| # Copyright 2014 The Chromium Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| import("//build/config/features.gni") |
| import("//testing/test.gni") |
| |
| declare_args() { |
| compile_suid_client = is_linux |
| |
| compile_credentials = is_linux |
| |
| # On Android, use plain GTest. |
| use_base_test_suite = is_linux |
| } |
| |
| # We have two principal targets: sandbox and sandbox_linux_unittests |
| # All other targets are listed as dependencies. |
| # There is one notable exception: for historical reasons, chrome_sandbox is |
| # the setuid sandbox and is its own target. |
| |
| group("sandbox") { |
| deps = [ |
| ":sandbox_services", |
| ] |
| |
| if (compile_suid_client) { |
| deps += [ ":suid_sandbox_client" ] |
| } |
| if (use_seccomp_bpf) { |
| deps += [ |
| ":seccomp_bpf", |
| ":seccomp_bpf_helpers", |
| ] |
| } |
| } |
| |
| source_set("sandbox_linux_test_utils") { |
| testonly = true |
| sources = [ |
| "tests/sandbox_test_runner.cc", |
| "tests/sandbox_test_runner.h", |
| "tests/sandbox_test_runner_function_pointer.cc", |
| "tests/sandbox_test_runner_function_pointer.h", |
| "tests/test_utils.cc", |
| "tests/test_utils.h", |
| "tests/unit_tests.cc", |
| "tests/unit_tests.h", |
| ] |
| |
| deps = [ |
| "//testing/gtest", |
| ] |
| |
| if (use_seccomp_bpf) { |
| sources += [ |
| "seccomp-bpf/bpf_tester_compatibility_delegate.h", |
| "seccomp-bpf/bpf_tests.h", |
| "seccomp-bpf/sandbox_bpf_test_runner.cc", |
| "seccomp-bpf/sandbox_bpf_test_runner.h", |
| ] |
| deps += [ ":seccomp_bpf" ] |
| } |
| |
| if (use_base_test_suite) { |
| deps += [ "//base/test:test_support" ] |
| defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ] |
| } |
| } |
| |
| # Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests. |
| source_set("sandbox_linux_unittests_sources") { |
| testonly = true |
| |
| sources = [ |
| "services/proc_util_unittest.cc", |
| "services/resource_limits_unittests.cc", |
| "services/scoped_process_unittest.cc", |
| "services/syscall_wrappers_unittest.cc", |
| "services/thread_helpers_unittests.cc", |
| "services/yama_unittests.cc", |
| "syscall_broker/broker_file_permission_unittest.cc", |
| "syscall_broker/broker_process_unittest.cc", |
| "tests/main.cc", |
| "tests/scoped_temporary_file.cc", |
| "tests/scoped_temporary_file.h", |
| "tests/scoped_temporary_file_unittest.cc", |
| "tests/test_utils_unittest.cc", |
| "tests/unit_tests_unittest.cc", |
| ] |
| |
| deps = [ |
| ":sandbox", |
| ":sandbox_linux_test_utils", |
| "//base", |
| "//testing/gtest", |
| ] |
| |
| if (use_base_test_suite) { |
| deps += [ "//base/test:test_support" ] |
| defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ] |
| } |
| |
| if (is_linux) { |
| # Don't use this on Android. |
| libs = [ "rt" ] |
| } |
| |
| if (compile_suid_client) { |
| sources += [ |
| "suid/client/setuid_sandbox_client_unittest.cc", |
| "suid/client/setuid_sandbox_host_unittest.cc", |
| ] |
| } |
| if (use_seccomp_bpf) { |
| sources += [ |
| "bpf_dsl/bpf_dsl_unittest.cc", |
| "bpf_dsl/codegen_unittest.cc", |
| "bpf_dsl/cons_unittest.cc", |
| "bpf_dsl/syscall_set_unittest.cc", |
| "integration_tests/bpf_dsl_seccomp_unittest.cc", |
| "integration_tests/seccomp_broker_process_unittest.cc", |
| "seccomp-bpf-helpers/baseline_policy_unittest.cc", |
| "seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc", |
| "seccomp-bpf/bpf_tests_unittest.cc", |
| "seccomp-bpf/errorcode_unittest.cc", |
