summaryrefslogtreecommitdiffstats
path: root/sandbox/sandbox.gyp
Commit message (Collapse)AuthorAgeFilesLines
* Force inclusion of build/common.gypi for all chromium gyp files.yaar@chromium.org2009-09-151-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | Why: Simpler build code. If everybody includes it, it should be included automatically. Why now: The webkit chromium builds need it be specified, since can't default to build/common.gypi. What was done: 1. build/common.gypi's contents were moved to a new file build/gyp_chromium.gypi 2. tools/gyp/gyp_chromium was moved to build/gyp_chromium and made to automatically include build/gyp_chromium.gypi. 3. lots of gyp files were fixed to not refer to build/common.gypi any more. 4. o3d which also builds independently of chrome, was fixed to have a gyp_o3d that includes gyp_chromium.gypi too. 5. build/common.gypi was left empty, because there are some external projects that still refer to it. Things that are left to do after this patch is in: 1. The following external files (in other repositories) need to stop include common.gypi ./third_party/hunspell/hunspell.gyp ./third_party/icu/icu.gyp ./v8/tools/gyp/v8.gyp 2. Once nobody refers to common.gypi anymore, delete common.gypi -or- Delete gyp_chromium.gypi and move its content back to common.gypi Tested on mac, win and linux. On win, got a few unit tests errors on chrome bookmarks, which should not be related. I'm running again with clobber to verify. Review URL: http://codereview.chromium.org/206006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26302 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: add support for SELinux.agl@chromium.org2009-09-151-1/+10
| | | | | | | | | | | | | | | | | | This patch adds support for a selinux GYP variable which, when set to one, does the following: * Removes the seccomp sandbox from the compile * Removes support for SUID sandboxing from the zygote * Performs a dynamic transition, in the zygote, to chromium_renderer_t. This code requires that the system policy have a sensible set of access vectors for the chromium_renderer_t type. Such a policy will be found in sandbox/selinux in the future. http://codereview.chromium.org/203071 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26257 0039d316-1c4b-4281-b951-d872f2087c98
* Fix issue 8348: unfork pe_image.h / pe_image.cctkent@chromium.org2009-09-081-3/+0
| | | | | | | | | | | | | Moved versions of those files from sandbox/src/ to base/ (overwrite versions in base/ to avoid 64-bit warning). Removed 'sandbox' namespace, adapted other files as necessary. BUG=8348 TEST=none Original review URL: http://codereview.chromium.org/179039 Patch by rsteiner git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25611 0039d316-1c4b-4281-b951-d872f2087c98
* Delete all precompiled support. It is causing more harm than good, ↵maruel@chromium.org2009-09-041-60/+0
| | | | | | | | | | | | especially when define changes. TEST=none BUG=20889 Review URL: http://codereview.chromium.org/171118 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25511 0039d316-1c4b-4281-b951-d872f2087c98
* Clean out leftover bits of the path-based Linux SUID sandbox.thestig@chromium.org2009-09-011-10/+0
| | | | | | | | TEST=none BUG=none Review URL: http://codereview.chromium.org/181030 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@25019 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: updates to the SUID sandboxagl@chromium.org2009-08-281-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (patch from Julien Tinnes) * Light changes to make it compile as C99 code instead of C++ (no variable declaration inside 'for' loops initialization) * argc = 0 would lead to memory corruption. * Now always in CHROME_DEVEL_SANDBOX mode: + In the previous mode, the trusted binary was attacker-owned anyway because of the environment variables, so I believe it was trivial to bypass the check. + Remove check for being owned by current user. * Move all the tmp dir creation stuff *before* CLONE_FS happens: avoid doing stuff in a scary environment. I closed the fd in the untrusted process. * changed if (st.st_uid || st.st_gid || st.st_mode & S_IWOTH) to if (st.st_uid || st.st_gid || st.st_mode & 0777) * Check rmdir/fchown/fchmod return values * Check snprintf return value x3 (probably useless) git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24758 0039d316-1c4b-4281-b951-d872f2087c98
* Hide seccomp sandbox from !X86deanm@chromium.org2009-08-211-37/+41
| | | | | | | | | | | | | This CL moves the seccomp sandbox callsite behind an ifdef arch x86 and makes the gyp target conditional on !ARM. Patch by Joel Stanley <joel@jms.id.au> BUG=19953 Review URL: http://codereview.chromium.org/173201 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23984 0039d316-1c4b-4281-b951-d872f2087c98
* Initial version of the Seccomp sandbox. Imported from ↵markus@chromium.org2009-08-111-1/+45
| | | | | | | | | | | http://code.google.com/p/seccompsandbox/ Make the seccomp sandbox dependant on the --enable-seccomp-sandbox flag Review URL: http://codereview.chromium.org/165310 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23087 0039d316-1c4b-4281-b951-d872f2087c98
* Linux sandbox: save full list of SUID unsafe environment variables.agl@chromium.org2009-07-171-0/+3
