blob: a1a77204f5f370a1a0c65c19a32b084e7e541b28 [file] [log] [blame]
# Copyright 2014 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import("//build/config/features.gni")
import("//testing/test.gni")
declare_args() {
compile_suid_client = is_linux
compile_credentials = is_linux
# On Android, use plain GTest.
use_base_test_suite = is_linux
}
# We have two principal targets: sandbox and sandbox_linux_unittests
# All other targets are listed as dependencies.
# There is one notable exception: for historical reasons, chrome_sandbox is
# the setuid sandbox and is its own target.
group("sandbox") {
deps = [
":sandbox_services",
]
if (compile_suid_client) {
deps += [ ":suid_sandbox_client" ]
}
if (use_seccomp_bpf) {
deps += [
":seccomp_bpf",
":seccomp_bpf_helpers",
]
}
}
source_set("sandbox_linux_test_utils") {
testonly = true
sources = [
"tests/sandbox_test_runner.cc",
"tests/sandbox_test_runner.h",
"tests/sandbox_test_runner_function_pointer.cc",
"tests/sandbox_test_runner_function_pointer.h",
"tests/test_utils.cc",
"tests/test_utils.h",
"tests/unit_tests.cc",
"tests/unit_tests.h",
]
deps = [
"//testing/gtest",
]
if (use_seccomp_bpf) {
sources += [
"seccomp-bpf/bpf_tester_compatibility_delegate.h",
"seccomp-bpf/bpf_tests.h",
"seccomp-bpf/sandbox_bpf_test_runner.cc",
"seccomp-bpf/sandbox_bpf_test_runner.h",
]
deps += [ ":seccomp_bpf" ]
}
if (use_base_test_suite) {
deps += [ "//base/test:test_support" ]
defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
}
}
# Sources shared by sandbox_linux_unittests and sandbox_linux_jni_unittests.
source_set("sandbox_linux_unittests_sources") {
testonly = true
sources = [
"services/proc_util_unittest.cc",
"services/resource_limits_unittests.cc",
"services/scoped_process_unittest.cc",
"services/syscall_wrappers_unittest.cc",
"services/thread_helpers_unittests.cc",
"services/yama_unittests.cc",
"syscall_broker/broker_file_permission_unittest.cc",
"syscall_broker/broker_process_unittest.cc",
"tests/main.cc",
"tests/scoped_temporary_file.cc",
"tests/scoped_temporary_file.h",
"tests/scoped_temporary_file_unittest.cc",
"tests/test_utils_unittest.cc",
"tests/unit_tests_unittest.cc",
]
deps = [
":sandbox",
":sandbox_linux_test_utils",
"//base",
"//testing/gtest",
]
if (use_base_test_suite) {
deps += [ "//base/test:test_support" ]
defines = [ "SANDBOX_USES_BASE_TEST_SUITE" ]
}
if (is_linux) {
# Don't use this on Android.
libs = [ "rt" ]
}
if (compile_suid_client) {
sources += [
"suid/client/setuid_sandbox_client_unittest.cc",
"suid/client/setuid_sandbox_host_unittest.cc",
]
}
if (use_seccomp_bpf) {
sources += [
"bpf_dsl/bpf_dsl_unittest.cc",
"bpf_dsl/codegen_unittest.cc",
"bpf_dsl/cons_unittest.cc",
"bpf_dsl/syscall_set_unittest.cc",
"integration_tests/bpf_dsl_seccomp_unittest.cc",
"integration_tests/seccomp_broker_process_unittest.cc",
"seccomp-bpf-helpers/baseline_policy_unittest.cc",
"seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc",
"seccomp-bpf/bpf_tests_unittest.cc",
"seccomp-bpf/errorcode_unittest.cc",
"seccomp-bpf/sandbox_bpf_unittest.cc",
"seccomp-bpf/syscall_unittest.cc",
"seccomp-bpf/trap_unittest.cc",
]
}
if (compile_credentials) {
sources += [
"integration_tests/namespace_unix_domain_socket_unittest.cc",
"services/credentials_unittest.cc",
"services/namespace_utils_unittest.cc",
]
if (use_base_test_suite) {
# Tests that use advanced features not available in stock GTest.
sources += [ "services/namespace_sandbox_unittest.cc" ]
}
# For credentials_unittest.cc
configs += [ "//build/config/linux:libcap" ]
}
}
# The main sandboxing test target.
test("sandbox_linux_unittests") {
deps = [
":sandbox_linux_unittests_sources",
]
