diff options
author | Ben Murdoch <benm@google.com> | 2014-04-24 10:50:13 +0100 |
---|---|---|
committer | Ben Murdoch <benm@google.com> | 2014-04-24 10:50:13 +0100 |
commit | 0529e5d033099cbfc42635f6f6183833b09dff6e (patch) | |
tree | badea60062e611382d8a37e3b0bfda8d69760c2b /sandbox | |
parent | 8346740f6fb555ccbb9b4148ab63402ae8f6e4ca (diff) | |
download | chromium_org-0529e5d033099cbfc42635f6f6183833b09dff6e.tar.gz |
Merge from Chromium at DEPS revision 265802
This commit was generated by merge_to_master.py.
Change-Id: I6fac2dbbce472b18ca943b6e6f247835b0bd6281
Diffstat (limited to 'sandbox')
31 files changed, 182 insertions, 47 deletions
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi index 75f37c935c..0cccd2e9eb 100644 --- a/sandbox/linux/sandbox_linux.gypi +++ b/sandbox/linux/sandbox_linux.gypi @@ -57,6 +57,22 @@ ], }, { + 'target_name': 'sandbox_linux_test_utils', + 'type': 'static_library', + 'dependencies': [ + '../testing/gtest.gyp:gtest', + ], + 'include_dirs': [ + '../..', + ], + 'sources': [ + 'tests/test_utils.cc', + 'tests/test_utils.h', + 'tests/unit_tests.cc', + 'tests/unit_tests.h', + ], + }, + { # The main sandboxing test target. 'target_name': 'sandbox_linux_unittests', 'includes': [ @@ -294,10 +310,6 @@ 'type': 'none', 'variables': { 'test_suite_name': 'sandbox_linux_jni_unittests', - 'input_shlib_path': - '<(SHARED_LIB_DIR)/<(SHARED_LIB_PREFIX)' - 'sandbox_linux_jni_unittests' - '<(SHARED_LIB_SUFFIX)', }, 'dependencies': [ 'sandbox_linux_jni_unittests', diff --git a/sandbox/linux/sandbox_linux_test_sources.gypi b/sandbox/linux/sandbox_linux_test_sources.gypi index 01db0e94df..ffbf9c6191 100644 --- a/sandbox/linux/sandbox_linux_test_sources.gypi +++ b/sandbox/linux/sandbox_linux_test_sources.gypi @@ -7,6 +7,7 @@ { 'dependencies': [ 'sandbox', + 'sandbox_linux_test_utils', '../base/base.gyp:base', '../base/base.gyp:test_support_base', '../testing/gtest.gyp:gtest', @@ -16,10 +17,6 @@ ], 'sources': [ 'tests/main.cc', - 'tests/test_utils.cc', - 'tests/test_utils.h', - 'tests/unit_tests.cc', - 'tests/unit_tests.h', 'tests/unit_tests_unittest.cc', 'services/broker_process_unittest.cc', 'services/scoped_process_unittest.cc', diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc index 4cefa4cca2..47c9989299 100644 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc @@ -13,6 +13,11 @@ #include "build/build_config.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" +#define SECCOMP_MESSAGE_COMMON_CONTENT "seccomp-bpf failure" +#define SECCOMP_MESSAGE_CLONE_CONTENT "clone() failure" +#define SECCOMP_MESSAGE_PRCTL_CONTENT "prctl() failure" +#define SECCOMP_MESSAGE_IOCTL_CONTENT "ioctl() failure" + namespace { inline bool IsArchitectureX86_64() { @@ -54,7 +59,7 @@ void PrintSyscallError(uint32_t sysno) { sysno_base10[i] = '0' + mod; } static const char kSeccompErrorPrefix[] = - __FILE__":**CRASHING**:seccomp-bpf failure in syscall "; + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_COMMON_CONTENT " in syscall "; static const char kSeccompErrorPostfix[] = "\n"; WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1); WriteToStdErr(sysno_base10, sizeof(sysno_base10)); @@ -95,7 +100,7 @@ intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) { intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { static const char kSeccompCloneError[] = - __FILE__":**CRASHING**:clone() failure\n"; + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_CLONE_CONTENT "\n"; WriteToStdErr(kSeccompCloneError, sizeof(kSeccompCloneError) - 1); // "flags" is the first