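# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import("//build/config/python.gni")
import("//build/ohos.gni")

# Builds a seccomp filter shared library from *.seccomp.policy sources.
#
# The template produces <filtername>_filter (installed under the "seccomp"
# directory) by:
#   1. preprocessing gen_syscall_name_nrs.c against the kernel UAPI headers of
#      each supported architecture, so the generator can resolve syscall names
#      to per-architecture numbers;
#   2. running generate_code_from_policy.py over the invoker's policy files,
#      the fixed per-process-type blocklist and the privileged-process list,
#      producing <filtername>_filter.c;
#   3. compiling that file into a CFI-protected shared library.
#
# Invoker variables:
#   sources      (required) policy files for this filter.
#   filtername   (required) filter name; becomes the library base name and is
#                passed to the generator as --filter-name.
#   process_type (required) "app" or "system"; selects which blocklist policy
#                is applied and whether the system uid filter is added.
#   uid_is_root  (optional, default false) set to true for system services
#                that run as root; see the system_uid_filter handling below.
#   include_dirs, install_enable, part_name, subsystem_name, install_images
#                (optional) forwarded unchanged to the ohos_shared_library.
#
# When build_seccomp is false the target is an empty group, so dependents do
# not need to guard their deps on the feature flag.
template("ohos_prebuilt_seccomp") {
  if (!build_seccomp) {
    group(target_name) {
      # Consume every invoker variable so GN's unused-variable check does not
      # fire when the seccomp feature is disabled.
      not_needed(invoker, "*")
    }
  } else {
    # Error messages name the variable that is actually missing.
    assert(defined(invoker.sources),
           "sources must be defined for ${target_name}.")
    assert(defined(invoker.filtername),
           "filtername must be defined for ${target_name}.")
    assert(
        defined(invoker.process_type) &&
            (invoker.process_type == "app" || invoker.process_type == "system"),
        "process_type must be defined for ${target_name}, and the type must be app or system")

    _seccomp_filter_target = "gen_${target_name}"
    _output_name = "${invoker.filtername}_filter"
    _seccomp_filter_file = target_gen_dir + "/${_output_name}.c"
    _seccomp_module_dir = "//base/startup/init/services/modules/seccomp"
    _policy_dir = "${_seccomp_module_dir}/seccomp_policy"

    # Both policy inputs are fixed project paths keyed only by process_type;
    # a caller cannot point the generator at a different blocklist or
    # privileged-process list through the template arguments.
    _blocklist_file_name =
        "${_policy_dir}/${invoker.process_type}.blocklist.seccomp.policy"
    _key_process_file_name = "${_policy_dir}/privileged_process.seccomp.policy"

    # Syscall numbers differ per architecture, so gen_syscall_name_nrs.c is
    # preprocessed once per architecture against the matching kernel UAPI
    # headers. "-dD -E" emits the preprocessed source with its #define lines
    # retained; "-nostdinc" keeps host headers out of the include search.
    _syscall_to_nr_archs = [
      {
        arch = "arm"
        asm_include = "asm-arm"
      },
      {
        arch = "arm64"
        asm_include = "asm-arm64"
      },
      {
        # The riscv64 UAPI headers are shipped under asm-riscv.
        arch = "riscv64"
        asm_include = "asm-riscv"
      },
    ]
    _kernel_include_dir =
        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"
    _syscall_to_nr_deps = []
    _syscall_to_nr_outputs = []

    # One action per architecture; the target names and output directories
    # match the previous hand-written actions (<target>_syscall_to_nr_<arch>).
    foreach(_entry, _syscall_to_nr_archs) {
      _action_name = "${target_name}_syscall_to_nr_${_entry.arch}"
      action(_action_name) {
        script = "${clang_base_path}/bin/clang"
        output_dir = target_gen_dir +
                     "/${_seccomp_filter_target}/libsyscall_to_nr_${_entry.arch}"
        args = [
          "-I",
          rebase_path("${_kernel_include_dir}/${_entry.asm_include}"),
          "-I",
          rebase_path(_kernel_include_dir),
          "-dD",
          "-E",
          "-Wall",
          "-nostdinc",
          "-o",
          rebase_path(output_dir),
          rebase_path("${_seccomp_module_dir}/gen_syscall_name_nrs.c"),
        ]
        outputs = [ output_dir ]
      }
      _syscall_to_nr_deps += [ ":${_action_name}" ]
      _syscall_to_nr_outputs += get_target_outputs(":${_action_name}")
    }

    action(_seccomp_filter_target) {
      script = "${_seccomp_module_dir}/scripts/generate_code_from_policy.py"

      # The generator reads the caller's policy files followed by the
      # per-architecture syscall-number tables produced above (arm, arm64,
      # riscv64, in that order).
      sources = invoker.sources + _syscall_to_nr_outputs

      uid_is_root = false
      if (defined(invoker.uid_is_root)) {
        uid_is_root = invoker.uid_is_root
      }

      # Non-root system services, other than the app and web spawners, also
      # get the shared system uid filter policy as a generator input. Setting
      # uid_is_root = true drops that policy from the inputs, so the flag
      # deserves review on every new user. What the policy permits or blocks
      # is defined in the .policy file itself, not here.
      if (invoker.process_type == "system" &&
          invoker.filtername != "appspawn" &&
          invoker.filtername != "nwebspawn" && !uid_is_root) {
        sources += [ "${_policy_dir}/system_uid_filter.seccomp.policy" ]
      }

      deps = _syscall_to_nr_deps

      # Only the "root" build variant asks the generator for a debug filter.
      # How --is-debug changes the generated filter is decided by the script,
      # not here; presumably it loosens or instruments the filter, so treat
      # "root" variant output as unsuitable for release images — confirm
      # against generate_code_from_policy.py.
      seccomp_is_debug = "false"
      if (build_variant == "root") {
        seccomp_is_debug = "true"
      }

      args = []
      foreach(source, sources) {
        args += [
          "--src-files",
          rebase_path(source),
        ]
      }
      args += [
        "--blocklist-file",
        rebase_path(_blocklist_file_name),
        "--dst-file",
        rebase_path(_seccomp_filter_file),
        "--filter-name",
        invoker.filtername,

        # NOTE(review): read through the invoker scope, so a caller that sets
        # target_cpu in its target block overrides it; otherwise this is
        # expected to resolve to the global build argument — confirm.
        "--target-cpu",
        invoker.target_cpu,
        "--keyprocess-file",
        rebase_path(_key_process_file_name),
        "--is-debug",
        seccomp_is_debug,
      ]

      outputs = [ _seccomp_filter_file ]
    }

    ohos_shared_library(target_name) {
      output_name = _output_name
      deps = [ ":${_seccomp_filter_target}" ]
      sources = get_target_outputs(":${_seccomp_filter_target}")

      # Harden the generated library: Control-Flow Integrity with cross-DSO
      # checks enabled, and no debug sanitizer configuration.
      sanitize = {
        cfi = true
        cfi_cross_dso = true
        debug = false
      }

      relative_install_dir = "seccomp"

      # Installation and ownership settings come straight from the invoker;
      # each is only set when the caller defined it.
      forward_variables_from(invoker,
                             [
                               "include_dirs",
                               "install_enable",
                               "part_name",
                               "subsystem_name",
                               "install_images",
                             ])
    }
  }
}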