# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
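# Build-configuration imports for this file.
# NOTE(review): use_seccomp_bpf and is_nacl_nonsfi are used below but not
# declared in this file; presumably they come from these imports - confirm.
import("//build/config/features.gni")
import("//build/config/nacl/config.gni")
import("//testing/test.gni")

# The Android rules are imported only when building for Android.
if (is_android) {
  import("//build/config/android/rules.gni")
}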
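# Build arguments that select which sandbox pieces are compiled. All three
# default to the value of is_linux.
declare_args() {
  # Gates the ":suid_sandbox_client" target and the setuid sandbox client/host
  # unit tests.
  compile_suid_client = is_linux

  # Gates the credentials and namespace sandbox sources in ":sandbox_services"
  # and their unit tests. Disabling it leaves those sources out of the build
  # (unless is_nacl_nonsfi is set).
  compile_credentials = is_linux

  # On Android, use plain GTest.
  use_base_test_suite = is_linux
}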
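if (is_nacl_nonsfi) {
  # Warning suppression for the NaCl non-SFI build; it is added to
  # ":seccomp_bpf_helpers" through that target's `configs +=`.
  config("nacl_nonsfi_warnings") {
    # There are a number of platform-specific functions in the
    # seccomp-bpf syscall helpers that are not being used.
    cflags = [ "-Wno-unused-function" ]
  }
}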
# We have two principal targets: sandbox and sandbox_linux_unittests.
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
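# Umbrella target for the Linux sandbox. ":sandbox_services" is always
# included; the setuid client and the seccomp-bpf layer are added only when
# the corresponding build flags are set, so a dependent target gets exactly
# the sandbox layers that this build configuration enables.
group("sandbox") {
  public_deps = [
    ":sandbox_services",
  ]

  # Setuid sandbox client.
  if (compile_suid_client || is_nacl_nonsfi) {
    public_deps += [ ":suid_sandbox_client" ]
  }

  # seccomp-bpf system call filtering and its helper policies.
  if (use_seccomp_bpf || is_nacl_nonsfi) {
    public_deps += [
      ":seccomp_bpf",
      ":seccomp_bpf_helpers",
    ]
  }
}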
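# Test-only support code (test runners and unit test helpers) shared by the
# sandbox unit tests.
source_set("sandbox_linux_test_utils") {
  testonly = true
  sources = [
    "tests/sandbox_test_runner.cc",
    "tests/sandbox_test_runner.h",
    "tests/sandbox_test_runner_function_pointer.cc",
    "tests/sandbox_test_runner_function_pointer.h",
    "tests/unit_tests.cc",
    "tests/unit_tests.h",
  ]

  deps = [
    "//testing/gtest",
  ]

  # test_utils is left out of the NaCl non-SFI build.
  if (!is_nacl_nonsfi) {
    sources += [
      "tests/test_utils.cc",
      "tests/test_utils.h",
    ]
  }

  # BPF test harness; only built when the seccomp-bpf layer is built.
  if (use_seccomp_bpf || is_nacl_nonsfi) {
    sources += [
      "seccomp-bpf/bpf_tester_compatibility_delegate.h",
      "seccomp-bpf/bpf_tests.h",
      "seccomp-bpf/sandbox_bpf_test_runner.cc",
      "seccomp-bpf/sandbox_bpf_test_runner.h",
    ]
    deps += [ ":seccomp_bpf" ]
  }

  # Must stay in step with the same block in
  # ":sandbox_linux_unittests_sources", which sets the same define.
  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }
}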
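# Sources for sandbox_linux_unittests.
# Each optional sandbox layer contributes its tests under the same flag that
# builds the layer, so a layer that is compiled out is also not tested in
# that configuration.
source_set("sandbox_linux_unittests_sources") {
  testonly = true

  sources = [
    "services/proc_util_unittest.cc",
    "services/resource_limits_unittests.cc",
    "services/scoped_process_unittest.cc",
    "services/syscall_wrappers_unittest.cc",
    "services/thread_helpers_unittests.cc",
    "services/yama_unittests.cc",
    "syscall_broker/broker_file_permission_unittest.cc",
    "syscall_broker/broker_process_unittest.cc",
    "tests/main.cc",
    "tests/scoped_temporary_file.cc",
    "tests/scoped_temporary_file.h",
    "tests/scoped_temporary_file_unittest.cc",
    "tests/test_utils_unittest.cc",
    "tests/unit_tests_unittest.cc",
  ]

  deps = [
    ":sandbox",
    ":sandbox_linux_test_utils",
    "//base",
    "//testing/gtest",
  ]

  if (use_base_test_suite) {
    deps += [ "//base/test:test_support" ]
    defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
  }

  # Setuid sandbox client/host tests.
  if (compile_suid_client) {
    sources += [
      "suid/client/setuid_sandbox_client_unittest.cc",
      "suid/client/setuid_sandbox_host_unittest.cc",
    ]
  }

  # bpf_dsl and seccomp-bpf tests, including the baseline policy and the
  # syscall parameter restriction tests. ":bpf_dsl_golden" generates the
  # golden_files.h header from the golden policy files.
  if (use_seccomp_bpf) {
    sources += [
      "bpf_dsl/bpf_dsl_unittest.cc",
      "bpf_dsl/codegen_unittest.cc",
      "bpf_dsl/cons_unittest.cc",
      "bpf_dsl/dump_bpf.cc",
      "bpf_dsl/dump_bpf.h",
      "bpf_dsl/syscall_set_unittest.cc",
      "bpf_dsl/test_trap_registry.cc",
      "bpf_dsl/test_trap_registry.h",
      "bpf_dsl/test_trap_registry_unittest.cc",
      "bpf_dsl/verifier.cc",
      "bpf_dsl/verifier.h",
      "integration_tests/bpf_dsl_seccomp_unittest.cc",
      "integration_tests/seccomp_broker_process_unittest.cc",
      "seccomp-bpf-helpers/baseline_policy_unittest.cc",
      "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
      "seccomp-bpf/bpf_tests_unittest.cc",
      "seccomp-bpf/sandbox_bpf_unittest.cc",
      "seccomp-bpf/syscall_unittest.cc",
      "seccomp-bpf/trap_unittest.cc",
    ]
    deps += [ ":bpf_dsl_golden" ]
  }

  # Credentials and namespace tests.
  if (compile_credentials) {
    sources += [
      "integration_tests/namespace_unix_domain_socket_unittest.cc",
      "services/credentials_unittest.cc",
      "services/namespace_utils_unittest.cc",
    ]

    if (use_base_test_suite) {
      # Tests that use advanced features not available in stock GTest.
      sources += [ "services/namespace_sandbox_unittest.cc" ]
    }

    # For credentials_unittest.cc
    configs += [ "//build/config/linux:libcap" ]
  }
}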
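# Runs bpf_dsl/golden/generate.py to produce golden_files.h from the golden
# policy text files. The script receives the output path first, followed by
# every input path, all rebased to root_build_dir.
action("bpf_dsl_golden") {
  script = "bpf_dsl/golden/generate.py"

  # NOTE(review): the i386 list has no BooleanLogicPolicy.txt entry while the
  # x86-64 list does. Confirm this is intentional; a golden file that is not
  # listed here cannot end up in the generated header.
  inputs = [
    "bpf_dsl/golden/i386/ArgSizePolicy.txt",
    "bpf_dsl/golden/i386/BasicPolicy.txt",
    "bpf_dsl/golden/i386/ElseIfPolicy.txt",
    "bpf_dsl/golden/i386/MaskingPolicy.txt",
    "bpf_dsl/golden/i386/MoreBooleanLogicPolicy.txt",
    "bpf_dsl/golden/i386/NegativeConstantsPolicy.txt",
    "bpf_dsl/golden/i386/SwitchPolicy.txt",
    "bpf_dsl/golden/x86-64/ArgSizePolicy.txt",
    "bpf_dsl/golden/x86-64/BasicPolicy.txt",
    "bpf_dsl/golden/x86-64/BooleanLogicPolicy.txt",
    "bpf_dsl/golden/x86-64/ElseIfPolicy.txt",
    "bpf_dsl/golden/x86-64/MaskingPolicy.txt",
    "bpf_dsl/golden/x86-64/MoreBooleanLogicPolicy.txt",
    "bpf_dsl/golden/x86-64/NegativeConstantsPolicy.txt",
    "bpf_dsl/golden/x86-64/SwitchPolicy.txt",
  ]
  outputs = [
    "$target_gen_dir/bpf_dsl/golden/golden_files.h",
  ]
  args =
      rebase_path(outputs, root_build_dir) + rebase_path(inputs, root_build_dir)
}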
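# The sandbox unit test binary. All test sources live in
# ":sandbox_linux_unittests_sources".
test("sandbox_linux_unittests") {
  deps = [
    ":sandbox_linux_unittests_sources",
    "//build/config/sanitizers:deps",
  ]
  if (is_android) {
    # NOTE(review): presumably makes the test a plain executable instead of
    # an APK on Android - confirm against //testing/test.gni.
    use_raw_android_executable = true
  }
}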
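# The seccomp-bpf layer: the bpf_dsl policy language and its compiler
# (bpf_dsl/) plus the seccomp-bpf sources (seccomp-bpf/).
component("seccomp_bpf") {
  sources = [
    "bpf_dsl/bpf_dsl.cc",
    "bpf_dsl/bpf_dsl.h",
    "bpf_dsl/bpf_dsl_forward.h",
    "bpf_dsl/bpf_dsl_impl.h",
    "bpf_dsl/codegen.cc",
    "bpf_dsl/codegen.h",
    "bpf_dsl/cons.h",
    "bpf_dsl/errorcode.h",
    "bpf_dsl/linux_syscall_ranges.h",
    "bpf_dsl/policy.cc",
    "bpf_dsl/policy.h",
    "bpf_dsl/policy_compiler.cc",
    "bpf_dsl/policy_compiler.h",
    "bpf_dsl/seccomp_macros.h",
    "bpf_dsl/syscall_set.cc",
    "bpf_dsl/syscall_set.h",
    "bpf_dsl/trap_registry.h",
    "seccomp-bpf/die.cc",
    "seccomp-bpf/die.h",
    "seccomp-bpf/sandbox_bpf.cc",
    "seccomp-bpf/sandbox_bpf.h",
    "seccomp-bpf/syscall.cc",
    "seccomp-bpf/syscall.h",
    "seccomp-bpf/trap.cc",
    "seccomp-bpf/trap.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # The system headers are a public dependency, so targets that depend on
  # this component also get them.
  public_deps = [
    ":sandbox_services_headers",
  ]
  deps = [
    ":sandbox_services",
    "//base",
  ]

  if (is_nacl_nonsfi) {
    # NOTE(review): presumably needed for inline assembly in these sources
    # under the NaCl toolchain - confirm.
    cflags = [ "-fgnu-inline-asm" ]

    # Only header files are dropped from the source list for this build.
    sources -= [
      "bpf_dsl/bpf_dsl_forward.h",
      "bpf_dsl/bpf_dsl_impl.h",
      "bpf_dsl/cons.h",
      "bpf_dsl/errorcode.h",
      "bpf_dsl/linux_syscall_ranges.h",
      "bpf_dsl/seccomp_macros.h",
      "bpf_dsl/trap_registry.h",
    ]
  }
}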
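# Helpers built on top of ":seccomp_bpf": the baseline policy, SIGSYS
# handlers, syscall parameter restrictions and syscall sets.
component("seccomp_bpf_helpers") {
  sources = [
    "seccomp-bpf-helpers/baseline_policy.cc",
    "seccomp-bpf-helpers/baseline_policy.h",
    "seccomp-bpf-helpers/sigsys_handlers.cc",
    "seccomp-bpf-helpers/sigsys_handlers.h",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
    "seccomp-bpf-helpers/syscall_parameters_restrictions.h",
    "seccomp-bpf-helpers/syscall_sets.cc",
    "seccomp-bpf-helpers/syscall_sets.h",
  ]
  defines = [ "SANDBOX_IMPLEMENTATION" ]

  deps = [
    ":sandbox_services",
    ":seccomp_bpf",
    "//base",
  ]

  if (is_nacl_nonsfi) {
    # The NaCl non-SFI build keeps only the SIGSYS handlers and the syscall
    # parameter restrictions; the baseline policy and the syscall sets are
    # not compiled, so that build cannot use the baseline policy from this
    # target.
    sources -= [
      "seccomp-bpf-helpers/baseline_policy.cc",
      "seccomp-bpf-helpers/baseline_policy.h",
      "seccomp-bpf-helpers/syscall_sets.cc",
      "seccomp-bpf-helpers/syscall_sets.h",
    ]
    configs += [ ":nacl_nonsfi_warnings" ]
  }
}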
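if (is_linux) {
  # The setuid sandbox for Linux.
  # This binary is the setuid helper, so every flag below that relaxes a
  # check or changes how libraries are located deserves extra review.
  executable("chrome_sandbox") {
    sources = [
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
      "suid/process_util.h",
      "suid/process_util_linux.c",
      "suid/sandbox.c",
    ]

    cflags = [
      # For ULLONG_MAX
      "-std=gnu99",

      # These files have a suspicious comparison.
      # TODO fix this and re-enable this warning.
      # NOTE(review): signed/unsigned comparisons in a setuid program are
      # worth fixing rather than silencing; keep this TODO tracked.
      "-Wno-sign-compare",
    ]

    import("//build/config/compiler/compiler.gni")
    import("//build/config/sanitizers/sanitizers.gni")
    if (is_component_build || using_sanitizer) {
      # WARNING! We remove this config so that we don't accidentally
      # pick up the //build/config:rpath_for_built_shared_libraries
      # sub-config. However, this means that we need to duplicate any
      # other flags that executable_config might have.
      # NOTE(review): nothing here checks that the duplicated flags stay in
      # step with executable_config, so hardening flags added there later
      # would be missing from this binary in these build modes - verify when
      # executable_config changes.
      configs -= [ "//build/config:executable_config" ]
      if (!use_gold) {
        # --disable-new-dtags makes the linker emit DT_RPATH instead of
        # DT_RUNPATH.
        ldflags = [ "-Wl,--disable-new-dtags" ]
      }
    }

    # We also do not want to pick up any of the other sanitizer
    # flags (i.e. we do not want to build w/ the sanitizers at all).
    # This is safe to delete unconditionally, because it is part of the
    # default configs and empty when not using the sanitizers.
    # Consequence: sanitizer builds do not instrument the setuid helper, so
    # its C sources get no sanitizer coverage from them.
    configs -= [ "//build/config/sanitizers:default_sanitizer_flags" ]
  }
}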
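# Core sandbox services: process and thread helpers, resource limits,
# syscall wrappers, Yama support and the syscall broker. The credentials and
# namespace sandbox sources are added when enabled.
component("sandbox_services") {
  sources = [
    "services/init_process_reaper.cc",
    "services/init_process_reaper.h",
    "services/proc_util.cc",
    "services/proc_util.h",
    "services/resource_limits.cc",
    "services/resource_limits.h",
    "services/scoped_process.cc",
    "services/scoped_process.h",
    "services/syscall_wrappers.cc",
    "services/syscall_wrappers.h",
    "services/thread_helpers.cc",
    "services/thread_helpers.h",
    "services/yama.cc",
    "services/yama.h",
    "syscall_broker/broker_channel.cc",
    "syscall_broker/broker_channel.h",
    "syscall_broker/broker_client.cc",
    "syscall_broker/broker_client.h",
    "syscall_broker/broker_common.h",
    "syscall_broker/broker_file_permission.cc",
    "syscall_broker/broker_file_permission.h",
    "syscall_broker/broker_host.cc",
    "syscall_broker/broker_host.h",
    "syscall_broker/broker_policy.cc",
    "syscall_broker/broker_policy.h",
    "syscall_broker/broker_process.cc",
    "syscall_broker/broker_process.h",
  ]

  defines = [ "SANDBOX_IMPLEMENTATION" ]

  # Starts empty so that the conditional block below can append to it.
  public_deps = []
  deps = [
    "//base",
  ]

  # Credentials and namespace sandbox sources.
  if (compile_credentials || is_nacl_nonsfi) {
    sources += [
      "services/credentials.cc",
      "services/credentials.h",
      "services/namespace_sandbox.cc",
      "services/namespace_sandbox.h",
      "services/namespace_utils.cc",
      "services/namespace_utils.h",
    ]

    public_deps += [ ":sandbox_services_headers" ]
  }

  if (is_nacl_nonsfi) {
    # NOTE(review): presumably needed for inline assembly in these sources
    # under the NaCl toolchain - confirm.
    cflags = [ "-fgnu-inline-asm" ]

    # The NaCl non-SFI build has no init process reaper, scoped process,
    # Yama support or syscall broker: all of their sources are removed here.
    sources -= [
      "services/init_process_reaper.cc",
      "services/init_process_reaper.h",
      "services/scoped_process.cc",
      "services/scoped_process.h",
      "services/yama.cc",
      "services/yama.h",
      "syscall_broker/broker_channel.cc",
      "syscall_broker/broker_channel.h",
      "syscall_broker/broker_client.cc",
      "syscall_broker/broker_client.h",
      "syscall_broker/broker_common.h",
      "syscall_broker/broker_file_permission.cc",
      "syscall_broker/broker_file_permission.h",
      "syscall_broker/broker_host.cc",
      "syscall_broker/broker_host.h",
      "syscall_broker/broker_policy.cc",
      "syscall_broker/broker_policy.h",
      "syscall_broker/broker_process.cc",
      "syscall_broker/broker_process.h",
    ]
  }
}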
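# Header-only target holding the per-architecture syscall and ucontext
# headers and the Linux futex, seccomp, signal and time headers kept under
# system_headers/.
source_set("sandbox_services_headers") {
  sources = [
    "system_headers/arm64_linux_syscalls.h",
    "system_headers/arm64_linux_ucontext.h",
    "system_headers/arm_linux_syscalls.h",
    "system_headers/arm_linux_ucontext.h",
    "system_headers/i386_linux_ucontext.h",
    "system_headers/linux_futex.h",
    "system_headers/linux_seccomp.h",
    "system_headers/linux_signal.h",
    "system_headers/linux_syscalls.h",
    "system_headers/linux_time.h",
    "system_headers/linux_ucontext.h",
    "system_headers/x86_32_linux_syscalls.h",
    "system_headers/x86_64_linux_syscalls.h",
  ]
}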
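if (compile_suid_client || is_nacl_nonsfi) {
  # Client and host code for the setuid sandbox.
  component("suid_sandbox_client") {
    sources = [
      "suid/client/setuid_sandbox_client.cc",
      "suid/client/setuid_sandbox_client.h",
      "suid/client/setuid_sandbox_host.cc",
      "suid/client/setuid_sandbox_host.h",
      "suid/common/sandbox.h",
      "suid/common/suid_unsafe_environment_variables.h",
    ]
    defines = [ "SANDBOX_IMPLEMENTATION" ]

    deps = [
      ":sandbox_services",
      "//base",
    ]

    if (is_nacl_nonsfi) {
      # The NaCl non-SFI build keeps only the client side; the host sources
      # and the shared suid/common headers are removed.
      sources -= [
        "suid/client/setuid_sandbox_host.cc",
        "suid/client/setuid_sandbox_host.h",
        "suid/common/sandbox.h",
        "suid/common/suid_unsafe_environment_variables.h",
      ]
    }
  }
}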
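if (is_android) {
  # TODO(GYP_GONE) Delete this after we've converted everything to GN.
  # Test-only alias group that forwards to ":sandbox_linux_unittests".
  group("sandbox_linux_unittests_deps") {
    testonly = true
    deps = [
      ":sandbox_linux_unittests",
    ]
  }
}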