argument in the kernel's clone(). // Mark as volatile to be able to find the value on the stack in a minidump. @@ -115,7 +120,7 @@ intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) { intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* /* aux */) { static const char kSeccompPrctlError[] = - __FILE__":**CRASHING**:prctl() failure\n"; + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_PRCTL_CONTENT "\n"; WriteToStdErr(kSeccompPrctlError, sizeof(kSeccompPrctlError) - 1); // Mark as volatile to be able to find the value on the stack in a minidump. volatile uint64_t option = args.args[0]; @@ -129,7 +134,7 @@ intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* /* aux */) { static const char kSeccompIoctlError[] = - __FILE__":**CRASHING**:ioctl() failure\n"; + __FILE__":**CRASHING**:" SECCOMP_MESSAGE_IOCTL_CONTENT "\n"; WriteToStdErr(kSeccompIoctlError, sizeof(kSeccompIoctlError) - 1); // Make "request" volatile so that we can see it on the stack in a minidump. volatile uint64_t request = args.args[1]; @@ -142,4 +147,20 @@ intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, _exit(1); } +const char* GetErrorMessageContentForTests() { + return SECCOMP_MESSAGE_COMMON_CONTENT; +} + +const char* GetCloneErrorMessageContentForTests() { + return SECCOMP_MESSAGE_CLONE_CONTENT; +} + +const char* GetPrctlErrorMessageContentForTests() { + return SECCOMP_MESSAGE_PRCTL_CONTENT; +} + +const char* GetIoctlErrorMessageContentForTests() { + return SECCOMP_MESSAGE_IOCTL_CONTENT; +} + } // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h index 0bada37aa0..b8f626aec6 100644 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h @@ -39,6 +39,13 @@ SANDBOX_EXPORT intptr_t SANDBOX_EXPORT intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux); +// Following four functions return substrings of error messages used +// in the above four functions. They are useful in death tests. +SANDBOX_EXPORT const char* GetErrorMessageContentForTests(); +SANDBOX_EXPORT const char* GetCloneErrorMessageContentForTests(); +SANDBOX_EXPORT const char* GetPrctlErrorMessageContentForTests(); +SANDBOX_EXPORT const char* GetIoctlErrorMessageContentForTests(); + } // namespace sandbox. #endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_ diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h index cc3fc252fb..357e29c731 100644 --- a/sandbox/linux/seccomp-bpf/bpf_tests.h +++ b/sandbox/linux/seccomp-bpf/bpf_tests.h @@ -44,6 +44,12 @@ namespace sandbox { // Assertions are handled exactly the same as with a normal SANDBOX_TEST() #define BPF_ASSERT SANDBOX_ASSERT +#define BPF_ASSERT_EQ(x, y) BPF_ASSERT((x) == (y)) +#define BPF_ASSERT_NE(x, y) BPF_ASSERT((x) != (y)) +#define BPF_ASSERT_LT(x, y) BPF_ASSERT((x) < (y)) +#define BPF_ASSERT_GT(x, y) BPF_ASSERT((x) > (y)) +#define BPF_ASSERT_LE(x, y) BPF_ASSERT((x) <= (y)) +#define BPF_ASSERT_GE(x, y) BPF_ASSERT((x) >= (y)) // The "Aux" type is optional. We use an "empty" type by default, so that if // the caller doesn't provide any type, all the BPF_AUX related data compiles diff --git a/sandbox/linux/services/broker_process_unittest.cc b/sandbox/linux/services/broker_process_unittest.cc index 073eba827a..a1f38df3ae 100644 --- a/sandbox/linux/services/broker_process_unittest.cc +++ b/sandbox/linux/services/broker_process_unittest.cc @@ -6,6 +6,7 @@ #include <errno.h> #include <fcntl.h> +#include <sys/resource.