Linux sandbox: make seccomp_bpf a component target.

Make sure that for component builds, seccomp_bpf gets built as a .so library. This should prevent duplicated implementations from living in a given process, which breaks singletons. BUG=360124 R=rsesek@chromium.org Review URL: https://codereview.chromium.org/226253004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@261892 0039d316-1c4b-4281-b951-d872f2087c98
author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-04-04 21:56:48 +0000
committer: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-04-04 21:56:48 +0000
commit: edfb276904817fe8d73a72345371d315015bb02c (patch)
tree: 08c164defdd129ed5c13e0a06bde56d824a38aad /sandbox
parent: 537f83ad2ace260a444313fb1d7da63a375ff4cd (diff)
download: chromium_src-edfb276904817fe8d73a72345371d315015bb02c.zip
chromium_src-edfb276904817fe8d73a72345371d315015bb02c.tar.gz
chromium_src-edfb276904817fe8d73a72345371d315015bb02c.tar.bz2
9 files changed, 78 insertions, 36 deletions
diff --git a/sandbox/linux/sandbox_export.h b/sandbox/linux/sandbox_export.h
new file mode 100644
index 0000000..546de90
--- /dev/null
+++ b/sandbox/linux/sandbox_export.h
@@ -0,0 +1,23 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SANDBOX_EXPORT_H_
+#define SANDBOX_LINUX_SANDBOX_EXPORT_H_
+
+#if defined(COMPONENT_BUILD)
+
+#if defined(SANDBOX_IMPLEMENTATION)
+#define SANDBOX_EXPORT __attribute__((visibility("default")))
+#define SANDBOX_EXPORT_PRIVATE __attribute__((visibility("default")))
+#else
+#define SANDBOX_EXPORT
+#define SANDBOX_EXPORT_PRIVATE
+#endif  // defined(SANDBOX_IMPLEMENTATION)
+
+#else  // defined(COMPONENT_BUILD)
+#define SANDBOX_EXPORT
+#define SANDBOX_EXPORT_PRIVATE
+#endif  // defined(COMPONENT_BUILD)
+
+#endif  // SANDBOX_LINUX_SANDBOX_EXPORT_H_
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi
index 59c61ff..48d1f54 100644
--- a/sandbox/linux/sandbox_linux.gypi
+++ b/sandbox/linux/sandbox_linux.gypi
@@ -82,7 +82,7 @@
     },
     {
       'target_name': 'seccomp_bpf',
-      'type': 'static_library',
+      'type': '<(component)',
       'sources': [
         'seccomp-bpf/basicblock.cc',
         'seccomp-bpf/basicblock.h',
@@ -110,6 +110,9 @@
         '../base/base.gyp:base',
         'sandbox_services_headers',
       ],
+      'defines': [
+        'SANDBOX_IMPLEMENTATION',
+      ],
       'include_dirs': [
         '../..',
       ],
diff --git a/sandbox/linux/seccomp-bpf/codegen.h b/sandbox/linux/seccomp-bpf/codegen.h
index 2745e51..ad28978 100644
--- a/sandbox/linux/seccomp-bpf/codegen.h
+++ b/sandbox/linux/seccomp-bpf/codegen.h
@@ -9,6 +9,7 @@
 #include <set>
 #include <vector>
 
+#include "sandbox/linux/sandbox_export.h"
 #include "sandbox/linux/seccomp-bpf/basicblock.h"
 #include "sandbox/linux/seccomp-bpf/instruction.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
@@ -52,7 +53,7 @@ typedef std::map<const BasicBlock*, int> IncomingBranches;
 //     static_cast<unsigned short>(program->size()), &program[0] };
 //   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
 //
-class CodeGen {
+class SANDBOX_EXPORT CodeGen {
  public:
   CodeGen();
   ~CodeGen();
diff --git a/sandbox/linux/seccomp-bpf/die.h b/sandbox/linux/seccomp-bpf/die.h
index 5dcfda0..2708a12 100644
--- a/sandbox/linux/seccomp-bpf/die.h
+++ b/sandbox/linux/seccomp-bpf/die.h
@@ -6,6 +6,7 @@
 #define SANDBOX_LINUX_SECCOMP_BPF_DIE_H__
 
 #include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
 
 namespace sandbox {
 
@@ -20,7 +21,7 @@ namespace sandbox {
 // Adds an informational message to the log file or stderr as appropriate.
 #define SANDBOX_INFO(m) sandbox::Die::SandboxInfo(m, __FILE__, __LINE__)
 