}
# This target is the shared library used by Android APK (i.e.
# JNI-friendly) tests.
shared_library("sandbox_linux_jni_unittests") {
testonly = true
deps = [
":sandbox_linux_unittests_sources",
]
if (is_android) {
deps += [ "//testing/android/native_test:native_test_native_code" ]
}
}
component("seccomp_bpf") {
sources = [
"bpf_dsl/bpf_dsl.cc",
"bpf_dsl/bpf_dsl.h",
"bpf_dsl/bpf_dsl_forward.h",
"bpf_dsl/bpf_dsl_impl.h",
"bpf_dsl/codegen.cc",
"bpf_dsl/codegen.h",
"bpf_dsl/cons.h",
"bpf_dsl/dump_bpf.cc",
"bpf_dsl/dump_bpf.h",
"bpf_dsl/linux_syscall_ranges.h",
"bpf_dsl/policy.cc",
"bpf_dsl/policy.h",
"bpf_dsl/policy_compiler.cc",
"bpf_dsl/policy_compiler.h",
"bpf_dsl/seccomp_macros.h",
"bpf_dsl/syscall_set.cc",
"bpf_dsl/syscall_set.h",
"bpf_dsl/trap_registry.h",
"bpf_dsl/verifier.cc",
"bpf_dsl/verifier.h",
"seccomp-bpf/die.cc",
"seccomp-bpf/die.h",
"seccomp-bpf/errorcode.cc",
"seccomp-bpf/errorcode.h",
"seccomp-bpf/sandbox_bpf.cc",
"seccomp-bpf/sandbox_bpf.h",
"seccomp-bpf/syscall.cc",
"seccomp-bpf/syscall.h",
"seccomp-bpf/trap.cc",
"seccomp-bpf/trap.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
":sandbox_services",
":sandbox_services_headers",
"//base",
]
}
component("seccomp_bpf_helpers") {
sources = [
"seccomp-bpf-helpers/baseline_policy.cc",
"seccomp-bpf-helpers/baseline_policy.h",
"seccomp-bpf-helpers/sigsys_handlers.cc",
"seccomp-bpf-helpers/sigsys_handlers.h",
"seccomp-bpf-helpers/syscall_parameters_restrictions.cc",
"seccomp-bpf-helpers/syscall_parameters_restrictions.h",
"seccomp-bpf-helpers/syscall_sets.cc",
"seccomp-bpf-helpers/syscall_sets.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
"//base",
":sandbox_services",
":seccomp_bpf",
]
}
if (is_linux) {
# The setuid sandbox for Linux.
executable("chrome_sandbox") {
sources = [
"suid/common/sandbox.h",
"suid/common/suid_unsafe_environment_variables.h",
"suid/process_util.h",
"suid/process_util_linux.c",
"suid/sandbox.c",
]
cflags = [
# For ULLONG_MAX
"-std=gnu99",
# These files have a suspicious comparison.
# TODO fix this and re-enable this warning.
"-Wno-sign-compare",
]
}
}
component("sandbox_services") {
sources = [
"services/init_process_reaper.cc",
"services/init_process_reaper.h",
"services/proc_util.cc",
"services/proc_util.h",
"services/resource_limits.cc",
"services/resource_limits.h",
"services/scoped_process.cc",
"services/scoped_process.h",
"services/syscall_wrappers.cc",
"services/syscall_wrappers.h",
"services/thread_helpers.cc",
"services/thread_helpers.h",
"services/yama.cc",
"services/yama.h",
"syscall_broker/broker_channel.cc",
"syscall_broker/broker_channel.h",
"syscall_broker/broker_client.cc",
"syscall_broker/broker_client.h",
"syscall_broker/broker_common.h",
"syscall_broker/broker_file_permission.cc",
"syscall_broker/broker_file_permission.h",
"syscall_broker/broker_host.cc",
"syscall_broker/broker_host.h",
"syscall_broker/broker_policy.cc",
"syscall_broker/broker_policy.h",
"syscall_broker/broker_process.cc",
"syscall_broker/broker_process.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
"//base",
]
if (compile_credentials) {
sources += [
"services/credentials.cc",
"services/credentials.h",
"services/namespace_sandbox.cc",
"services/namespace_sandbox.h",
"services/namespace_utils.cc",
"services/namespace_utils.h",
]
deps += [ ":sandbox_services_headers" ]
}
}
source_set("sandbox_services_headers") {
sources = [
"system_headers/arm64_linux_syscalls.h",
"system_headers/arm64_linux_ucontext.h",
"system_headers/arm_linux_syscalls.h",
"system_headers/arm_linux_ucontext.h",
"system_headers/i386_linux_ucontext.h",
"system_headers/linux_futex.h",
"system_headers/linux_seccomp.h",
"system_headers/linux_signal.h",
"system_headers/linux_syscalls.h",
"system_headers/linux_time.h",
"system_headers/linux_ucontext.h",
"system_headers/x86_32_linux_syscalls.h",
"system_headers/x86_64_linux_syscalls.h",
]
}
# We make this its own target so that it does not interfere with our tests.
source_set("libc_urandom_override") {
sources = [
"services/libc_urandom_override.cc",
"services/libc_urandom_override.h",
]
deps = [
"//base",
]
}
if (compile_suid_client) {
component("suid_sandbox_client") {
sources = [
"suid/client/setuid_sandbox_client.cc",
"suid/client/setuid_sandbox_client.h",
"suid/client/setuid_sandbox_host.cc",
"suid/client/setuid_sandbox_host.h",
"suid/common/sandbox.h",
"suid/common/suid_unsafe_environment_variables.h",
]
defines = [ "SANDBOX_IMPLEMENTATION" ]
deps = [
":sandbox_services",
"//base",
]
}
}
if (is_android) {
# TODO(GYP) enable this. Needs an android_strip wrapper python script.
#action("sandbox_linux_unittests_stripped") {
# script = "android_stip.py"
#
# in_file = "$root_out_dir/sandbox_linux_unittests"
#
# out_file = "$root_out_dir/sandbox_linux_unittests_stripped"
# outputs = [ out_file ]
#
# args = [
# rebase_path(in_file, root_build_dir),
# "-o", rebase_path(out_file, root_build_dir),
# ]
#
# deps = [
# ":sandbox_linux_unittests",
# ]
#}
# TODO(GYP) convert this.
# {
# 'target_name': 'sandbox_linux_jni_unittests_apk',
# 'type': 'none',
# 'variables': {
# 'test_suite_name': 'sandbox_linux_jni_unittests',
# },
# 'dependencies': [
# 'sandbox_linux_jni_unittests',
# ],
# 'includes': [ '../../build/apk_test.gypi' ],
# }
}