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.cc b/sandbox/linux/suid/client/setuid_sandbox_client.cc index 8feec040e0..3300cb440f 100644 --- a/sandbox/linux/suid/client/setuid_sandbox_client.cc +++ b/sandbox/linux/suid/client/setuid_sandbox_client.cc @@ -4,6 +4,7 @@ #include "sandbox/linux/suid/client/setuid_sandbox_client.h" +#include <fcntl.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> @@ -13,10 +14,13 @@ #include "base/environment.h" #include "base/file_util.h" #include "base/files/file_path.h" +#include "base/files/scoped_file.h" #include "base/logging.h" +#include "base/macros.h" #include "base/memory/scoped_ptr.h" #include "base/path_service.h" #include "base/posix/eintr_wrapper.h" +#include "base/process/launch.h" #include "base/process/process_metrics.h" #include "base/strings/string_number_conversions.h" #include "sandbox/linux/services/init_process_reaper.h" @@ -25,6 +29,11 @@ namespace { +bool IsFileSystemAccessDenied() { + base::ScopedFD self_exe(HANDLE_EINTR(open(base::kProcSelfExe, O_RDONLY))); + return !self_exe.is_valid(); +} + // Set an environment variable that reflects the API version we expect from the // setuid sandbox. Old versions of the sandbox will ignore this. void SetSandboxAPIEnvironmentVariable(base::Environment* env) { @@ -32,6 +41,26 @@ void SetSandboxAPIEnvironmentVariable(base::Environment* env) { base::IntToString(sandbox::kSUIDSandboxApiNumber)); } +// Unset environment variables that are expected to be set by the setuid +// sandbox. This is to allow nesting of one instance of the SUID sandbox +// inside another. +void UnsetExpectedEnvironmentVariables(base::EnvironmentMap* env_map) { + DCHECK(env_map); + const base::NativeEnvironmentString environment_vars[] = { + sandbox::kSandboxDescriptorEnvironmentVarName, + sandbox::kSandboxHelperPidEnvironmentVarName, + sandbox::kSandboxEnvironmentApiProvides, + sandbox::kSandboxPIDNSEnvironmentVarName, + sandbox::kSandboxNETNSEnvironmentVarName, + }; + + for (size_t i = 0; i < arraysize(environment_vars); ++i) { + // Setting values in EnvironmentMap to an empty-string will make + // sure that they get unset from the environment via AlterEnvironment(). + (*env_map)[environment_vars[i]] = base::NativeEnvironmentString(); + } +} + // Wrapper around a shared C function. // Returns the "saved" environment variable name corresponding to |envvar| // in a new string or NULL. @@ -157,6 +186,7 @@ bool SetuidSandboxClient::ChrootMe() { // We now consider ourselves "fully sandboxed" as far as the // setuid sandbox is concerned. + CHECK(IsFileSystemAccessDenied()); sandboxed_ = true; return true; } @@ -196,6 +226,12 @@ bool SetuidSandboxClient::IsDisabledViaEnvironment() { return false; } +int SetuidSandboxClient::GetUniqueToChildFileDescriptor() { + // The setuid binary is hard-wired to close this in the helper process it + // creates. + return kZygoteIdFd; +} + base::FilePath SetuidSandboxClient::GetSandboxBinaryPath() { base::FilePath sandbox_binary; base::FilePath exe_dir; @@ -220,8 +256,8 @@ base::FilePath SetuidSandboxClient::GetSandboxBinaryPath() { return sandbox_binary; } -void SetuidSandboxClient::PrependWrapper(base::CommandLine* cmd_line) { - DCHECK(cmd_line); +void SetuidSandboxClient::PrependWrapper(base::CommandLine* cmd_line, + base::LaunchOptions* options) { std::string sandbox_binary(GetSandboxBinaryPath().value()); struct stat st; if (sandbox_binary.empty() || stat(sandbox_binary.c_str(), &st) != 0) { @@ -237,10 +273,17 @@ void SetuidSandboxClient::PrependWrapper(base::CommandLine* cmd_line) { "configured correctly. Rather than run without sandboxing " "I'm aborting now. You need to make sure that " << sandbox_binary << " is