-class Die {
+class SANDBOX_EXPORT Die {
  public:
   // Terminate the program, even if the current sandbox policy prevents some
   // of the more commonly used functions used for exiting.
diff --git a/sandbox/linux/seccomp-bpf/errorcode.h b/sandbox/linux/seccomp-bpf/errorcode.h
index 625d123..7a21f3f 100644
--- a/sandbox/linux/seccomp-bpf/errorcode.h
+++ b/sandbox/linux/seccomp-bpf/errorcode.h
@@ -5,6 +5,7 @@
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
 
+#include "sandbox/linux/sandbox_export.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 
@@ -20,7 +21,7 @@ struct arch_seccomp_data;
 // All of the commonly used values are stored in the "err_" field. So, code
 // that is using the ErrorCode class typically operates on a single 32bit
 // field.
-class ErrorCode {
+class SANDBOX_EXPORT ErrorCode {
  public:
   enum {
     // Allow this system call. The value of ERR_ALLOWED is pretty much
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index d626e4c..f6e4135 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -17,6 +17,7 @@
 #include <vector>
 
 #include "base/memory/scoped_ptr.h"
+#include "sandbox/linux/sandbox_export.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
@@ -41,7 +42,7 @@ class SandboxBPFPolicy;
 class SandboxUnittestHelper;
 struct Instruction;
 
-class SandboxBPF {
+class SANDBOX_EXPORT SandboxBPF {
  public:
   enum SandboxStatus {
     STATUS_UNKNOWN,      // Status prior to calling supportsSeccompSandbox()
diff --git a/sandbox/linux/seccomp-bpf/syscall.h b/sandbox/linux/seccomp-bpf/syscall.h
index 0b51380..95647ed 100644
--- a/sandbox/linux/seccomp-bpf/syscall.h
+++ b/sandbox/linux/seccomp-bpf/syscall.h
@@ -7,6 +7,8 @@
 
 #include <stdint.h>
 
+#include "sandbox/linux/sandbox_export.h"
+
 namespace sandbox {
 
 // We have to make sure that we have a single "magic" return address for
@@ -15,13 +17,13 @@ namespace sandbox {
 // that also b) can be invoked in a way that computes this return address.
 // Passing "nr" as "-1" computes the "magic" return address. Passing any
 // other value invokes the appropriate system call.
-intptr_t SandboxSyscall(int nr,
-                        intptr_t p0,
-                        intptr_t p1,
-                        intptr_t p2,
-                        intptr_t p3,
-                        intptr_t p4,
-                        intptr_t p5);
+SANDBOX_EXPORT intptr_t SandboxSyscall(int nr,
+                                       intptr_t p0,
+                                       intptr_t p1,
+                                       intptr_t p2,
+                                       intptr_t p3,
+                                       intptr_t p4,
+                                       intptr_t p5);
 
 // System calls can take up to six parameters. Traditionally, glibc
 // implements this property by using variadic argument lists. This works, but
@@ -46,16 +48,17 @@ template <class T0 = intptr_t,
           class T3 = intptr_t,
           class T4 = intptr_t,
           class T5 = intptr_t>
-inline intptr_t SandboxSyscall(int nr,
-                               T0 p0 = 0,
-                               T1 p1 = 0,
-                               T2 p2 = 0,
-                               T3 p3 = 0,
-                               T4 p4 = 0,
-                               T5 p5 = 0) __attribute__((always_inline));
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr,
+                                              T0 p0 = 0,
+                                              T1 p1 = 0,
+                                              T2 p2 = 0,
+                                              T3 p3 = 0,
+                                              T4 p4 = 0,
+                                              T5 p5 = 0)
+    __attribute__((always_inline));
 
 template <class T0, class T1, class T2, class T3, class T4, class T5>
-inline intptr_t
+SANDBOX_EXPORT inline intptr_t
 SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
   return SandboxSyscall(nr,
                         (intptr_t)p0,
@@ -73,10 +76,11 @@ SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
 //   compilers as soon as we have fully switched to C++11
 