| "seccomp-bpf/sandbox_bpf_unittest.cc", |
| "seccomp-bpf/syscall_unittest.cc", |
| "seccomp-bpf/trap_unittest.cc", |
| ] |
| } |
| if (compile_credentials) { |
| sources += [ |
| "integration_tests/namespace_unix_domain_socket_unittest.cc", |
| "services/credentials_unittest.cc", |
| "services/namespace_utils_unittest.cc", |
| ] |
| |
| if (use_base_test_suite) { |
| # Tests that use advanced features not available in stock GTest. |
| sources += [ "services/namespace_sandbox_unittest.cc" ] |
| } |
| |
| # For credentials_unittest.cc |
| configs += [ "//build/config/linux:libcap" ] |
| } |
| } |
| |
| # The main sandboxing test target. |
| test("sandbox_linux_unittests") { |
| deps = [ |
| ":sandbox_linux_unittests_sources", |
| ] |
| } |
| |
| # This target is the shared library used by Android APK (i.e. |
| # JNI-friendly) tests. |
| shared_library("sandbox_linux_jni_unittests") { |
| testonly = true |
| deps = [ |
| ":sandbox_linux_unittests_sources", |
| ] |
| if (is_android) { |
| deps += [ "//testing/android/native_test:native_test_native_code" ] |
| } |
| } |
| |
| component("seccomp_bpf") { |
| sources = [ |
| "bpf_dsl/bpf_dsl.cc", |
| "bpf_dsl/bpf_dsl.h", |
| "bpf_dsl/bpf_dsl_forward.h", |
| "bpf_dsl/bpf_dsl_impl.h", |
| "bpf_dsl/codegen.cc", |
| "bpf_dsl/codegen.h", |
| "bpf_dsl/cons.h", |
| "bpf_dsl/dump_bpf.cc", |
| "bpf_dsl/dump_bpf.h", |
| "bpf_dsl/linux_syscall_ranges.h", |
| "bpf_dsl/policy.cc", |
| "bpf_dsl/policy.h", |
| "bpf_dsl/policy_compiler.cc", |
| "bpf_dsl/policy_compiler.h", |
| "bpf_dsl/seccomp_macros.h", |
| "bpf_dsl/syscall_set.cc", |
| "bpf_dsl/syscall_set.h", |
| "bpf_dsl/trap_registry.h", |
| "bpf_dsl/verifier.cc", |
| "bpf_dsl/verifier.h", |
| "seccomp-bpf/die.cc", |
| "seccomp-bpf/die.h", |
| "seccomp-bpf/errorcode.cc", |
| "seccomp-bpf/errorcode.h", |
| "seccomp-bpf/sandbox_bpf.cc", |
| "seccomp-bpf/sandbox_bpf.h", |
| "seccomp-bpf/syscall.cc", |
| "seccomp-bpf/syscall.h", |
| "seccomp-bpf/trap.cc", |
| "seccomp-bpf/trap.h", |
| ] |
| defines = [ "SANDBOX_IMPLEMENTATION" ] |
| |
| deps = [ |
| ":sandbox_services", |
| ":sandbox_services_headers", |
| "//base", |
| ] |
| } |
| |
| component("seccomp_bpf_helpers") { |
| sources = [ |
| "seccomp-bpf-helpers/baseline_policy.cc", |
| "seccomp-bpf-helpers/baseline_policy.h", |
| "seccomp-bpf-helpers/sigsys_handlers.cc", |
| "seccomp-bpf-helpers/sigsys_handlers.h", |
| "seccomp-bpf-helpers/syscall_parameters_restrictions.cc", |
| "seccomp-bpf-helpers/syscall_parameters_restrictions.h", |
| "seccomp-bpf-helpers/syscall_sets.cc", |
| "seccomp-bpf-helpers/syscall_sets.h", |
| ] |
| defines = [ "SANDBOX_IMPLEMENTATION" ] |
| |
| deps = [ |
| "//base", |
| ":sandbox_services", |
| ":seccomp_bpf", |
| ] |
| } |
| |
| if (is_linux) { |
| # The setuid sandbox for Linux. |
| executable("chrome_sandbox") { |
| sources = [ |
| "suid/common/sandbox.h", |
| "suid/common/suid_unsafe_environment_variables.h", |
| "suid/process_util.h", |
| "suid/process_util_linux.c", |
| "suid/sandbox.c", |
| ] |
| |
| cflags = [ |
| # For ULLONG_MAX |
| "-std=gnu99", |
| |
| # These files have a suspicious comparison. |
| # TODO fix this and re-enable this warning. |
| "-Wno-sign-compare", |
| ] |
| } |
| } |
| |
| component("sandbox_services") { |
| sources = [ |
| "services/init_process_reaper.cc", |
| "services/init_process_reaper.h", |
| "services/proc_util.cc", |
| "services/proc_util.h", |
| "services/resource_limits.cc", |