owned by root and has mode 4755."; + } - } else { + if (cmd_line) { cmd_line->PrependWrapper(sandbox_binary); } + + if (options) { + // Launching a setuid binary requires PR_SET_NO_NEW_PRIVS to not be used. + options->allow_new_privs = true; + UnsetExpectedEnvironmentVariables(&options->environ); + } } void SetuidSandboxClient::SetupLaunchEnvironment() { diff --git a/sandbox/linux/suid/client/setuid_sandbox_client.h b/sandbox/linux/suid/client/setuid_sandbox_client.h index 20a9905f67..332c63b69c 100644 --- a/sandbox/linux/suid/client/setuid_sandbox_client.h +++ b/sandbox/linux/suid/client/setuid_sandbox_client.h @@ -13,6 +13,7 @@ namespace base { class CommandLine; class Environment; +struct LaunchOptions; } namespace sandbox { @@ -20,11 +21,30 @@ namespace sandbox { // Helper class to use the setuid sandbox. This class is to be used both // before launching the setuid helper and after being executed through the // setuid helper. +// This class is difficult to use. It has been created by refactoring very old +// code scathered through the Chromium code base. // -// A typical use would be: -// 1. The browser calls SetupLaunchEnvironment() -// 2. The browser launches a renderer through the setuid sandbox. -// 3. The renderer requests being chroot-ed through ChrootMe() and +// A typical use for "A" launching a sandboxed process "B" would be: +// 1. A calls SetupLaunchEnvironment() +// 2. A sets up a CommandLine and then amends it with +// PrependWrapper() (or manually, by relying on GetSandboxBinaryPath()). +// 3. A makes sure that GetUniqueToChildFileDescriptor() is an existing file +// descriptor that can be closed by the helper process created by the +// setuid sandbox. (This is the right file descriptor to use for magic +// "must-be-unique" sockets that are use to identify processes across +// pid namespaces.) +// 4. A launches B with base::LaunchProcess, using the amended CommandLine. +// 5. B performs various initializations that require access to the file +// system. +// 5.b (optional) B uses sandbox::Credentials::HasOpenDirectory() to verify +// that no directory is kept open (which would allow bypassing the setuid +// sandbox). +// 6. B should be prepared to assume the role of init(1). In particular, B +// cannot receive any signal from any other process, excluding SIGKILL. +// If B dies, all the processes in the namespace will die. +// B can fork() and the parent can assume the role of init(1), by using +// CreateInitProcessReaper(). +// 7. B requests being chroot-ed through ChrootMe() and // requests other sandboxing status via the status functions. class SANDBOX_EXPORT SetuidSandboxClient { public: @@ -53,14 +73,25 @@ class SANDBOX_EXPORT SetuidSandboxClient { // Are we done and fully sandboxed ? bool IsSandboxed() const; + // The setuid sandbox may still be disabled via the environment. + // This is tracked in crbug.com/245376. bool IsDisabledViaEnvironment(); + // When using the setuid sandbox, an extra helper process is created. + // Unfortunately, this helper process is hard-wired to close a specific file + // descriptor. + // The caller must make sure that GetUniqueToChildFileDescriptor() is an + // existing file descriptor that can be closed by the helper process. It's ok + // to make it a dummy, useless file descriptor if needed. + int GetUniqueToChildFileDescriptor(); // Get the sandbox binary path. This method knows about the // CHROME_DEVEL_SANDBOX environment variable used for user-managed builds. If // the sandbox binary cannot be found, it will return an