| | | | | | | | | | | | | r20733 added code to save LD_LIBRARY_PATH when using the SUID sandbox. That fixed a P0, show-stopper bug, however, LD_LIBRARY_PATH isn't the only variable which is stomped when using SUID binaries. This patch extends support to all variables that we so affected. BUG=16815 http://codereview.chromium.org/159025 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21009 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: move hardcoded paths to GYP variables.agl@chromium.org2009-07-151-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes the hardcoded paths for the sandbox binary location and the chrome binary location for the sandbox. Instead, you can now set GYP variables for these things. Indeed, you have to set a GYP variable in order to use the sandbox now. GYP variables can be set on the command line, if you run gyp.py directly, with -D key=value. Or you can export GYP_DEFINES="key=value key2=value2". Now, in order to use the sandbox you should set: linux_sandbox_path=/opt/google/chrome/chrome-sandbox linux_sandbox_chrome_path=/opt/google/chrome/chrome (changing the paths as needed, of course). See the comments in build/common.gypi For development see http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment Because developers need to setup a special sandbox binary. http://codereview.chromium.org/149689 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20801 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: fix for developing on a machine with google-chrome packages installed.agl@chromium.org2009-07-151-0/+7
| | | | | | | | | | | | | | | | | | | | | | | The latest google-chrome packages contain a sandbox binary, which the development builds of chromium will pick up on automatically. However, for safety reasons, the sandbox binary will only exec a fixed chrome binary location. Since development builds will be somewhere else in the filesystem, this means that they will fail to start their zygote processes and generally be very sad. However, we /do/ want people developing with the sandbox, but we don't want the general sandbox binary to be able to exec anything. We could have chromium try and find its sandbox binary relative to the build directory, but some people build on NFS and, since the sandbox binary needs to be SUID, this won't work for them. Instead, we add a new target: chrome_devel_sandbox which developers can use. This builds a sandbox binary that will exec anything which is owned by the running user. This alternative sandbox binary can be selected by exporting CHROME_DEVEL_SANDBOX. git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20709 0039d316-1c4b-4281-b951-d872f2087c98
* Build fix: scons doesn't support hyphens in target names.agl@chromium.org2009-07-081-1/+1
| | | | git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20111 0039d316-1c4b-4281-b951-d872f2087c98
* Linux: SUID sandbox supportagl@chromium.org2009-07-081-0/+11
| | | | | | | | | | | | | | | | | | | | | * Make processes dumpable when they crash. * Find crashing processes by searching for a socket inode, rather than relying on SCM_CREDENTIALS. The kernel doesn't translate PIDs between PID namespaces with SCM_CREDENTIALS, so we can't use the PID there. * Use a command line flag to the renderer to enable crash dumping. Previously it tried to access the user's home directory for this information. * Search for a sandbox helper binary and, if found, use it. * Include the source for a sandbox helper binary. It's currently not built by default. http://codereview.chromium.org/149230 R=evan,markus BUG=8081 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20110 0039d316-1c4b-4281-b951-d872f2087c98
* Explicitly enable /INCREMENTAL linking for gyp-generated Debug builds.sgk@google.com2009-05-221-0/+5
| | | | | | | | | | | | | | | | | | | | | | Explicitly disable it (/INCREMENTAL:NO) for Release, and for the following targets that require it: chrome.dll interactive_ui_tests.exe perf_tests.exe unit_tests.exe Explicitly specificy /SUBSYSTEM:CONSOLE as default for linking, and match current practice by overriding with /SUBSYSTEM:WINDOWS for: chrome.exe chrome.dll media_player.exe sandbox_poc.exe TEST=none BUG=none Review URL: http://codereview.chromium.org/115664 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16698 0039d316-1c4b-4281-b951-d872f2087c98
* Add support for alternate window station.nsylvain@chromium.org2009-05-201-0/+2
| | | | | | | | | | TEST: Start chrome, make sure it loads pages, then user process explorer to make sure the WindowStation handle name is not the same as the browser process. BUG:10996 Review URL: http://codereview.chromium.org/113190 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16483 0039d316-1c4b-4281-b951-d872f2087c98
* Basic underpinnings of the gyp equivalent of the Linux SHARED=1 build:sgk@google.com2009-04-081-1/+1
| | | | | | | | | parameterize the 'type' setting of the various library targets, with a default of 'static_library'. (Hat tip to Craig Schlenter.) Review URL: http://codereview.chromium.org/62127 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@13345 0039d316-1c4b-4281-b951-d872f2087c98
* sbox_unit_tests -> sbox_unittestsbradnelson@google.com2009-03-251-1/+1
| | | | | | Review URL: http://codereview.chromium.org/45052 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12464 0039d316-1c4b-4281-b951-d872f2087c98
* Switching sandbox to gyp on windows.bradnelson@google.com2009-03-231-0/+9
| | | | | | | | | Rolling forward deps on gyp to get 'copies' support. This time handled wow_helper. Review URL: http://codereview.chromium.org/42355 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12270 0039d316-1c4b-4281-b951-d872f2087c98
* Adding fixed guids to some modules to facilitate incremental switch to gyp.bradnelson@google.com2009-03-101-0/+1
| | | | | | Review URL: http://codereview.chromium.org/42044 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11388 0039d316-1c4b-4281-b951-d872f2087c98
* Snapshotting progress.bradnelson@google.com2009-03-091-0/+316
Got app and unit_tests linking with gyp under windows. Still missing pieces (things don't run). Review URL: http://codereview.chromium.org/39319 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11302 0039d316-1c4b-4281-b951-d872f2087c98
generated by cgit v1.1 at 2025-01-20 08:56:08 +0000