| "services/resource_limits.h", |
| "services/scoped_process.cc", |
| "services/scoped_process.h", |
| "services/syscall_wrappers.cc", |
| "services/syscall_wrappers.h", |
| "services/thread_helpers.cc", |
| "services/thread_helpers.h", |
| "services/yama.cc", |
| "services/yama.h", |
| "syscall_broker/broker_channel.cc", |
| "syscall_broker/broker_channel.h", |
| "syscall_broker/broker_client.cc", |
| "syscall_broker/broker_client.h", |
| "syscall_broker/broker_common.h", |
| "syscall_broker/broker_file_permission.cc", |
| "syscall_broker/broker_file_permission.h", |
| "syscall_broker/broker_host.cc", |
| "syscall_broker/broker_host.h", |
| "syscall_broker/broker_policy.cc", |
| "syscall_broker/broker_policy.h", |
| "syscall_broker/broker_process.cc", |
| "syscall_broker/broker_process.h", |
| ] |
| |
| defines = [ "SANDBOX_IMPLEMENTATION" ] |
| |
| deps = [ |
| "//base", |
| ] |
| |
| if (compile_credentials) { |
| sources += [ |
| "services/credentials.cc", |
| "services/credentials.h", |
| "services/namespace_sandbox.cc", |
| "services/namespace_sandbox.h", |
| "services/namespace_utils.cc", |
| "services/namespace_utils.h", |
| ] |
| |
| deps += [ ":sandbox_services_headers" ] |
| } |
| } |
| |
| source_set("sandbox_services_headers") { |
| sources = [ |
| "system_headers/arm64_linux_syscalls.h", |
| "system_headers/arm64_linux_ucontext.h", |
| "system_headers/arm_linux_syscalls.h", |
| "system_headers/arm_linux_ucontext.h", |
| "system_headers/i386_linux_ucontext.h", |
| "system_headers/linux_futex.h", |
| "system_headers/linux_seccomp.h", |
| "system_headers/linux_signal.h", |
| "system_headers/linux_syscalls.h", |
| "system_headers/linux_time.h", |
| "system_headers/linux_ucontext.h", |
| "system_headers/x86_32_linux_syscalls.h", |
| "system_headers/x86_64_linux_syscalls.h", |
| ] |
| } |
| |
| # We make this its own target so that it does not interfere with our tests. |
| source_set("libc_urandom_override") { |
| sources = [ |
| "services/libc_urandom_override.cc", |
| "services/libc_urandom_override.h", |
| ] |
| deps = [ |
| "//base", |
| ] |
| } |
| |
| if (compile_suid_client) { |
| component("suid_sandbox_client") { |
| sources = [ |
| "suid/client/setuid_sandbox_client.cc", |
| "suid/client/setuid_sandbox_client.h", |
| "suid/client/setuid_sandbox_host.cc", |
| "suid/client/setuid_sandbox_host.h", |
| "suid/common/sandbox.h", |
| "suid/common/suid_unsafe_environment_variables.h", |
| ] |
| defines = [ "SANDBOX_IMPLEMENTATION" ] |
| |
| deps = [ |
| ":sandbox_services", |
| "//base", |
| ] |
| } |
| } |
| |
| if (is_android) { |
| # TODO(GYP) enable this. Needs an android_strip wrapper python script. |
| #action("sandbox_linux_unittests_stripped") { |
| # script = "android_stip.py" |
| # |
| # in_file = "$root_out_dir/sandbox_linux_unittests" |
| # |
| # out_file = "$root_out_dir/sandbox_linux_unittests_stripped" |
| # outputs = [ out_file ] |
| # |
| # args = [ |
| # rebase_path(in_file, root_build_dir), |
| # "-o", rebase_path(out_file, root_build_dir), |
| # ] |
| # |
| # deps = [ |
| # ":sandbox_linux_unittests", |
| # ] |
| #} |
| # TODO(GYP) convert this. |
| # { |
| # 'target_name': 'sandbox_linux_jni_unittests_apk', |
| # 'type': 'none', |
| # 'variables': { |
| # 'test_suite_name': 'sandbox_linux_jni_unittests', |
| # }, |
| # 'dependencies': [ |
| # 'sandbox_linux_jni_unittests', |
| # ], |
| # 'includes': [ '../../build/apk_test.gypi' ], |
| # } |
| } |