# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//build/config/python.gni")
import("//build/ohos.gni")
template("ohos_prebuilt_seccomp") {
if (!build_seccomp) {
group(target_name) {
not_needed(invoker, "*")
}
} else {
assert(defined(invoker.sources),
"source must be defined for ${target_name}.")
assert(defined(invoker.filtername),
"source must be defined for ${target_name}.")
assert(
defined(invoker.process_type) &&
(invoker.process_type == "app" || invoker.process_type == "system"),
"process_type must be defined for ${target_name}, and the type must be app or system")
_seccomp_filter_target = "gen_${target_name}"
_output_name = "${invoker.filtername}_filter"
_seccomp_filter_file = target_gen_dir + "/${_output_name}.c"
_syscall_to_nr_arm_name = "${target_name}_syscall_to_nr_arm"
_syscall_to_nr_arm64_name = "${target_name}_syscall_to_nr_arm64"
_syscall_to_nr_riscv64_name = "${target_name}_syscall_to_nr_riscv64"
_blocklist_file_name = "//build/config/components/init/seccomp/seccomp_policy/${invoker.process_type}.blocklist.seccomp.policy"
_key_process_file_name = "//build/config/components/init/seccomp/seccomp_policy/privileged_process.seccomp.policy"
action(_syscall_to_nr_arm_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//build/config/components/init/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_syscall_to_nr_arm64_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_arm64"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm64"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//build/config/components/init/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_syscall_to_nr_riscv64_name) {
script = "${clang_base_path}/bin/clang"
output_dir =
target_gen_dir + "/${_seccomp_filter_target}/libsyscall_to_nr_riscv64"
args = [
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-riscv"),
"-I",
rebase_path(
"//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
"-dD",
"-E",
"-Wall",
"-nostdinc",
"-o",
rebase_path(output_dir),
rebase_path(
"//build/config/components/init/seccomp/gen_syscall_name_nrs.c"),
]
outputs = [ output_dir ]
}
action(_seccomp_filter_target) {
script = "//build/config/components/init/seccomp/scripts/generate_code_from_policy.py"
sources = invoker.sources
sources += get_target_outputs(":${_syscall_to_nr_arm_name}")
sources += get_target_outputs(":${_syscall_to_nr_arm64_name}")
sources += get_target_outputs(":${_syscall_to_nr_riscv64_name}")
uid_is_root = false
if (defined(invoker.uid_is_root)) {
uid_is_root = invoker.uid_is_root
} else {
uid_is_root = false
}
if (invoker.process_type == "system" &&
invoker.filtername != "appspawn" &&
invoker.filtername != "nwebspawn" && uid_is_root == false) {
sources += [ "//build/config/components/init/seccomp/seccomp_policy/system_uid_filter.seccomp.policy" ]
}
deps = [
":${_syscall_to_nr_arm64_name}",
":${_syscall_to_nr_arm_name}",
":${_syscall_to_nr_riscv64_name}",
]
if (build_variant == "root") {
seccomp_is_debug = "true"
} else {
seccomp_is_debug = "false"
}
args = []
foreach(source, sources) {
args += [
"--src-files",
rebase_path(source),
]
}
args += [
"--blocklist-file",
rebase_path(_blocklist_file_name),
"--dst-file",
rebase_path(_seccomp_filter_file),
"--filter-name",
invoker.filtername,
"--target-cpu",
invoker.target_cpu,
"--keyprocess-file",
rebase_path(_key_process_file_name),
"--is-debug",
seccomp_is_debug,
]
outputs = [ _seccomp_filter_file ]
}
ohos_shared_library(target_name) {
output_name = _output_name
deps = [ ":${_seccomp_filter_target}" ]
sources = get_target_outputs(":${_seccomp_filter_target}")
sanitize = {
cfi = true
cfi_cross_dso = true
debug = false
}
relative_install_dir = "seccomp"
if (defined(invoker.include_dirs)) {
include_dirs = invoker.include_dirs
}
if (defined(invoker.install_enable)) {
install_enable = invoker.install_enable
}
if (defined(invoker.part_name)) {
part_name = invoker.part_name
}
if (defined(invoker.subsystem_name)) {
subsystem_name = invoker.subsystem_name
}
if (defined(invoker.install_images)) {
install_images = invoker.install_images
}
}
}
}