Merge from Chromium at DEPS revision 262940
This commit was generated by merge_to_master.py.
Change-Id: I9a3fddbb29857fa8f68a18c6a0115862b65f84d1
diff --git a/sandbox/linux/sandbox_export.h b/sandbox/linux/sandbox_export.h
new file mode 100644
index 0000000..546de90
--- /dev/null
+++ b/sandbox/linux/sandbox_export.h
@@ -0,0 +1,23 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SANDBOX_EXPORT_H_
+#define SANDBOX_LINUX_SANDBOX_EXPORT_H_
+
+#if defined(COMPONENT_BUILD)
+
+#if defined(SANDBOX_IMPLEMENTATION)
+#define SANDBOX_EXPORT __attribute__((visibility("default")))
+#define SANDBOX_EXPORT_PRIVATE __attribute__((visibility("default")))
+#else
+#define SANDBOX_EXPORT
+#define SANDBOX_EXPORT_PRIVATE
+#endif // defined(SANDBOX_IMPLEMENTATION)
+
+#else // defined(COMPONENT_BUILD)
+#define SANDBOX_EXPORT
+#define SANDBOX_EXPORT_PRIVATE
+#endif // defined(COMPONENT_BUILD)
+
+#endif // SANDBOX_LINUX_SANDBOX_EXPORT_H_
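Review bot: `SANDBOX_EXPORT` and `SANDBOX_EXPORT_PRIVATE` expand to the same thing in every branch of this new header, and nothing says when to use which. A short comment above the `#if defined(COMPONENT_BUILD)` block would help, for example `// SANDBOX_EXPORT marks the public API; SANDBOX_EXPORT_PRIVATE marks symbols exported only for tests.` That split is an assumption, since this file does not show the intended difference.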
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi
index 59c61ff..75f37c9 100644
--- a/sandbox/linux/sandbox_linux.gypi
+++ b/sandbox/linux/sandbox_linux.gypi
@@ -82,7 +82,7 @@
},
{
'target_name': 'seccomp_bpf',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'seccomp-bpf/basicblock.cc',
'seccomp-bpf/basicblock.h',
@@ -110,13 +110,16 @@
'../base/base.gyp:base',
'sandbox_services_headers',
],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
+ ],
'include_dirs': [
'../..',
],
},
{
'target_name': 'seccomp_bpf_helpers',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'seccomp-bpf-helpers/baseline_policy.cc',
'seccomp-bpf-helpers/baseline_policy.h',
@@ -128,6 +131,11 @@
'seccomp-bpf-helpers/syscall_sets.h',
],
'dependencies': [
+ '../base/base.gyp:base',
+ 'seccomp_bpf',
+ ],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
],
'include_dirs': [
'../..',
@@ -175,7 +183,7 @@
],
},
{ 'target_name': 'sandbox_services',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'services/broker_process.cc',
'services/broker_process.h',
@@ -191,6 +199,9 @@
'dependencies': [
'../base/base.gyp:base',
],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
+ ],
'conditions': [
['compile_credentials==1', {
'sources': [
@@ -240,13 +251,16 @@
},
{
'target_name': 'suid_sandbox_client',
- 'type': 'static_library',
+ 'type': '<(component)',
'sources': [
'suid/common/sandbox.h',
'suid/common/suid_unsafe_environment_variables.h',
'suid/client/setuid_sandbox_client.cc',
'suid/client/setuid_sandbox_client.h',
],
+ 'defines': [
+ 'SANDBOX_IMPLEMENTATION',
+ ],
'dependencies': [
'../base/base.gyp:base',
'sandbox_services',
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
index 1dfd137..f1e4bb9 100644
--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
@@ -5,6 +5,7 @@
#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
+#include "sandbox/linux/sandbox_export.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
@@ -22,7 +23,7 @@
// The "baseline" policy is somewhat arbitrary. All Chromium policies are an
// alteration of it, and it represents a reasonable common ground to run most
// code in a sandboxed environment.
-class BaselinePolicy : public SandboxBPFPolicy {
+class SANDBOX_EXPORT BaselinePolicy : public SandboxBPFPolicy {
public:
BaselinePolicy();
// |fs_denied_errno| is the errno returned when a filesystem access system
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
index 6ff7125..4cefa4c 100644
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
@@ -9,7 +9,6 @@
#include <unistd.h>
#include "base/basictypes.h"
-#include "base/logging.h"
#include "base/posix/eintr_wrapper.h"
#include "build/build_config.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
@@ -95,11 +94,11 @@
// TODO(jln): refactor the reporting functions.
intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
+ static const char kSeccompCloneError[] =
+ __FILE__":**CRASHING**:clone() failure\n";
+ WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1);
// "flags" is the first argument in the kernel's clone().
// Mark as volatile to be able to find the value on the stack in a minidump.
-#if !defined(NDEBUG)
- RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n");
-#endif
volatile uint64_t clone_flags = args.args[0];
volatile char* addr;
if (IsArchitectureX86_64()) {
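Review bot: Dropping the `#if !defined(NDEBUG)` guard means the `__FILE__`-based message in SIGSYSCloneFailure is now compiled into release binaries and written on every trap; the same applies to SIGSYSPrctlFailure and SIGSYSIoctlFailure in the next two hunks. Depending on how the compiler is invoked, `__FILE__` can carry a build-machine path, so a fixed literal such as `"sigsys_handlers.cc:**CRASHING**:clone() failure\n"` would keep the output stable and free of build details. WriteToStdErr is defined outside these hunks; since the header promises async-signal safety, it is worth confirming that it uses only write(2) and copes with fd 2 being closed or reused. The three handlers now repeat the same three lines, which the existing TODO about refactoring the reporting functions could absorb. The function bodies continue outside the hunks.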
@@ -115,10 +114,10 @@
intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
void* /* aux */) {
+ static const char kSeccompPrctlError[] =
+ __FILE__":**CRASHING**:prctl() failure\n";
+ WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1);
// Mark as volatile to be able to find the value on the stack in a minidump.
-#if !defined(NDEBUG)
- RAW_LOG(ERROR, __FILE__":**CRASHING**:prctl() failure\n");
-#endif
volatile uint64_t option = args.args[0];
volatile char* addr =
reinterpret_cast<volatile char*>(option & 0xFFF);
@@ -129,10 +128,10 @@
intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
void* /* aux */) {
+ static const char kSeccompIoctlError[] =
+ __FILE__":**CRASHING**:ioctl() failure\n";
+ WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1);
// Make "request" volatile so that we can see it on the stack in a minidump.
-#if !defined(NDEBUG)
- RAW_LOG(ERROR, __FILE__":**CRASHING**:ioctl() failure\n");
-#endif
volatile uint64_t request = args.args[1];
volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
*addr = '\0';
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
index 3bf5c16..0bada37 100644
--- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -7,6 +7,7 @@
#include "base/basictypes.h"
#include "build/build_config.h"
+#include "sandbox/linux/sandbox_export.h"
// The handlers are suitable for use in Trap() error codes. They are
// guaranteed to be async-signal safe.
@@ -19,20 +20,24 @@
// This handler will crash the currently running process. The crashing address
// will be the number of the current system call, extracted from |args|.
// This handler will also print to stderr the number of the crashing syscall.
-intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux);
// The following three handlers are suitable to report failures with the
// clone(), prctl() and ioctl() system calls respectively.
// The crashing address will be (clone_flags & 0xFFFFFF), where clone_flags is
// the clone(2) argument, extracted from |args|.
-intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux);
// The crashing address will be (option & 0xFFF), where option is the prctl(2)
// argument.
-intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* aux);
// The crashing address will be request & 0xFFFF, where request is the ioctl(2)
// argument.
-intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux);
+SANDBOX_EXPORT intptr_t
+ SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux);
} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
index 65b7c47..aa1e0d1 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -6,10 +6,11 @@
#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
#include "build/build_config.h"
+#include "sandbox/linux/sandbox_export.h"
// These are helpers to build seccomp-bpf policies, i.e. policies for a
// sandbox that reduces the Linux kernel's attack surface. They return an
-// ErrorCode suitable to restrict certain system call parameters.
+// SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters.
namespace sandbox {
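Review bot: The file comment now reads `// SANDBOX_EXPORT ErrorCode suitable to restrict certain system call parameters.`, which looks like a search-and-replace artifact from annotating the declarations below. The macro does not belong in the prose, so the line should go back to `// ErrorCode suitable to restrict certain system call parameters.`.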
@@ -20,37 +21,38 @@
// Reject fork(2) attempts with EPERM.
// Don't restrict on ASAN.
// Crash if anything else is attempted.
-ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode
+ RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
// Crash if anything else is attempted.
-ErrorCode RestrictPrctl(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictPrctl(SandboxBPF* sandbox);
// Allow TCGETS and FIONREAD.
// Crash if anything else is attempted.
-ErrorCode RestrictIoctl(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictIoctl(SandboxBPF* sandbox);
// Restrict the flags argument in mmap(2).
// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
// Crash if any other flag is used.
-ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
// Restrict the prot argument in mprotect(2).
// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
-ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
// Restrict fcntl(2) cmd argument to:
// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
// F_SETLK, F_SETLKW and F_GETLK.
// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
-ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
#if defined(__i386__)
// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
-ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
+SANDBOX_EXPORT ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
#endif
} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
index d2cf1a1..dc92681 100644
--- a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
@@ -7,6 +7,7 @@
#include "base/basictypes.h"
#include "build/build_config.h"
+#include "sandbox/linux/sandbox_export.h"
// These are helpers to build seccomp-bpf policies, i.e. policies for a
// sandbox that reduces the Linux kernel's attack surface. Given their
@@ -15,7 +16,7 @@
namespace sandbox {
-class SyscallSets {
+class SANDBOX_EXPORT SyscallSets {
public:
static bool IsKill(int sysno);
static bool IsAllowedGettime(int sysno);
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h
index dd30b15..cc3fc25 100644
--- a/sandbox/linux/seccomp-bpf/bpf_tests.h
+++ b/sandbox/linux/seccomp-bpf/bpf_tests.h
@@ -84,7 +84,8 @@
sandbox::SandboxBPF sandbox;
sandbox.set_proc_fd(proc_fd);
sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
- sandbox.SandboxBPF::StartSandbox();
+ BPF_ASSERT(sandbox.StartSandbox(
+ sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
arg->test()(arg->aux_);
} else {
diff --git a/sandbox/linux/seccomp-bpf/codegen.h b/sandbox/linux/seccomp-bpf/codegen.h
index 2745e51..ad28978 100644
--- a/sandbox/linux/seccomp-bpf/codegen.h
+++ b/sandbox/linux/seccomp-bpf/codegen.h
@@ -9,6 +9,7 @@
#include <set>
#include <vector>
+#include "sandbox/linux/sandbox_export.h"
#include "sandbox/linux/seccomp-bpf/basicblock.h"
#include "sandbox/linux/seccomp-bpf/instruction.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
@@ -52,7 +53,7 @@
// static_cast<unsigned short>(program->size()), &program[0] };
// prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
//
-class CodeGen {
+class SANDBOX_EXPORT CodeGen {
public:
CodeGen();
~CodeGen();
diff --git a/sandbox/linux/seccomp-bpf/demo.cc b/sandbox/linux/seccomp-bpf/demo.cc
index 1418018..1cf4511 100644
--- a/sandbox/linux/seccomp-bpf/demo.cc
+++ b/sandbox/linux/seccomp-bpf/demo.cc
@@ -421,7 +421,10 @@
SandboxBPF sandbox;
sandbox.set_proc_fd(proc_fd);
sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL);
- sandbox.StartSandbox();
+ if (!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)) {
+ fprintf(stderr, "StartSandbox() failed");
+ _exit(1);
+ }
// Check that we can create threads
pthread_t thr;
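Review bot: The message in `fprintf(stderr, "StartSandbox() failed");` has no trailing newline, so it will run into whatever is printed to the terminal next. Use `fprintf(stderr, "StartSandbox() failed\n");` instead. The enclosing function starts and ends outside this hunk.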
diff --git a/sandbox/linux/seccomp-bpf/die.h b/sandbox/linux/seccomp-bpf/die.h
index 5dcfda0..2708a12 100644
--- a/sandbox/linux/seccomp-bpf/die.h
+++ b/sandbox/linux/seccomp-bpf/die.h
@@ -6,6 +6,7 @@
#define SANDBOX_LINUX_SECCOMP_BPF_DIE_H__
#include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -20,7 +21,7 @@
// Adds an informational message to the log file or stderr as appropriate.
#define SANDBOX_INFO(m) sandbox::Die::SandboxInfo(m, __FILE__, __LINE__)
-class Die {
+class SANDBOX_EXPORT Die {
public:
// Terminate the program, even if the current sandbox policy prevents some
// of the more commonly used functions used for exiting.
diff --git a/sandbox/linux/seccomp-bpf/errorcode.h b/sandbox/linux/seccomp-bpf/errorcode.h
index 625d123..7a21f3f 100644
--- a/sandbox/linux/seccomp-bpf/errorcode.h
+++ b/sandbox/linux/seccomp-bpf/errorcode.h
@@ -5,6 +5,7 @@
#ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
#define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
+#include "sandbox/linux/sandbox_export.h"
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
#include "sandbox/linux/seccomp-bpf/trap.h"
@@ -20,7 +21,7 @@
// All of the commonly used values are stored in the "err_" field. So, code
// that is using the ErrorCode class typically operates on a single 32bit
// field.
-class ErrorCode {
+class SANDBOX_EXPORT ErrorCode {
public:
enum {
// Allow this system call. The value of ERR_ALLOWED is pretty much
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index 6b2327e..1538fe8 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -323,7 +323,9 @@
}
SetSandboxPolicyDeprecated(syscall_evaluator, aux);
- StartSandbox();
+ if (!StartSandbox(PROCESS_SINGLE_THREADED)) {
+ SANDBOX_DIE(NULL);
+ }
// Run our code in the sandbox.
code_in_sandbox();
@@ -430,15 +432,20 @@
void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
-void SandboxBPF::StartSandbox() {
+bool SandboxBPF::StartSandbox(SandboxThreadState thread_state) {
+ CHECK(thread_state == PROCESS_SINGLE_THREADED ||
+ thread_state == PROCESS_MULTI_THREADED);
+
if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
SANDBOX_DIE(
"Trying to start sandbox, even though it is known to be "
"unavailable");
+ return false;
} else if (sandbox_has_started_ || !conds_) {
SANDBOX_DIE(
"Cannot repeatedly start sandbox. Create a separate Sandbox "
"object instead.");
+ return false;
}
if (proc_fd_ < 0) {
proc_fd_ = open("/proc", O_RDONLY | O_DIRECTORY);
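Review bot: Every `return false;` added to StartSandbox follows a SANDBOX_DIE, and die.h describes that path as terminating the program, so these returns look unreachable and the function can in practice only return true; this applies to the two following hunks of the function as well. Combined with `WARN_UNUSED_RESULT` on the declaration, callers are pushed to write failure handling that never runs. Either say in the header comment that failure is currently fatal and the bool is reserved for a future non-fatal mode, or make the failure paths really return. The `CHECK(thread_state == ...)` rejects PROCESS_INVALID only at run time, so a comment on the enum such as `// PROCESS_INVALID exists to catch uninitialised values.` would make that intent explicit. The function body continues beyond this hunk.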
@@ -447,8 +454,10 @@
// For now, continue in degraded mode, if we can't access /proc.
// In the future, we might want to tighten this requirement.
}
- if (!IsSingleThreaded(proc_fd_)) {
+
+ if (thread_state == PROCESS_SINGLE_THREADED && !IsSingleThreaded(proc_fd_)) {
SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
+ return false;
}
// We no longer need access to any files in /proc. We want to do this
@@ -457,15 +466,18 @@
if (proc_fd_ >= 0) {
if (IGNORE_EINTR(close(proc_fd_))) {
SANDBOX_DIE("Failed to close file descriptor for /proc");
+ return false;
}
proc_fd_ = -1;
}
// Install the filters.
- InstallFilter();
+ InstallFilter(thread_state);
// We are now inside the sandbox.
status_ = STATUS_ENABLED;
+
+ return true;
}
void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
@@ -499,7 +511,7 @@
policy_.reset(policy);
}
-void SandboxBPF::InstallFilter() {
+void SandboxBPF::InstallFilter(SandboxThreadState thread_state) {
// We want to be very careful in not imposing any requirements on the
// policies that are set with SetSandboxPolicy(). This means, as soon as
// the sandbox is active, we shouldn't be relying on libraries that could
@@ -535,9 +547,23 @@
}
}
- sandbox_has_started_ = true;
+ // TODO(rsesek): Always try to engage the sandbox with the
+ // PROCESS_MULTI_THREADED path first, and if that fails, assert that the
+ // process IsSingleThreaded() or SANDBOX_DIE.
- return;
+ if (thread_state == PROCESS_MULTI_THREADED) {
+ // TODO(rsesek): Move these to a more reasonable place once the kernel
+ // patch has landed upstream and these values are formalized.
+ #define PR_SECCOMP_EXT 41
+ #define SECCOMP_EXT_ACT 1
+ #define SECCOMP_EXT_ACT_TSYNC 1
+ if (prctl(PR_SECCOMP_EXT, SECCOMP_EXT_ACT, SECCOMP_EXT_ACT_TSYNC, 0, 0)) {
+ SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to synchronize threadgroup "
+ "BPF filters.");
+ }
+ }
+
+ sandbox_has_started_ = true;
}
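Review bot: The three `#define`s inside InstallFilter hard-code numbers for a prctl interface that, per the TODO, is not upstream; a macro defined in a function body stays defined for the rest of the translation unit and can silently clash with a later kernel-header definition. As far as I know, upstream Linux later assigned prctl option 41 to PR_SET_THP_DISABLE, so on a kernel without the patch this call would reach an unrelated option. It appears to fail closed through SANDBOX_DIE, but only because that option rejects these arguments. I would move the values to file scope behind `#ifndef PR_SECCOMP_EXT` guards and add a comment that the filter is presumably already installed on the calling thread (outside this hunk) when synchronisation fails, which is why dying is the only safe outcome. InstallFilter starts before this hunk.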
SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index d626e4c..67b84b9 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -16,7 +16,9 @@
#include <utility>
#include <vector>
+#include "base/compiler_specific.h"
#include "base/memory/scoped_ptr.h"
+#include "sandbox/linux/sandbox_export.h"
#include "sandbox/linux/seccomp-bpf/die.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
@@ -41,7 +43,7 @@
class SandboxUnittestHelper;
struct Instruction;
-class SandboxBPF {
+class SANDBOX_EXPORT SandboxBPF {
public:
enum SandboxStatus {
STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox()
@@ -51,6 +53,18 @@
STATUS_ENABLED // The sandbox is now active
};
+ // Depending on the level of kernel support, seccomp-bpf may require the
+ // process to be single-threaded in order to enable it. When calling
+ // StartSandbox(), the program should indicate whether or not the sandbox
+ // should try and engage with multi-thread support.
+ enum SandboxThreadState {
+ PROCESS_INVALID,
+ PROCESS_SINGLE_THREADED, // The program is currently single-threaded.
+ // Note: PROCESS_MULTI_THREADED requires experimental kernel support that
+ // has not been contributed to upstream Linux.
+ PROCESS_MULTI_THREADED, // The program may be multi-threaded.
+ };
+
// When calling setSandboxPolicy(), the caller can provide an arbitrary
// pointer in |aux|. This pointer will then be forwarded to the sandbox
// policy each time a call is made through an EvaluateSyscall function
@@ -167,6 +181,8 @@
// This is the main public entry point. It finds all system calls that
// need rewriting, sets up the resources needed by the sandbox, and
// enters Seccomp mode.
+ // The calling process must specify its current SandboxThreadState, as a way
+ // to tell the sandbox which type of kernel support it should engage.
// It is possible to stack multiple sandboxes by creating separate "Sandbox"
// objects and calling "StartSandbox()" on each of them. Please note, that
// this requires special care, though, as newly stacked sandboxes can never
@@ -175,7 +191,7 @@
// disallowed.
// Finally, stacking does add more kernel overhead than having a single
// combined policy. So, it should only be used if there are no alternatives.
- void StartSandbox();
+ bool StartSandbox(SandboxThreadState thread_state) WARN_UNUSED_RESULT;
// Assembles a BPF filter program from the current policy. After calling this
// function, you must not call any other sandboxing function.
@@ -228,7 +244,7 @@
// Assembles and installs a filter based on the policy that has previously
// been configured with SetSandboxPolicy().
- void InstallFilter();
+ void InstallFilter(SandboxThreadState thread_state);
// Verify the correctness of a compiled program by comparing it against the
// current policy. This function should only ever be called by unit tests and
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index 17df1d5..ba13a32 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -99,7 +99,7 @@
pid_t test_var = 0;
SandboxBPF sandbox;
sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var);
- sandbox.StartSandbox();
+ BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
BPF_ASSERT(test_var == 0);
BPF_ASSERT(syscall(__NR_getpid) == 0);
@@ -326,7 +326,7 @@
// restrict filters, but we cannot relax existing filters.
SandboxBPF sandbox;
sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL);
- sandbox.StartSandbox();
+ BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
errno = 0;
BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
diff --git a/sandbox/linux/seccomp-bpf/syscall.h b/sandbox/linux/seccomp-bpf/syscall.h
index 0b51380..95647ed 100644
--- a/sandbox/linux/seccomp-bpf/syscall.h
+++ b/sandbox/linux/seccomp-bpf/syscall.h
@@ -7,6 +7,8 @@
#include <stdint.h>
+#include "sandbox/linux/sandbox_export.h"
+
namespace sandbox {
// We have to make sure that we have a single "magic" return address for
@@ -15,13 +17,13 @@
// that also b) can be invoked in a way that computes this return address.
// Passing "nr" as "-1" computes the "magic" return address. Passing any
// other value invokes the appropriate system call.
-intptr_t SandboxSyscall(int nr,
- intptr_t p0,
- intptr_t p1,
- intptr_t p2,
- intptr_t p3,
- intptr_t p4,
- intptr_t p5);
+SANDBOX_EXPORT intptr_t SandboxSyscall(int nr,
+ intptr_t p0,
+ intptr_t p1,
+ intptr_t p2,
+ intptr_t p3,
+ intptr_t p4,
+ intptr_t p5);
// System calls can take up to six parameters. Traditionally, glibc
// implements this property by using variadic argument lists. This works, but
@@ -46,16 +48,17 @@
class T3 = intptr_t,
class T4 = intptr_t,
class T5 = intptr_t>
-inline intptr_t SandboxSyscall(int nr,
- T0 p0 = 0,
- T1 p1 = 0,
- T2 p2 = 0,
- T3 p3 = 0,
- T4 p4 = 0,
- T5 p5 = 0) __attribute__((always_inline));
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr,
+ T0 p0 = 0,
+ T1 p1 = 0,
+ T2 p2 = 0,
+ T3 p3 = 0,
+ T4 p4 = 0,
+ T5 p5 = 0)
+ __attribute__((always_inline));
template <class T0, class T1, class T2, class T3, class T4, class T5>
-inline intptr_t
+SANDBOX_EXPORT inline intptr_t
SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
return SandboxSyscall(nr,
(intptr_t)p0,
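Review bot: SANDBOX_EXPORT on the `inline ... __attribute__((always_inline))` templates here and in the following hunks probably has no useful effect, because these wrappers are instantiated and inlined in each caller. Only the non-template seven-argument `SandboxSyscall` declared in the first hunk needs to be visible across the component boundary. Dropping the macro from the inline overloads would keep the exported surface of the sandbox library down to the one real entry point, which is easier to audit. If it is kept for uniformity, a one-line comment saying so would settle the question. The definitions continue outside the hunks.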
@@ -73,10 +76,11 @@
// compilers as soon as we have fully switched to C++11
template <class T0, class T1, class T2, class T3, class T4, class T5>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5)
+SANDBOX_EXPORT inline intptr_t
+ SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5)
__attribute__((always_inline));
template <class T0, class T1, class T2, class T3, class T4, class T5>
-inline intptr_t
+SANDBOX_EXPORT inline intptr_t
SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
return SandboxSyscall(nr,
(intptr_t)p0,
@@ -88,46 +92,52 @@
}
template <class T0, class T1, class T2, class T3, class T4>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4)
+SANDBOX_EXPORT inline intptr_t
+ SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4)
__attribute__((always_inline));
template <class T0, class T1, class T2, class T3, class T4>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4) {
+SANDBOX_EXPORT inline intptr_t
+SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4) {
return SandboxSyscall(nr, p0, p1, p2, p3, p4, 0);
}
template <class T0, class T1, class T2, class T3>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3)
+SANDBOX_EXPORT inline intptr_t
+ SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3)
__attribute__((always_inline));
template <class T0, class T1, class T2, class T3>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3) {
+SANDBOX_EXPORT inline intptr_t
+SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2, T3 p3) {
return SandboxSyscall(nr, p0, p1, p2, p3, 0, 0);
}
template <class T0, class T1, class T2>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2)
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2)
__attribute__((always_inline));
template <class T0, class T1, class T2>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1, T2 p2) {
return SandboxSyscall(nr, p0, p1, p2, 0, 0, 0);
}
template <class T0, class T1>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1)
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1)
__attribute__((always_inline));
template <class T0, class T1>
-inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0, T1 p1) {
return SandboxSyscall(nr, p0, p1, 0, 0, 0, 0);
}
template <class T0>
-inline intptr_t SandboxSyscall(int nr, T0 p0) __attribute__((always_inline));
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0)
+ __attribute__((always_inline));
template <class T0>
-inline intptr_t SandboxSyscall(int nr, T0 p0) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr, T0 p0) {
return SandboxSyscall(nr, p0, 0, 0, 0, 0, 0);
}
-inline intptr_t SandboxSyscall(int nr) __attribute__((always_inline));
-inline intptr_t SandboxSyscall(int nr) {
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr)
+ __attribute__((always_inline));
+SANDBOX_EXPORT inline intptr_t SandboxSyscall(int nr) {
return SandboxSyscall(nr, 0, 0, 0, 0, 0, 0);
}
diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.h b/sandbox/linux/seccomp-bpf/syscall_iterator.h
index 3b56ea3..ea4273f 100644
--- a/sandbox/linux/seccomp-bpf/syscall_iterator.h
+++ b/sandbox/linux/seccomp-bpf/syscall_iterator.h
@@ -8,6 +8,7 @@
#include <stdint.h>
#include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -31,7 +32,7 @@
// }
//
// TODO(markus): Make this a classic C++ iterator.
-class SyscallIterator {
+class SANDBOX_EXPORT SyscallIterator {
public:
explicit SyscallIterator(bool invalid_only)
: invalid_only_(invalid_only), done_(false), num_(0) {}
diff --git a/sandbox/linux/seccomp-bpf/trap.h b/sandbox/linux/seccomp-bpf/trap.h
index 334a30d..4438d67 100644
--- a/sandbox/linux/seccomp-bpf/trap.h
+++ b/sandbox/linux/seccomp-bpf/trap.h
@@ -12,6 +12,7 @@
#include <vector>
#include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -25,7 +26,7 @@
// Preferably, that means that no other threads should be running at that
// time. For the purposes of our sandbox, this assertion should always be
// true. Threads are incompatible with the seccomp sandbox anyway.
-class Trap {
+class SANDBOX_EXPORT Trap {
public:
// TrapFnc is a pointer to a function that handles Seccomp traps in
// user-space. The seccomp policy can request that a trap handler gets
diff --git a/sandbox/linux/services/broker_process.cc b/sandbox/linux/services/broker_process.cc
index 47aec25..e91df52 100644
--- a/sandbox/linux/services/broker_process.cc
+++ b/sandbox/linux/services/broker_process.cc
@@ -20,6 +20,7 @@
#include "base/basictypes.h"
#include "base/callback.h"
#include "base/compiler_specific.h"
+#include "base/files/scoped_file.h"
#include "base/logging.h"
#include "base/pickle.h"
#include "base/posix/eintr_wrapper.h"
@@ -335,10 +336,15 @@
// will write the reply.
if (msg_len < 0 || fds.size() != 1 || fds.at(0) < 0) {
PLOG(ERROR) << "Error reading message from the client";
+ // The client could try to DoS us by sending more file descriptors, so
+ // make sure we close them.
+ for (std::vector<int>::iterator it = fds.begin(); it != fds.end(); ++it) {
+ PCHECK(0 == IGNORE_EINTR(close(*it)));
+ }
return false;
}
- const int temporary_ipc = fds.at(0);
+ base::ScopedFD temporary_ipc(fds.at(0));
Pickle pickle(buf, msg_len);
PickleIterator iter(pickle);
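Review bot: The new cleanup loop runs on a path where `fds.at(0) < 0` is one of the rejection conditions, so a negative entry would be passed to close(), fail with EBADF and trip `PCHECK`, aborting the broker instead of just rejecting the message. Whether the receive helper (outside this hunk) can ever yield a negative descriptor is not visible here, but since the branch guards against it the loop should skip such entries: `if (*it >= 0) PCHECK(0 == IGNORE_EINTR(close(*it)));`. More generally, a hard CHECK on an error path that a client message can trigger turns a malformed request into a broker crash; the code removed further down used DCHECK for close failures. The enclosing function starts and ends outside the hunk.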
@@ -351,15 +357,13 @@
case kCommandOpen:
// We reply on the file descriptor sent to us via the IPC channel.
r = HandleRemoteCommand(static_cast<IPCCommands>(command_type),
- temporary_ipc, pickle, iter);
+ temporary_ipc.get(), pickle, iter);
break;
default:
NOTREACHED();
r = false;
break;
}
- int ret = IGNORE_EINTR(close(temporary_ipc));
- DCHECK(!ret) << "Could not close temporary IPC channel";
return r;
}
@@ -402,7 +406,7 @@
// Close anything we have opened in this process.
for (std::vector<int>::iterator it = opened_files.begin();
- it < opened_files.end(); ++it) {
+ it != opened_files.end(); ++it) {
int ret = IGNORE_EINTR(close(*it));
DCHECK(!ret) << "Could not close file descriptor";
}
diff --git a/sandbox/linux/services/broker_process.h b/sandbox/linux/services/broker_process.h
index 84de396..b312b8f 100644
--- a/sandbox/linux/services/broker_process.h
+++ b/sandbox/linux/services/broker_process.h
@@ -12,6 +12,7 @@
#include "base/callback_forward.h"
#include "base/pickle.h"
#include "base/process/process.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -25,7 +26,7 @@
// 2. CHECK(open_broker.Init(NULL));
// 3. Enable sandbox.
// 4. Use open_broker.Open() to open files.
-class BrokerProcess {
+class SANDBOX_EXPORT BrokerProcess {
public:
// |denied_errno| is the error code returned when methods such as Open()
// or Access() are invoked on a file which is not in the whitelist. EACCESS
diff --git a/sandbox/linux/services/credentials.h b/sandbox/linux/services/credentials.h
index 48cf259..75eb5c4 100644
--- a/sandbox/linux/services/credentials.h
+++ b/sandbox/linux/services/credentials.h
@@ -15,13 +15,14 @@
#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
// This class should be used to manipulate the current process' credentials.
// It is currently a stub used to manipulate POSIX.1e capabilities as
// implemented by the Linux kernel.
-class Credentials {
+class SANDBOX_EXPORT Credentials {
public:
Credentials();
~Credentials();
diff --git a/sandbox/linux/services/init_process_reaper.h b/sandbox/linux/services/init_process_reaper.h
index 531d18c..7c9eab4 100644
--- a/sandbox/linux/services/init_process_reaper.h
+++ b/sandbox/linux/services/init_process_reaper.h
@@ -6,6 +6,7 @@
#define SANDBOX_LINUX_SERVICES_INIT_PROCESS_REAPER_H_
#include "base/callback_forward.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -16,7 +17,8 @@
// immediately after fork().
// Since this function calls fork(), it's very important that the caller has
// only one thread running.
-bool CreateInitProcessReaper(base::Closure* post_fork_parent_callback);
+SANDBOX_EXPORT bool CreateInitProcessReaper(
+ base::Closure* post_fork_parent_callback);
} // namespace sandbox.
diff --git a/sandbox/linux/services/scoped_process.h b/sandbox/linux/services/scoped_process.h
index d9f8b25..61da80a 100644
--- a/sandbox/linux/services/scoped_process.h
+++ b/sandbox/linux/services/scoped_process.h
@@ -8,6 +8,7 @@
#include "base/basictypes.h"
#include "base/callback_forward.h"
#include "base/process/process_handle.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
@@ -18,7 +19,7 @@
// destroy it.
// This class cannot be instanciated from a multi-threaded process, as it needs
// to fork().
-class ScopedProcess {
+class SANDBOX_EXPORT ScopedProcess {
public:
// A new process will be created and |child_callback| will run in the child
// process. This callback is allowed to terminate the process or to simply
diff --git a/sandbox/linux/services/thread_helpers.h b/sandbox/linux/services/thread_helpers.h
index f1b9327..d3ae038 100644
--- a/sandbox/linux/services/thread_helpers.h
+++ b/sandbox/linux/services/thread_helpers.h
@@ -6,12 +6,13 @@
#define SANDBOX_LINUX_SERVICES_THREAD_HELPERS_H_
#include "base/basictypes.h"
+#include "sandbox/linux/sandbox_export.h"
namespace base { class Thread; }
namespace sandbox {
-class ThreadHelpers {
+class SANDBOX_EXPORT ThreadHelpers {
public:
// Check whether the current process is single threaded. |proc_self_tasks|
// can be a file descriptor to /proc/self/task/ and remains owned by the
diff --git a/sandbox/linux/services/yama.h b/sandbox/linux/services/yama.h
index 236b74c..8677c2f 100644
--- a/sandbox/linux/services/yama.h
+++ b/sandbox/linux/services/yama.h
@@ -7,13 +7,14 @@
#include "base/basictypes.h"
#include "base/process/process_handle.h"
+#include "sandbox/linux/sandbox_export.h"
namespace sandbox {
// Yama is a LSM kernel module which can restrict ptrace().
// This class provides ways to detect if Yama is present and enabled
// and to restrict which processes can ptrace the current process.
-class Yama {
+class SANDBOX_EXPORT Yama {
public:
// This enum should be used to set or check a bitmask.
// A value of 0 would indicate that the status is not known.
diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h
index 5a6724d..0f6db7a 100644
--- a/sandbox/linux/suid/client/setuid_sandbox_client.h
+++ b/sandbox/linux/suid/client/setuid_sandbox_client.h
@@ -7,6 +7,7 @@
#include "base/basictypes.h"
#include "base/callback_forward.h"
+#include "sandbox/linux/sandbox_export.h"
namespace base { class Environment; }
@@ -21,7 +22,7 @@
// 2. The browser launches a renderer through the setuid sandbox.
// 3. The renderer requests being chroot-ed through ChrootMe() and
// requests other sandboxing status via the status functions.
-class SetuidSandboxClient {
+class SANDBOX_EXPORT SetuidSandboxClient {
public:
// All instantation should go through this factory method.
static class SetuidSandboxClient* Create();
diff --git a/sandbox/linux/suid/sandbox.c b/sandbox/linux/suid/sandbox.c
index f6e6c49..d91c147 100644
--- a/sandbox/linux/suid/sandbox.c
+++ b/sandbox/linux/suid/sandbox.c
@@ -303,13 +303,14 @@
// something went wrong, hence we bail with an error message rather then
// provide less security.
if (errno != EINVAL) {
+ fprintf(stderr, "Failed to move to new namespace:");
if (kCloneExtraFlags[i] & CLONE_NEWPID) {
- fprintf(stderr, " PID namespaces supported");
+ fprintf(stderr, " PID namespaces supported,");
}
if (kCloneExtraFlags[i] & CLONE_NEWNET) {
- fprintf(stderr, " Network namespace supported");
+ fprintf(stderr, " Network namespace supported,");
}
- fprintf(stderr, "but failed: errno = %s\n", strerror(clone_errno));
+ fprintf(stderr, " but failed: errno = %s\n", strerror(clone_errno));
return false;
}
}
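Review bot: The guard at the top of this block tests `errno`, while the message at the end reports `strerror(clone_errno)`, so the decision to bail out and the error shown to the user can come from two different error states if anything between the clone attempt and this check modified errno. Assuming clone_errno is the value saved right after the clone attempt (that assignment is outside the hunk), the condition should read `if (clone_errno != EINVAL) {`. This is the fail-closed path that the comment above it describes, so it should be keyed on the clone failure itself. The enclosing function begins and ends outside the hunk.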
@@ -486,6 +487,13 @@
return 1;
}
+ if (geteuid() != 0) {
+ fprintf(stderr,
+ "The setuid sandbox is not running as root. Common causes:\n"
+ " * An unprivileged process using ptrace on it, like a debugger.\n"
+ " * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)\n");
+ }
+
if (!MoveToNewNamespaces())
return 1;
if (!SpawnChrootHelper())
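Review bot: The new `geteuid() != 0` check only prints a diagnostic and then falls through to `MoveToNewNamespaces()`, so whether the helper stops depends on a later privileged step failing. Both listed causes (ptrace by an unprivileged process, `PR_SET_NO_NEW_PRIVS` set by a parent) mean the setuid bit was not honoured. If the helper is never meant to continue in that state, fail closed here by adding `return 1;` after the fprintf. If continuing is intentional, record that with a comment such as `// Diagnostic only: the privileged steps below fail on their own without root.`. The enclosing function continues outside the hunk.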
diff --git a/sandbox/linux/tests/unit_tests_unittest.cc b/sandbox/linux/tests/unit_tests_unittest.cc
index 2084b97..5ec5648 100644
--- a/sandbox/linux/tests/unit_tests_unittest.cc
+++ b/sandbox/linux/tests/unit_tests_unittest.cc
@@ -4,14 +4,20 @@
#include <signal.h>
#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include "base/posix/eintr_wrapper.h"
#include "sandbox/linux/tests/unit_tests.h"
namespace sandbox {
namespace {
-const int kExpectedExitCode = 42;
+// Let's not use any of the "magic" values used internally in unit_tests.cc,
+// such as kExpectedValue.
+const int kExpectedExitCode = 100;
SANDBOX_DEATH_TEST(UnitTests,
DeathExitCode,
@@ -27,6 +33,23 @@
raise(kExpectedSignalNumber);
}
+// Test that a subprocess can be forked() and can use exit(3) instead of
+// _exit(2).
+TEST(UnitTests, SubProcessCanExit) {
+ pid_t child = fork();
+ ASSERT_NE(-1, child);
+
+ if (!child) {
+ exit(kExpectedExitCode);
+ }
+
+ int status = 0;
+ pid_t waitpid_ret = HANDLE_EINTR(waitpid(child, &status, 0));
+ EXPECT_EQ(child, waitpid_ret);
+ EXPECT_TRUE(WIFEXITED(status));
+ EXPECT_EQ(kExpectedExitCode, WEXITSTATUS(status));
+}
+
} // namespace
} // namespace sandbox
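Review bot: In SubProcessCanExit, `WEXITSTATUS(status)` is still evaluated when waitpid failed or the child was killed by a signal, because the two preceding checks are non-fatal EXPECTs. In those cases the exit-status comparison is meaningless and only adds a second, misleading failure. Make the preconditions fatal: `ASSERT_EQ(child, waitpid_ret);` and `ASSERT_TRUE(WIFEXITED(status));`, keeping the final `EXPECT_EQ(kExpectedExitCode, WEXITSTATUS(status));` as is. A short comment in the child branch, e.g. `// exit(3) on purpose: atexit handlers must be safe to run in the forked child.`, would also keep a later cleanup from replacing it with `_exit`.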
diff --git a/sandbox/sandbox.target.darwin-arm.mk b/sandbox/sandbox.target.darwin-arm.mk
index 6a0b9d5..ef01a58 100644
--- a/sandbox/sandbox.target.darwin-arm.mk
+++ b/sandbox/sandbox.target.darwin-arm.mk
@@ -7,14 +7,15 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_helpers_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -32,6 +33,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -39,3 +41,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.darwin-mips.mk b/sandbox/sandbox.target.darwin-mips.mk
index 7ff1f11..9f8d415 100644
--- a/sandbox/sandbox.target.darwin-mips.mk
+++ b/sandbox/sandbox.target.darwin-mips.mk
@@ -7,12 +7,13 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -30,6 +31,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -37,3 +39,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.darwin-x86.mk b/sandbox/sandbox.target.darwin-x86.mk
index 6a0b9d5..ef01a58 100644
--- a/sandbox/sandbox.target.darwin-x86.mk
+++ b/sandbox/sandbox.target.darwin-x86.mk
@@ -7,14 +7,15 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_helpers_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -32,6 +33,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -39,3 +41,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.darwin-x86_64.mk b/sandbox/sandbox.target.darwin-x86_64.mk
index 6a0b9d5..ef01a58 100644
--- a/sandbox/sandbox.target.darwin-x86_64.mk
+++ b/sandbox/sandbox.target.darwin-x86_64.mk
@@ -7,14 +7,15 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_helpers_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -32,6 +33,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -39,3 +41,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.linux-arm.mk b/sandbox/sandbox.target.linux-arm.mk
index 6a0b9d5..ef01a58 100644
--- a/sandbox/sandbox.target.linux-arm.mk
+++ b/sandbox/sandbox.target.linux-arm.mk
@@ -7,14 +7,15 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_helpers_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -32,6 +33,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -39,3 +41,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.linux-mips.mk b/sandbox/sandbox.target.linux-mips.mk
index 7ff1f11..9f8d415 100644
--- a/sandbox/sandbox.target.linux-mips.mk
+++ b/sandbox/sandbox.target.linux-mips.mk
@@ -7,12 +7,13 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -30,6 +31,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -37,3 +39,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.linux-x86.mk b/sandbox/sandbox.target.linux-x86.mk
index 6a0b9d5..ef01a58 100644
--- a/sandbox/sandbox.target.linux-x86.mk
+++ b/sandbox/sandbox.target.linux-x86.mk
@@ -7,14 +7,15 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_helpers_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -32,6 +33,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -39,3 +41,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox.target.linux-x86_64.mk b/sandbox/sandbox.target.linux-x86_64.mk
index 6a0b9d5..ef01a58 100644
--- a/sandbox/sandbox.target.linux-x86_64.mk
+++ b/sandbox/sandbox.target.linux-x86_64.mk
@@ -7,14 +7,15 @@
LOCAL_MODULE_STEM := sandbox
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp)/sandbox_sandbox_services_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp)/sandbox_seccomp_bpf_gyp.a \
- $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp)/sandbox_seccomp_bpf_helpers_gyp.a
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_sandbox_services_gyp,,,$(GYP_VAR_PREFIX))/sandbox_sandbox_services_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_gyp.a \
+ $(call intermediates-dir-for,STATIC_LIBRARIES,sandbox_seccomp_bpf_helpers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_seccomp_bpf_helpers_gyp.a
GYP_GENERATED_OUTPUTS :=
@@ -32,6 +33,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -39,3 +41,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox_services.target.darwin-arm.mk b/sandbox/sandbox_services.target.darwin-arm.mk
index df03010..2888761 100644
--- a/sandbox/sandbox_services.target.darwin-arm.mk
+++ b/sandbox/sandbox_services.target.darwin-arm.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -82,6 +83,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -169,6 +171,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -212,9 +215,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
@@ -231,9 +234,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
diff --git a/sandbox/sandbox_services.target.darwin-mips.mk b/sandbox/sandbox_services.target.darwin-mips.mk
index 9eabd26..a3fc1e0 100644
--- a/sandbox/sandbox_services.target.darwin-mips.mk
+++ b/sandbox/sandbox_services.target.darwin-mips.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -81,6 +82,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -167,6 +169,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -210,9 +213,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-EL \
@@ -227,9 +230,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-EL \
diff --git a/sandbox/sandbox_services.target.darwin-x86.mk b/sandbox/sandbox_services.target.darwin-x86.mk
index 74c3f4f..a8ec83e 100644
--- a/sandbox/sandbox_services.target.darwin-x86.mk
+++ b/sandbox/sandbox_services.target.darwin-x86.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -83,6 +84,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -170,6 +172,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -212,9 +215,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
@@ -229,9 +232,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
diff --git a/sandbox/sandbox_services.target.darwin-x86_64.mk b/sandbox/sandbox_services.target.darwin-x86_64.mk
index f1db3d3..ce9dfb8 100644
--- a/sandbox/sandbox_services.target.darwin-x86_64.mk
+++ b/sandbox/sandbox_services.target.darwin-x86_64.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -83,6 +84,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -170,6 +172,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -212,9 +215,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
@@ -229,9 +232,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
diff --git a/sandbox/sandbox_services.target.linux-arm.mk b/sandbox/sandbox_services.target.linux-arm.mk
index df03010..2888761 100644
--- a/sandbox/sandbox_services.target.linux-arm.mk
+++ b/sandbox/sandbox_services.target.linux-arm.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -82,6 +83,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -169,6 +171,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -212,9 +215,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
@@ -231,9 +234,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
diff --git a/sandbox/sandbox_services.target.linux-mips.mk b/sandbox/sandbox_services.target.linux-mips.mk
index 9eabd26..a3fc1e0 100644
--- a/sandbox/sandbox_services.target.linux-mips.mk
+++ b/sandbox/sandbox_services.target.linux-mips.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -81,6 +82,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -167,6 +169,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -210,9 +213,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-EL \
@@ -227,9 +230,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-EL \
diff --git a/sandbox/sandbox_services.target.linux-x86.mk b/sandbox/sandbox_services.target.linux-x86.mk
index 74c3f4f..a8ec83e 100644
--- a/sandbox/sandbox_services.target.linux-x86.mk
+++ b/sandbox/sandbox_services.target.linux-x86.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -83,6 +84,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -170,6 +172,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -212,9 +215,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
@@ -229,9 +232,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
diff --git a/sandbox/sandbox_services.target.linux-x86_64.mk b/sandbox/sandbox_services.target.linux-x86_64.mk
index f1db3d3..ce9dfb8 100644
--- a/sandbox/sandbox_services.target.linux-x86_64.mk
+++ b/sandbox/sandbox_services.target.linux-x86_64.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_sandbox_services_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -83,6 +84,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -170,6 +172,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -212,9 +215,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
@@ -229,9 +232,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
diff --git a/sandbox/sandbox_services_headers.target.darwin-arm.mk b/sandbox/sandbox_services_headers.target.darwin-arm.mk
index 5d63c8e..054f04c 100644
--- a/sandbox/sandbox_services_headers.target.darwin-arm.mk
+++ b/sandbox/sandbox_services_headers.target.darwin-arm.mk
@@ -7,8 +7,9 @@
LOCAL_MODULE_STEM := sandbox_services_headers
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -211,6 +212,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -218,3 +220,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox_services_headers.target.darwin-x86.mk b/sandbox/sandbox_services_headers.target.darwin-x86.mk
index 48d4e33..a9f35a9 100644
--- a/sandbox/sandbox_services_headers.target.darwin-x86.mk
+++ b/sandbox/sandbox_services_headers.target.darwin-x86.mk
@@ -7,8 +7,9 @@
LOCAL_MODULE_STEM := sandbox_services_headers
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -211,6 +212,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -218,3 +220,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox_services_headers.target.darwin-x86_64.mk b/sandbox/sandbox_services_headers.target.darwin-x86_64.mk
index 866ac0d..bc9fbc3 100644
--- a/sandbox/sandbox_services_headers.target.darwin-x86_64.mk
+++ b/sandbox/sandbox_services_headers.target.darwin-x86_64.mk
@@ -7,8 +7,9 @@
LOCAL_MODULE_STEM := sandbox_services_headers
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -211,6 +212,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -218,3 +220,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox_services_headers.target.linux-arm.mk b/sandbox/sandbox_services_headers.target.linux-arm.mk
index 5d63c8e..054f04c 100644
--- a/sandbox/sandbox_services_headers.target.linux-arm.mk
+++ b/sandbox/sandbox_services_headers.target.linux-arm.mk
@@ -7,8 +7,9 @@
LOCAL_MODULE_STEM := sandbox_services_headers
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -211,6 +212,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -218,3 +220,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox_services_headers.target.linux-x86.mk b/sandbox/sandbox_services_headers.target.linux-x86.mk
index 48d4e33..a9f35a9 100644
--- a/sandbox/sandbox_services_headers.target.linux-x86.mk
+++ b/sandbox/sandbox_services_headers.target.linux-x86.mk
@@ -7,8 +7,9 @@
LOCAL_MODULE_STEM := sandbox_services_headers
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -211,6 +212,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -218,3 +220,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/sandbox_services_headers.target.linux-x86_64.mk b/sandbox/sandbox_services_headers.target.linux-x86_64.mk
index 866ac0d..bc9fbc3 100644
--- a/sandbox/sandbox_services_headers.target.linux-x86_64.mk
+++ b/sandbox/sandbox_services_headers.target.linux-x86_64.mk
@@ -7,8 +7,9 @@
LOCAL_MODULE_STEM := sandbox_services_headers
LOCAL_MODULE_SUFFIX := .stamp
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -211,6 +212,7 @@
LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
LOCAL_UNINSTALLABLE_MODULE := true
+LOCAL_2ND_ARCH_VAR_PREFIX := $(GYP_VAR_PREFIX)
include $(BUILD_SYSTEM)/base_rules.mk
@@ -218,3 +220,5 @@
$(hide) echo "Gyp timestamp: $@"
$(hide) mkdir -p $(dir $@)
$(hide) touch $@
+
+LOCAL_2ND_ARCH_VAR_PREFIX :=
diff --git a/sandbox/seccomp_bpf.target.darwin-arm.mk b/sandbox/seccomp_bpf.target.darwin-arm.mk
index aebe3e6..12bd54e 100644
--- a/sandbox/seccomp_bpf.target.darwin-arm.mk
+++ b/sandbox/seccomp_bpf.target.darwin-arm.mk
@@ -6,12 +6,13 @@
LOCAL_MODULE := sandbox_seccomp_bpf_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp)/sandbox_services_headers.stamp
+ $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_services_headers.stamp
GYP_GENERATED_OUTPUTS :=
@@ -87,6 +88,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -173,6 +175,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -215,9 +218,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
@@ -234,9 +237,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
diff --git a/sandbox/seccomp_bpf.target.darwin-x86.mk b/sandbox/seccomp_bpf.target.darwin-x86.mk
index 7db65f1..2fdb8d4 100644
--- a/sandbox/seccomp_bpf.target.darwin-x86.mk
+++ b/sandbox/seccomp_bpf.target.darwin-x86.mk
@@ -6,12 +6,13 @@
LOCAL_MODULE := sandbox_seccomp_bpf_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp)/sandbox_services_headers.stamp
+ $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_services_headers.stamp
GYP_GENERATED_OUTPUTS :=
@@ -88,6 +89,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -174,6 +176,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -215,9 +218,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
@@ -232,9 +235,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
diff --git a/sandbox/seccomp_bpf.target.darwin-x86_64.mk b/sandbox/seccomp_bpf.target.darwin-x86_64.mk
index 273a08de..236ee5a 100644
--- a/sandbox/seccomp_bpf.target.darwin-x86_64.mk
+++ b/sandbox/seccomp_bpf.target.darwin-x86_64.mk
@@ -6,12 +6,13 @@
LOCAL_MODULE := sandbox_seccomp_bpf_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp)/sandbox_services_headers.stamp
+ $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_services_headers.stamp
GYP_GENERATED_OUTPUTS :=
@@ -88,6 +89,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -174,6 +176,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -215,9 +218,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
@@ -232,9 +235,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
diff --git a/sandbox/seccomp_bpf.target.linux-arm.mk b/sandbox/seccomp_bpf.target.linux-arm.mk
index aebe3e6..12bd54e 100644
--- a/sandbox/seccomp_bpf.target.linux-arm.mk
+++ b/sandbox/seccomp_bpf.target.linux-arm.mk
@@ -6,12 +6,13 @@
LOCAL_MODULE := sandbox_seccomp_bpf_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp)/sandbox_services_headers.stamp
+ $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_services_headers.stamp
GYP_GENERATED_OUTPUTS :=
@@ -87,6 +88,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -173,6 +175,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -215,9 +218,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
@@ -234,9 +237,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
diff --git a/sandbox/seccomp_bpf.target.linux-x86.mk b/sandbox/seccomp_bpf.target.linux-x86.mk
index 7db65f1..2fdb8d4 100644
--- a/sandbox/seccomp_bpf.target.linux-x86.mk
+++ b/sandbox/seccomp_bpf.target.linux-x86.mk
@@ -6,12 +6,13 @@
LOCAL_MODULE := sandbox_seccomp_bpf_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp)/sandbox_services_headers.stamp
+ $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_services_headers.stamp
GYP_GENERATED_OUTPUTS :=
@@ -88,6 +89,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -174,6 +176,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -215,9 +218,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
@@ -232,9 +235,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
diff --git a/sandbox/seccomp_bpf.target.linux-x86_64.mk b/sandbox/seccomp_bpf.target.linux-x86_64.mk
index 273a08de..236ee5a 100644
--- a/sandbox/seccomp_bpf.target.linux-x86_64.mk
+++ b/sandbox/seccomp_bpf.target.linux-x86_64.mk
@@ -6,12 +6,13 @@
LOCAL_MODULE := sandbox_seccomp_bpf_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES := \
- $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp)/sandbox_services_headers.stamp
+ $(call intermediates-dir-for,GYP,sandbox_sandbox_services_headers_gyp,,,$(GYP_VAR_PREFIX))/sandbox_services_headers.stamp
GYP_GENERATED_OUTPUTS :=
@@ -88,6 +89,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -174,6 +176,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -215,9 +218,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
@@ -232,9 +235,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk b/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk
index 76120d4..f313af5 100644
--- a/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk
+++ b/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -81,6 +82,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -97,6 +99,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Debug := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -166,6 +169,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -183,6 +187,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Release := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -207,9 +212,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
@@ -226,9 +231,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk b/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk
index 0170ddf..a7625f0 100644
--- a/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk
+++ b/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -82,6 +83,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -98,6 +100,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Debug := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -167,6 +170,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -184,6 +188,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Release := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -207,9 +212,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
@@ -224,9 +229,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk b/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk
index 0701042..fb8cc51 100644
--- a/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk
+++ b/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -82,6 +83,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -98,6 +100,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Debug := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -167,6 +170,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -184,6 +188,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Release := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -207,9 +212,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
@@ -224,9 +229,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
diff --git a/sandbox/seccomp_bpf_helpers.target.linux-arm.mk b/sandbox/seccomp_bpf_helpers.target.linux-arm.mk
index 76120d4..f313af5 100644
--- a/sandbox/seccomp_bpf_helpers.target.linux-arm.mk
+++ b/sandbox/seccomp_bpf_helpers.target.linux-arm.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -81,6 +82,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -97,6 +99,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Debug := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -166,6 +169,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -183,6 +187,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Release := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -207,9 +212,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
@@ -226,9 +231,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-Wl,-z,relro \
diff --git a/sandbox/seccomp_bpf_helpers.target.linux-x86.mk b/sandbox/seccomp_bpf_helpers.target.linux-x86.mk
index 0170ddf..a7625f0 100644
--- a/sandbox/seccomp_bpf_helpers.target.linux-x86.mk
+++ b/sandbox/seccomp_bpf_helpers.target.linux-x86.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -82,6 +83,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -98,6 +100,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Debug := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -167,6 +170,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -184,6 +188,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Release := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -207,9 +212,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
@@ -224,9 +229,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m32 \
diff --git a/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk b/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk
index 0701042..fb8cc51 100644
--- a/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk
+++ b/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk
@@ -6,8 +6,9 @@
LOCAL_MODULE := sandbox_seccomp_bpf_helpers_gyp
LOCAL_MODULE_SUFFIX := .a
LOCAL_MODULE_TAGS := optional
-gyp_intermediate_dir := $(call local-intermediates-dir)
-gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_$(GYP_VAR_PREFIX)ARCH)
+gyp_intermediate_dir := $(call local-intermediates-dir,,$(GYP_VAR_PREFIX))
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared,,,$(GYP_VAR_PREFIX))
# Make sure our deps are built first.
GYP_TARGET_DEPENDENCIES :=
@@ -82,6 +83,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -98,6 +100,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Debug := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -167,6 +170,7 @@
'-DCLD_VERSION=1' \
'-DENABLE_PRINTING=1' \
'-DENABLE_MANAGED_USERS=1' \
+ '-DSANDBOX_IMPLEMENTATION' \
'-DUSE_OPENSSL=1' \
'-DUSE_OPENSSL_CERTS=1' \
'-D__STDC_CONSTANT_MACROS' \
@@ -184,6 +188,7 @@
# Include paths placed before CFLAGS/CPPFLAGS
LOCAL_C_INCLUDES_Release := \
+ $(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
$(LOCAL_PATH) \
$(PWD)/frameworks/wilhelm/include \
$(PWD)/bionic \
@@ -207,9 +212,9 @@
### Rules for final target.
LOCAL_LDFLAGS_Debug := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
@@ -224,9 +229,9 @@
LOCAL_LDFLAGS_Release := \
- -Wl,--fatal-warnings \
-Wl,-z,now \
-Wl,-z,relro \
+ -Wl,--fatal-warnings \
-Wl,-z,noexecstack \
-fPIC \
-m64 \
diff --git a/sandbox/win/src/broker_services.h b/sandbox/win/src/broker_services.h
index 11c10e0..d249443 100644
--- a/sandbox/win/src/broker_services.h
+++ b/sandbox/win/src/broker_services.h
@@ -36,8 +36,8 @@
// of the associated TargetProcess interface. In this implementation
// TargetProcess is a friend of BrokerServices where the later manages a
// collection of the former.
-class BrokerServicesBase : public BrokerServices,
- public SingletonBase<BrokerServicesBase> {
+class BrokerServicesBase FINAL : public BrokerServices,
+ public SingletonBase<BrokerServicesBase> {
public:
BrokerServicesBase();
diff --git a/sandbox/win/src/interception.cc b/sandbox/win/src/interception.cc
index 597b937..5439db6 100644
--- a/sandbox/win/src/interception.cc
+++ b/sandbox/win/src/interception.cc
@@ -17,7 +17,6 @@
#include "sandbox/win/src/interception_internal.h"
#include "sandbox/win/src/interceptors.h"
#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_utils.h"
#include "sandbox/win/src/service_resolver.h"
#include "sandbox/win/src/target_interceptions.h"
#include "sandbox/win/src/target_process.h"
@@ -483,8 +482,6 @@
thunk = new Wow64W8ResolverThunk(child_->Process(), relaxed_);
else
thunk = new Wow64ResolverThunk(child_->Process(), relaxed_);
- } else if (!IsXPSP2OrLater()) {
- thunk = new Win2kResolverThunk(child_->Process(), relaxed_);
} else if (os_info->version() >= base::win::VERSION_WIN8) {
thunk = new Win8ResolverThunk(child_->Process(), relaxed_);
} else {
diff --git a/sandbox/win/src/ipc_unittest.cc b/sandbox/win/src/ipc_unittest.cc
index 53b870c..612ab84 100644
--- a/sandbox/win/src/ipc_unittest.cc
+++ b/sandbox/win/src/ipc_unittest.cc
@@ -159,7 +159,7 @@
CrossCallReturn answer;
uint32 tag1 = 666;
- const wchar_t text[] = L"98765 - 43210";
+ const wchar_t *text = L"98765 - 43210";
base::string16 copied_text;
CrossCallParamsEx* actual_params;
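Review bot: The new declaration `const wchar_t *text = L"98765 - 43210";` leaves the pointer itself reassignable and binds the asterisk to the name, while the neighbouring `CrossCallParamsEx* actual_params;` binds it to the type. Writing `const wchar_t* const text = L"98765 - 43210";` would keep the immutability the array form had and match the surrounding style. The same applies to `text2` in the `@@ -206` hunk and `text` in the `@@ -235` hunk. Presumably the move from array to pointer is there so that `CrossCall` sees a pointer argument rather than an array type; a one-line comment saying so would keep a later cleanup from reverting it. The test bodies start and end outside these hunks.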
@@ -206,7 +206,7 @@
param_size = 1;
base::string16 copied_text_p0, copied_text_p2;
- const wchar_t text2[] = L"AeFG";
+ const wchar_t *text2 = L"AeFG";
CrossCall(client, tag1, text2, null_text, text, &answer);
actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
EXPECT_EQ(3, actual_params->GetParamsCount());
@@ -235,7 +235,7 @@
uint32 tag1 = 999;
uint32 tag2 = 111;
- const wchar_t text[] = L"godzilla";
+ const wchar_t *text = L"godzilla";
CrossCallParamsEx* actual_params;
char* mem = reinterpret_cast<char*>(client_control);
diff --git a/sandbox/win/src/policy_engine_opcodes.cc b/sandbox/win/src/policy_engine_opcodes.cc
index e8a39ed..5a03ea1 100644
--- a/sandbox/win/src/policy_engine_opcodes.cc
+++ b/sandbox/win/src/policy_engine_opcodes.cc
@@ -162,7 +162,7 @@
unsigned long upper_bound,
uint32 options) {
if (lower_bound > upper_bound) {
- return false;
+ return NULL;
}
PolicyOpcode* opcode = MakeBase(OP_ULONG_MATCH_RANGE, options,
selected_param);
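Review bot: The inverted-range guard (`lower_bound > upper_bound`) now returns `NULL`, but nothing in the hunk documents that a null opcode is the signal for a rejected range. A comment above the return, such as `// An inverted range can never match; refuse to build the opcode.`, would make the contract explicit. Because these opcodes make up sandbox policy rules, a caller that ignores the null result would end up with a rule missing its range check; whether the callers test for it is not visible here. The function's signature and the rest of its body lie outside the hunk.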
diff --git a/sandbox/win/src/policy_opcodes_unittest.cc b/sandbox/win/src/policy_opcodes_unittest.cc
index e1a7ad6..c69aad8 100644
--- a/sandbox/win/src/policy_opcodes_unittest.cc
+++ b/sandbox/win/src/policy_opcodes_unittest.cc
@@ -10,9 +10,9 @@
#define INIT_GLOBAL_RTL(member) \
- g_nt.##member = reinterpret_cast<##member##Function>( \
+ g_nt.member = reinterpret_cast<member##Function>( \
::GetProcAddress(ntdll, #member)); \
- if (NULL == g_nt.##member) \
+ if (NULL == g_nt.member) \
return false
namespace sandbox {
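Review bot: `INIT_GLOBAL_RTL` still expands to two statements, the assignment and a bare `if (NULL == g_nt.member) return false`, so it only behaves as intended when used as a full statement inside a braced block. As the body of an unbraced `if` or `else`, only the assignment would be conditional. Wrapping the expansion in `do { ... } while (0)` removes that trap without changing the call sites. A one-line comment above the macro noting that it returns `false` from the enclosing function when the ntdll export is missing would also help, since the hidden `return` is easy to overlook where the macro is used.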
@@ -185,8 +185,7 @@
OpcodeFactory opcode_maker(memory, sizeof(memory));
// Test basic match for unsigned longs 42 == 42 and 42 != 113377.
- PolicyOpcode* op_m42 = opcode_maker.MakeOpNumberMatch(0, unsigned long(42),
- kPolNone);
+ PolicyOpcode* op_m42 = opcode_maker.MakeOpNumberMatch(0, 42UL, kPolNone);
EXPECT_EQ(EVAL_TRUE, op_m42->Evaluate(&pp_num1, 1, NULL));
EXPECT_EQ(EVAL_FALSE, op_m42->Evaluate(&pp_num2, 1, NULL));
EXPECT_EQ(EVAL_ERROR, op_m42->Evaluate(&pp_wrong1, 1, NULL));
diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc
index 9ec19cd..0775b2d 100644
--- a/sandbox/win/src/process_mitigations.cc
+++ b/sandbox/win/src/process_mitigations.cc
@@ -8,7 +8,6 @@
#include "base/win/windows_version.h"
#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_utils.h"
#include "sandbox/win/src/win_utils.h"
namespace {
@@ -32,10 +31,6 @@
if (!CanSetProcessMitigationsPostStartup(flags))
return false;
- // We can't apply anything before Win XP, so just return cleanly.
- if (!IsXPSP2OrLater())
- return true;
-
base::win::Version version = base::win::GetVersion();
HMODULE module = ::GetModuleHandleA("kernel32.dll");
@@ -250,10 +245,6 @@
}
MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) {
- // Anything prior to XP SP2.
- if (!IsXPSP2OrLater())
- return 0;
-
base::win::Version version = base::win::GetVersion();
// Windows XP SP2+.
diff --git a/sandbox/win/src/process_mitigations_test.cc b/sandbox/win/src/process_mitigations_test.cc
index f1274c5..e6f3fc2 100644
--- a/sandbox/win/src/process_mitigations_test.cc
+++ b/sandbox/win/src/process_mitigations_test.cc
@@ -10,7 +10,6 @@
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_utils.h"
#include "sandbox/win/src/target_services.h"
#include "sandbox/win/src/win_utils.h"
#include "sandbox/win/tests/common/controller.h"
@@ -188,7 +187,7 @@
#if !defined(_WIN64) // DEP is always enabled on 64-bit.
TEST(ProcessMitigationsTest, CheckDep) {
- if (!IsXPSP2OrLater() || base::win::GetVersion() > base::win::VERSION_WIN7)
+ if (base::win::GetVersion() > base::win::VERSION_WIN7)
return;
TestRunner runner;
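Review bot: The early `return` in `CheckDep` makes the test report success without checking anything on versions newer than Windows 7, and no comment says why the cap exists. A regression in the DEP mitigation on those versions would not show up here. A short comment above the condition would help, along the lines of `// Passes vacuously after Win7: <reason, and which test covers DEP there>`, with the reason filled in by the author. The test body continues outside the hunk.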
diff --git a/sandbox/win/src/sandbox_utils.cc b/sandbox/win/src/sandbox_utils.cc
index 8631a7c..a1b77d6 100644
--- a/sandbox/win/src/sandbox_utils.cc
+++ b/sandbox/win/src/sandbox_utils.cc
@@ -7,18 +7,10 @@
#include <windows.h>
#include "base/logging.h"
-#include "base/win/windows_version.h"
#include "sandbox/win/src/internal_types.h"
namespace sandbox {
-bool IsXPSP2OrLater() {
- base::win::Version version = base::win::GetVersion();
- return (version > base::win::VERSION_XP) ||
- ((version == base::win::VERSION_XP) &&
- (base::win::OSInfo::GetInstance()->service_pack().major >= 2));
-}
-
void InitObjectAttribs(const base::string16& name,
ULONG attributes,
HANDLE root,
diff --git a/sandbox/win/src/sandbox_utils.h b/sandbox/win/src/sandbox_utils.h
index 3043597..2a17d63 100644
--- a/sandbox/win/src/sandbox_utils.h
+++ b/sandbox/win/src/sandbox_utils.h
@@ -14,9 +14,6 @@
namespace sandbox {
-// Returns true if the current OS is Windows XP SP2 or later.
-bool IsXPSP2OrLater();
-
void InitObjectAttribs(const base::string16& name,
ULONG attributes,
HANDLE root,
diff --git a/sandbox/win/src/service_resolver.h b/sandbox/win/src/service_resolver.h
index 20486c9..76daee4 100644
--- a/sandbox/win/src/service_resolver.h
+++ b/sandbox/win/src/service_resolver.h
@@ -16,7 +16,7 @@
public:
// The service resolver needs a child process to write to.
ServiceResolverThunk(HANDLE process, bool relaxed)
- : process_(process), ntdll_base_(NULL), win2k_(false),
+ : process_(process), ntdll_base_(NULL),
relaxed_(relaxed), relative_jump_(0) {}
virtual ~ServiceResolverThunk() {}
@@ -62,10 +62,6 @@
// Handle of the child process.
HANDLE process_;
- protected:
- // Keeps track of a Windows 2000 resolver.
- bool win2k_;
-
private:
// Returns true if the code pointer by target_ corresponds to the expected
// type of function. Saves that code on the first part of the thunk pointed
@@ -123,23 +119,6 @@
};
// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll on Windows 2000 and XP pre SP2.
-class Win2kResolverThunk : public ServiceResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- Win2kResolverThunk(HANDLE process, bool relaxed)
- : ServiceResolverThunk(process, relaxed) {
- win2k_ = true;
- }
- virtual ~Win2kResolverThunk() {}
-
- private:
- virtual bool IsFunctionAService(void* local_thunk) const;
-
- DISALLOW_COPY_AND_ASSIGN(Win2kResolverThunk);
-};
-
-// This is the concrete resolver used to perform service-call type functions
// inside ntdll.dll on Windows 8.
class Win8ResolverThunk : public ServiceResolverThunk {
public:
diff --git a/sandbox/win/src/service_resolver_32.cc b/sandbox/win/src/service_resolver_32.cc
index 9b8bbf9..be9de6b 100644
--- a/sandbox/win/src/service_resolver_32.cc
+++ b/sandbox/win/src/service_resolver_32.cc
@@ -400,26 +400,6 @@
return true;
}
-bool Win2kResolverThunk::IsFunctionAService(void* local_thunk) const {
- ServiceEntry function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read))
- return false;
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMovEax != function_code.mov_eax ||
- function_code.service_id > kMaxService)
- return false;
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
-
- return true;
-}
-
bool Win8ResolverThunk::IsFunctionAService(void* local_thunk) const {
ServiceEntryW8 function_code;
SIZE_T read;
diff --git a/sandbox/win/src/service_resolver_64.cc b/sandbox/win/src/service_resolver_64.cc
index 79c6b16..03795f7 100644
--- a/sandbox/win/src/service_resolver_64.cc
+++ b/sandbox/win/src/service_resolver_64.cc
@@ -209,9 +209,4 @@
return false;
}
-bool Win2kResolverThunk::IsFunctionAService(void* local_thunk) const {
- NOTREACHED_NT();
- return false;
-}
-
} // namespace sandbox
diff --git a/sandbox/win/src/service_resolver_unittest.cc b/sandbox/win/src/service_resolver_unittest.cc
index b01fedf..c7ac7ea 100644
--- a/sandbox/win/src/service_resolver_unittest.cc
+++ b/sandbox/win/src/service_resolver_unittest.cc
@@ -58,7 +58,6 @@
typedef ResolverThunkTest<sandbox::ServiceResolverThunk> WinXpResolverTest;
#if !defined(_WIN64)
-typedef ResolverThunkTest<sandbox::Win2kResolverThunk> Win2kResolverTest;
typedef ResolverThunkTest<sandbox::Win8ResolverThunk> Win8ResolverTest;
typedef ResolverThunkTest<sandbox::Wow64ResolverThunk> Wow64ResolverTest;
typedef ResolverThunkTest<sandbox::Wow64W8ResolverThunk> Wow64W8ResolverTest;
@@ -141,9 +140,6 @@
return new Wow64ResolverTest(relaxed);
}
- if (!sandbox::IsXPSP2OrLater())
- return new Win2kResolverTest(relaxed);
-
if (os_info->version() >= base::win::VERSION_WIN8)
return new Win8ResolverTest(relaxed);