BUILD.gn

# Copyright (c) 2022 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import("//base/startup/init/begetd.gni")
import(
    "//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni")
import("//build/config/clang/clang.gni")
import("//build/ohos.gni")
import("//build/ohos/kernel/kernel.gni")

INIT_PART = "init"

action("syscall_to_nr_arm") {
  script = "${clang_base_path}/bin/clang"
  output_dir = target_gen_dir + "/libsyscall_to_nr_arm"
  args = [
    "-I",
    rebase_path(
        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm"),
    "-I",
    rebase_path(
        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
    "-dD",
    "-E",
    "-Wall",
    "-nostdinc",
    "-o",
    rebase_path(output_dir),
    rebase_path("gen_syscall_name_nrs.c"),
  ]

  outputs = [ output_dir ]
}

action("syscall_to_nr_arm64") {
  script = "${clang_base_path}/bin/clang"
  output_dir = target_gen_dir + "/libsyscall_to_nr_arm64"
  args = [
    "-I",
    rebase_path(
        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm64"),
    "-I",
    rebase_path(
        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
    "-dD",
    "-E",
    "-Wall",
    "-nostdinc",
    "-o",
    rebase_path(output_dir),
    rebase_path("gen_syscall_name_nrs.c"),
  ]

  outputs = [ output_dir ]
}

ohos_prebuilt_seccomp("system_filter") {
  sources = []
  if (target_cpu == "arm") {
    sources += [ "seccomp_policy/system_arm.seccomp.policy" ]
  } else if (target_cpu == "arm64" || target_cpu == "x86_64") {
    sources += [
      # 64-bit machine also need check use 32-bit syscall
      "seccomp_policy/system_arm.seccomp.policy",
      "seccomp_policy/system_arm64.seccomp.policy",
    ]
  }

  filtername = "g_systemSeccompFilter"
  part_name = INIT_PART
  subsystem_name = "startup"

  install_enable = true
  install_images = [ "system" ]
}

ohos_prebuilt_seccomp("appspawn_filter") {
  sources = []
  if (target_cpu == "arm") {
    sources += [ "seccomp_policy/spawn_arm.seccomp.policy" ]
  } else if (target_cpu == "arm64" || target_cpu == "x86_64") {
    sources += [
      # 64-bit machine also need check use 32-bit syscall
      "seccomp_policy/spawn_arm.seccomp.policy",
      "seccomp_policy/spawn_arm64.seccomp.policy",
    ]
  }

  filtername = "g_appspawnSeccompFilter"
  part_name = INIT_PART
  subsystem_name = "startup"

  install_enable = true
  install_images = [ "system" ]
}

ohos_prebuilt_seccomp("nwebspawn_filter") {
  if (target_cpu == "arm") {
    sources = [ "seccomp_policy/renderer_arm.seccomp.policy" ]
  } else if (target_cpu == "arm64" || target_cpu == "x86_64") {
    sources = [ "seccomp_policy/renderer_arm64.seccomp.policy" ]
  }

  filtername = "g_nwebspawnSeccompFilter"
  part_name = INIT_PART
  subsystem_name = "startup"

  install_enable = true
  install_images = [ "system" ]
}

ohos_prebuilt_seccomp("app_filter") {
  sources = []
  if (target_cpu == "arm") {
    sources += [ "seccomp_policy/app_arm.seccomp.policy" ]
  } else if (target_cpu == "arm64" || target_cpu == "x86_64") {
    sources += [
      # 64-bit machine also need check use 32-bit syscall
      "seccomp_policy/app_arm.seccomp.policy",
      "seccomp_policy/app_arm64.seccomp.policy",
    ]
  }

  filtername = "g_appSeccompFilter"
  part_name = INIT_PART
  subsystem_name = "startup"

  install_enable = true
  install_images = [ "system" ]
}

config("libseccomp_static_config") {
  include_dirs = [
    "//base/startup/init/services/modules",
    "//base/startup/init/interfaces/innerkits/seccomp/include",
    "//third_party/bounds_checking_function/include",
  ]
}

ohos_source_set("libseccomp_static") {
  sources = [
    "seccomp_policy.c",
    "seccomp_policy_static.c",
  ]
  public_configs = [
    ":libseccomp_static_config",
    "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config",
  ]
}

group("seccomp_filter") {
  deps = [
    ":app_filter",
    ":appspawn_filter",
    ":nwebspawn_filter",
    ":system_filter",
  ]
}