Make building seccomp-bpf a GYP condition

content/common/sandbox_linux/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/types.h>
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "build/build_config.h"
 #include "content/public/common/content_switches.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 
-// These are the only architectures supported for now.
-#if defined(__i386__) || defined(__x86_64__) || \
-    (defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__)))
-#define SECCOMP_BPF_SANDBOX
-#endif
+#if defined(USE_SECCOMP_BPF)
 
-#if defined(SECCOMP_BPF_SANDBOX)
 #include "base/posix/eintr_wrapper.h"
 #include "content/common/sandbox_linux/bpf_cros_arm_gpu_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_ppapi_policy_linux.h"
 #include "content/common/sandbox_linux/bpf_renderer_policy_linux.h"
 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
 using sandbox::BaselinePolicy;
 using sandbox::SyscallSets;
 
+#else
+
+// Make sure that seccomp-bpf does not get disabled by mistake. Also make sure
+// that we think twice about this when adding a new architecture.
+#if !defined(ARCH_CPU_MIPS_FAMILY)
+#error "Seccomp-bpf disabled on supported architecture!"
+#endif  // !defined(ARCH_CPU_MIPS_FAMILY)
+
+#endif  //
+
 namespace content {
 
+#if defined(USE_SECCOMP_BPF)
 namespace {
 
 void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy);
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
@@ skipping 149 matching lines @@
   // Avoid -Wunused-function with no-op code.
   ignore_result(IsChromeOS);
   ignore_result(IsArchitectureArm);
   ignore_result(RunSandboxSanityChecks);
   return false;
 }
 #endif  // !defined(IN_NACL_HELPER)
 
 }  // namespace
 
-#endif  // SECCOMP_BPF_SANDBOX
+#endif  // USE_SECCOMP_BPF
 
 // Is seccomp BPF globally enabled?
 bool SandboxSeccompBPF::IsSeccompBPFDesired() {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (!command_line.HasSwitch(switches::kNoSandbox) &&
       !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) {
     return true;
   } else {
     return false;
   }
 }
 
 bool SandboxSeccompBPF::ShouldEnableSeccompBPF(
     const std::string& process_type) {
-#if defined(SECCOMP_BPF_SANDBOX)
+#if defined(USE_SECCOMP_BPF)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (process_type == switches::kGpuProcess)
     return !command_line.HasSwitch(switches::kDisableGpuSandbox);
 
   return true;
-#endif  // SECCOMP_BPF_SANDBOX
+#endif  // USE_SECCOMP_BPF
   return false;
 }
 
 bool SandboxSeccompBPF::SupportsSandbox() {
-#if defined(SECCOMP_BPF_SANDBOX)
+#if defined(USE_SECCOMP_BPF)
   // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
   // here.
   SandboxBPF::SandboxStatus bpf_sandbox_status =
       SandboxBPF::SupportsSeccompSandbox(-1);
   // Kernel support is what we are interested in here. Other status
   // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support.
   // We make this a negative check, since if there is a bug, we would rather
   // "fail closed" (expect a sandbox to be available and try to start it).
   if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) {
     return true;
   }
 #endif
   return false;
 }
 
 bool SandboxSeccompBPF::StartSandbox(const std::string& process_type) {
-#if defined(SECCOMP_BPF_SANDBOX)
+#if defined(USE_SECCOMP_BPF)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
 
   if (IsSeccompBPFDesired() &&  // Global switches policy.
       ShouldEnableSeccompBPF(process_type) &&  // Process-specific policy.
       SupportsSandbox()) {
     // If the kernel supports the sandbox, and if the command line says we
     // should enable it, enable it or die.
     bool started_sandbox = StartBPFSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 bool SandboxSeccompBPF::StartSandboxWithExternalPolicy(
     scoped_ptr<sandbox::SandboxBPFPolicy> policy) {
-#if defined(SECCOMP_BPF_SANDBOX)
+#if defined(USE_SECCOMP_BPF)
   if (IsSeccompBPFDesired() && SupportsSandbox()) {
     CHECK(policy);
     StartSandboxWithPolicy(policy.release());
     return true;
   }
-#endif  // defined(SECCOMP_BPF_SANDBOX)
+#endif  // defined(USE_SECCOMP_BPF)
   return false;
 }
 
 scoped_ptr<sandbox::SandboxBPFPolicy>
 SandboxSeccompBPF::GetBaselinePolicy() {
-#if defined(SECCOMP_BPF_SANDBOX)
+#if defined(USE_SECCOMP_BPF)
   return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy);
 #else
   return scoped_ptr<sandbox::SandboxBPFPolicy>();
-#endif  // defined(SECCOMP_BPF_SANDBOX)
+#endif  // defined(USE_SECCOMP_BPF)
 }
 
 }  // namespace content