
test("sandbox_linux_unittests") {
  sources = [
    "services/broker_process_unittest.cc",
    "services/scoped_process_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  # The code under test is reached through the "sandbox" group; this target
  # does not name the individual components.
  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//base/test:test_support",
    "//testing/gtest",
  ]

  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
    ]
  }
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/codegen_unittest.cc",
      "seccomp-bpf/errorcode_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_iterator_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
    ]
  }
  if (compile_credentials) {
    sources += [
      "services/credentials_unittest.cc",
      "services/unix_domain_socket_unittest.cc",
    ]
  }
}

# TODO(GYP) Android version of this test.
#    {
#      # This target is the shared library used by Android APK (i.e.
#      # JNI-friendly) tests.
#      "target_name": "sandbox_linux_jni_unittests",
#      "includes": [
#        "sandbox_linux_test_sources.gypi",
#      ],
#      "type": "shared_library",
#      "conditions": [
#        [ 'OS == "android"', {
#          "dependencies": [
#            "../testing/android/native_test.gyp:native_test_native_code",
#          ],
#        }],
#      ],
#    },

# Component built from the bpf_dsl/ and seccomp-bpf/ sources. It is pulled
# into the "sandbox" group only when use_seccomp_bpf is set.
# NOTE(review): SANDBOX_IMPLEMENTATION presumably selects the exporting side
# of the sandbox export macros -- confirm against the export header.
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/cons.h",
    "seccomp-bpf/basicblock.cc",
    "seccomp-bpf/basicblock.h",
    "seccomp-bpf/codegen.cc",
    "seccomp-bpf/codegen.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/errorcode.cc",
    "seccomp-bpf/errorcode.h",
    "seccomp-bpf/instruction.h",
    "seccomp-bpf/linux_seccomp.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/sandbox_bpf_compatibility_policy.h",
    "seccomp-bpf/sandbox_bpf_policy.cc",
    "seccomp-bpf/sandbox_bpf_policy.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/syscall_iterator.cc",
    "seccomp-bpf/syscall_iterator.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
    "seccomp-bpf/verifier.cc",
    "seccomp-bpf/verifier.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services_headers",
    "//base",
  ]
}

# Component built from the seccomp-bpf-helpers/ sources (baseline policy,
# SIGSYS handlers, syscall parameter restrictions and syscall sets, going by
# the file names). It depends on :seccomp_bpf.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    "//base",
    ":seccomp_bpf",
  ]
}

if (compile_seccomp_bpf_demo) {
  # A demonstration program for the seccomp-bpf sandbox.
  # No other target in this file depends on it.
  executable("seccomp_bpf_demo") {
    sources = [
      "seccomp-bpf/demo.cc",
    ]
    deps = [
      ":seccomp_bpf",
    ]
  }
}

# The setuid sandbox for Linux.
# This target has no deps: the binary is built only from the C sources
# listed under suid/. It is not part of the "sandbox" group.
executable("chrome_sandbox") {
  sources = [
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/linux_util.c",
    "suid/linux_util.h",
    "suid/process_util.h",
    "suid/process_util_linux.c",
    "suid/sandbox.c",
  ]

  cflags = [
    # For ULLONG_MAX
    "-std=gnu99",
    # These files have a suspicious comparison.
    # TODO fix this and re-enable this warning.
    # NOTE(review): the flag below applies to every source in this target,
    # so new signed/unsigned comparisons in the setuid binary also go
    # unreported until the TODO is resolved. Fixing the comparison in the
    # C sources and dropping the flag restores that check.
    "-Wno-sign-compare",
  ]
}

# Component built from the services/ sources: broker process, init process
# reaper, scoped process, thread helpers and Yama, going by the file names.
# It is the one dependency the "sandbox" group always includes.
component("sandbox_services") {
  sources = [
    "services/broker_process.cc",
    "services/broker_process.h",
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.h",
    "services/yama.cc",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  if (compile_credentials) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
    ]
    # For capabilities.cc.
    # NOTE(review): no capabilities.cc is listed in this target; presumably
    # the libcap config is needed by credentials.cc -- confirm and update
    # the line above.
    configs += [ "//build/config/linux:libcap" ]
  }

  deps = [
    "//base",
  ]
}

# Header-only source set holding the per-architecture syscall number headers
# and the Android ucontext/futex headers. :seccomp_bpf depends on it.
source_set("sandbox_services_headers") {
  sources = [
    "services/android_arm_ucontext.h",
    "services/android_futex.h",
    "services/android_ucontext.h",
    "services/android_i386_ucontext.h",
    "services/arm_linux_syscalls.h",
    "services/linux_syscalls.h",
    "services/x86_32_linux_syscalls.h",
    "services/x86_64_linux_syscalls.h",
  ]
}

# We make this its own target so that it does not interfere with our tests.
# No target in this file depends on libc_urandom_override, so it is linked
# only by targets elsewhere that list it explicitly.
source_set("libc_urandom_override") {
  sources = [
    "services/libc_urandom_override.cc",
    "services/libc_urandom_override.h",
  ]
  deps = [
    "//base",
  ]
}

# Client-side component for the setuid sandbox. It lists the same two
# suid/common headers as the chrome_sandbox executable and is added to the
# "sandbox" group only when compile_suid_client is set.
component("suid_sandbox_client") {
  sources = [
    "suid/common/sandbox.h",
    "suid/common/suid_unsafe_environment_variables.h",
    "suid/client/setuid_sandbox_client.cc",
    "suid/client/setuid_sandbox_client.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    "//base",
  ]
}

# Everything inside this block is commented out, so it currently defines no
# targets on Android.
if (is_android) {
  # TODO(GYP) enable this. Needs an android_strip wrapper python script.
  # NOTE(review): "android_stip.py" below looks like a typo for
  # "android_strip.py" -- confirm when the script is added.
  #action("sandbox_linux_unittests_stripped") {
  #  script = "android_stip.py"
  #
  #  in_file = "$root_out_dir/sandbox_linux_unittests"
  #
  #  out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
  #  outputs = [ out_file ]
  #
  #  args = [
  #    rebase_path(in_file, root_build_dir),
  #    "-o", rebase_path(out_file, root_build_dir),
  #  ]
  #
  #  deps = [
  #    ":sandbox_linux_unittests",
  #  ]
  #}

  # TODO(GYP) convert this.
  #    {
  #      'target_name': 'sandbox_linux_jni_unittests_apk',
  #      'type': 'none',
  #      'variables': {
  #        'test_suite_name': 'sandbox_linux_jni_unittests',
  #      },
  #      'dependencies': [
  #        'sandbox_linux_jni_unittests',
  #      ],
  #      'includes': [ '../../build/apk_test.gypi' ],
  #    }
}