 template <class T0, class T1, class T2, class T3, class T4, class T5>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5)
+SANDBOX_EXPORT inline intptr_t
+    SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5)
     __attribute__((always_inline));
 template <class T0, class T1, class T2, class T3, class T4, class T5>
-inline intptr_t
+SANDBOX_EXPORT inline intptr_t
 SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
   return SandboxSyscall(nr,
                         (intptr_t)p0,
@@ -88,46 +92,52 @@ SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
 }
 
 template <class T0, class T1, class T2, class T3, class T4>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4)
+SANDBOX_EXPORT inline intptr_t
+    SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4)
     __attribute__((always_inline));
 template <class T0, class T1, class T2, class T3, class T4>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4) {
+SANDBOX_EXPORT inline intptr_t
+SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4) {
   return SandboxSyscall(nr, p0, p1, p2, p3, p4, 0);
 }
 
 template <class T0, class T1, class T2, class T3>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3)
+SANDBOX_EXPORT inline intptr_t
+    SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3)
     __attribute__((always_inline));
 template <class T0, class T1, class T2, class T3>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3) {
+SANDBOX_EXPORT inline intptr_t
+SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3) {
   return SandboxSyscall(nr, p0, p1, p2, p3, 0, 0);
 }
 
 template <class T0, class T1, class T2>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2)
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2)
     __attribute__((always_inline));
 template <class T0, class T1, class T2>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2) {
   return SandboxSyscall(nr, p0, p1, p2, 0, 0, 0);
 }
 
 template <class T0, class T1>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1)
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1)
     __attribute__((always_inline));
 template <class T0, class T1>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1) {
   return SandboxSyscall(nr, p0, p1, 0, 0, 0, 0);
 }
 
 template <class T0>
-inline intptr_t SandboxSyscall(int nr, T0 p0) __attribute__((always_inline));
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0)
+    __attribute__((always_inline));
 template <class T0>
-inline intptr_t SandboxSyscall(int nr, T0 p0) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0) {
   return SandboxSyscall(nr, p0, 0, 0, 0, 0, 0);
 }
 
-inline intptr_t SandboxSyscall(int nr) __attribute__((always_inline));
-inline intptr_t SandboxSyscall(int nr) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr)
+    __attribute__((always_inline));
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr) {
   return SandboxSyscall(nr, 0, 0, 0, 0, 0, 0);
 }
 
diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.h b/sandbox/linux/seccomp-bpf/syscall_iterator.h
index 3b56ea3..ea4273f 100644
--- a/sandbox/linux/seccomp-bpf/syscall_iterator.h
+++ b/sandbox/linux/seccomp-bpf/syscall_iterator.h
@@ -8,6 +8,7 @@
 #include <stdint.h>
 
 #include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
 
 namespace sandbox {
 
@@ -31,7 +32,7 @@ namespace sandbox {
 //   }
 //
 // TODO(markus): Make this a classic C++ iterator.
-class SyscallIterator {
+class SANDBOX_EXPORT SyscallIterator {
  public:
   explicit SyscallIterator(bool invalid_only)
       : invalid_only_(invalid_only), done_(false), num_(0) {}
diff --git a/sandbox/linux/seccomp-bpf/trap.h b/sandbox/linux/seccomp-bpf/trap.h
index 334a30d..4438d67 100644
--- a/sandbox/linux/seccomp-bpf/trap.h
+++ b/sandbox/linux/seccomp-bpf/trap.h
@@ -12,6 +12,7 @@
 #include <vector>
 
 #include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
 
 namespace sandbox {
 
@@ -25,7 +26,7 @@ class ErrorCode;
 //   Preferably, that means that no other threads should be running at that
 //   time. For the purposes of our sandbox, this assertion should always be
 //   true. Threads are incompatible with the seccomp sandbox anyway.
-class Trap {
+class SANDBOX_EXPORT Trap {
  public:
   // TrapFnc is a pointer to a function that handles Seccomp traps in
   // user-space. The seccomp policy can request that a trap handler gets
author	jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-04-04 21:56:48 +0000
committer	jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-04-04 21:56:48 +0000
commit	edfb276904817fe8d73a72345371d315015bb02c (patch)
tree	08c164defdd129ed5c13e0a06bde56d824a38aad /sandbox
parent	537f83ad2ace260a444313fb1d7da63a375ff4cd (diff)
download	chromium_src-edfb276904817fe8d73a72345371d315015bb02c.zip chromium_src-edfb276904817fe8d73a72345371d315015bb02c.tar.gz chromium_src-edfb276904817fe8d73a72345371d315015bb02c.tar.bz2