empty FilePath. base::FilePath GetSandboxBinaryPath(); - // Modify |cmd_line| to launch via the setuid sandbox. Crash if the setuid - // sandbox binary cannot be found. - void PrependWrapper(base::CommandLine* cmd_line); + // Modify |cmd_line| and |options| to launch via the setuid sandbox. Crash if + // the setuid sandbox binary cannot be found. Either can be NULL if the caller + // needs additional control. + void PrependWrapper(base::CommandLine* cmd_line, + base::LaunchOptions* options); // Set-up the environment. This should be done prior to launching the setuid // helper. void SetupLaunchEnvironment(); diff --git a/sandbox/linux/tests/main.cc b/sandbox/linux/tests/main.cc index 9ee384d6ed..a736ea2aee 100644 --- a/sandbox/linux/tests/main.cc +++ b/sandbox/linux/tests/main.cc @@ -10,6 +10,9 @@ #include "testing/gtest/include/gtest/gtest.h" namespace sandbox { + +extern const bool kAllowForkWithThreads = false; + namespace { // Check for leaks in our tests. diff --git a/sandbox/linux/tests/unit_tests.cc b/sandbox/linux/tests/unit_tests.cc index eeb5616fc7..42b85a8d6f 100644 --- a/sandbox/linux/tests/unit_tests.cc +++ b/sandbox/linux/tests/unit_tests.cc @@ -8,6 +8,7 @@ #include <stdio.h> #include <sys/resource.h> #include <sys/time.h> +#include <time.h> #include <unistd.h> #include "base/file_util.h" @@ -41,6 +42,8 @@ int CountThreads() { namespace sandbox { +extern bool kAllowForkWithThreads; + bool IsAndroid() { #if defined(OS_ANDROID) return true; @@ -109,17 +112,42 @@ void UnitTests::RunTestInProcess(UnitTests::Test test, // We need to fork(), so we can't be multi-threaded, as threads could hold // locks. int num_threads = CountThreads(); -#if defined(THREAD_SANITIZER) +#if !defined(THREAD_SANITIZER) + const int kNumExpectedThreads = 1; +#else // Under TSAN, there is a special helper thread. It should be completely // invisible to our testing, so we ignore it. It should be ok to fork() // with this thread. It's currently buggy, but it's the best we can do until // there is a way to delay the start of the thread // (https://code.google.com/p/thread-sanitizer/issues/detail?id=19). - num_threads--; + const int kNumExpectedThreads = 2; #endif - ASSERT_EQ(1, num_threads) << "Running sandbox tests with multiple threads " - << "is not supported and will make the tests " - << "flaky.\n"; + + // The kernel is at liberty to wake a thread id futex before updating /proc. + // If another test running in the same process has stopped a thread, it may + // appear as still running in /proc. + // We poll /proc, with an exponential back-off. At most, we'll sleep around + // 2^iterations nanoseconds in nanosleep(). + if (!kAllowForkWithThreads) { + for (unsigned int iteration = 0; iteration < 30; iteration++) { + struct timespec ts = {0, 1L << iteration /* nanoseconds */}; + PCHECK(0 == HANDLE_EINTR(nanosleep(&ts, &ts))); + num_threads = CountThreads(); + if (kNumExpectedThreads == num_threads) + break; + } + } + + const std::string multiple_threads_error = + "Running sandbox tests with multiple threads " + "is not supported and will make the tests flaky."; + if (!kAllowForkWithThreads) { + ASSERT_EQ(kNumExpectedThreads, num_threads) << multiple_threads_error; + } else { + if (kNumExpectedThreads != num_threads) + LOG(ERROR) << multiple_threads_error; + } + int fds[2]; ASSERT_EQ(0, pipe(fds)); // Check that our pipe is not on one of the standard file descriptor. diff --git a/sandbox/linux/tests/unit_tests.h b/sandbox/linux/tests/unit_tests.h index 0cb682b061..bc1939c9a1 100644 --- a/sandbox/linux/tests/unit_tests.h +++ b/sandbox/linux/tests/unit_tests.h @@ -19,6 +19,12 @@ bool IsArchitectureArm(); // Is Valgrind currently being used? bool IsRunningOnValgrind(); +#if defined(ADDRESS_SANITIZER) +#define DISABLE_ON_ASAN(test_name) DISABLED_##test_name +#else +#define DISABLE_ON_ASAN(test_name) test_name +#endif // defined(ADDRESS_SANITIZER) + #if defined(THREAD_SANITIZER) #define DISABLE_ON_TSAN(test_name) DISABLED_##test_name #else diff --git a/sandbox/sandbox_services.target.darwin-arm.mk b/sandbox/sandbox_services.target.darwin-arm.mk index 288876138d..3a93b3ea19 100644 --- a/sandbox/sandbox_services.target.darwin-arm.mk +++ b/sandbox/sandbox_services.target.darwin-arm.mk @@ -227,7 +227,6 @@ LOCAL_LDFLAGS_Debug := \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ -Wl,--icf=safe \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.darwin-mips.mk b/sandbox/sandbox_services.target.darwin-mips.mk index a3fc1e0950..eefac82d3d 100644 --- a/sandbox/sandbox_services.target.darwin-mips.mk +++ b/sandbox/sandbox_services.target.darwin-mips.mk @@ -223,7 +223,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.darwin-x86.mk b/sandbox/sandbox_services.target.darwin-x86.mk index a8ec83ef31..47be915aed 100644 --- a/sandbox/sandbox_services.target.darwin-x86.mk +++ b/sandbox/sandbox_services.target.darwin-x86.mk @@ -225,7 +225,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.darwin-x86_64.mk b/sandbox/sandbox_services.target.darwin-x86_64.mk index ce9dfb8a62..5982b2c1fe 100644 --- a/sandbox/sandbox_services.target.darwin-x86_64.mk +++ b/sandbox/sandbox_services.target.darwin-x86_64.mk @@ -225,7 +225,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.linux-arm.mk b/sandbox/sandbox_services.target.linux-arm.mk index 288876138d..3a93b3ea19 100644 --- a/sandbox/sandbox_services.target.linux-arm.mk +++ b/sandbox/sandbox_services.target.linux-arm.mk @@ -227,7 +227,6 @@ LOCAL_LDFLAGS_Debug := \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ -Wl,--icf=safe \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.linux-mips.mk b/sandbox/sandbox_services.target.linux-mips.mk index a3fc1e0950..eefac82d3d 100644 --- a/sandbox/sandbox_services.target.linux-mips.mk +++ b/sandbox/sandbox_services.target.linux-mips.mk @@ -223,7 +223,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.linux-x86.mk b/sandbox/sandbox_services.target.linux-x86.mk index a8ec83ef31..47be915aed 100644 --- a/sandbox/sandbox_services.target.linux-x86.mk +++ b/sandbox/sandbox_services.target.linux-x86.mk @@ -225,7 +225,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/sandbox_services.target.linux-x86_64.mk b/sandbox/sandbox_services.target.linux-x86_64.mk index ce9dfb8a62..5982b2c1fe 100644 --- a/sandbox/sandbox_services.target.linux-x86_64.mk +++ b/sandbox/sandbox_services.target.linux-x86_64.mk @@ -225,7 +225,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf.target.darwin-arm.mk b/sandbox/seccomp_bpf.target.darwin-arm.mk index 12bd54e32c..97a5d03e8d 100644 --- a/sandbox/seccomp_bpf.target.darwin-arm.mk +++ b/sandbox/seccomp_bpf.target.darwin-arm.mk @@ -230,7 +230,6 @@ LOCAL_LDFLAGS_Debug := \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ -Wl,--icf=safe \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf.target.darwin-x86.mk b/sandbox/seccomp_bpf.target.darwin-x86.mk index 2fdb8d4dec..1feffcddc3 100644 --- a/sandbox/seccomp_bpf.target.darwin-x86.mk +++ b/sandbox/seccomp_bpf.target.darwin-x86.mk @@ -228,7 +228,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf.target.darwin-x86_64.mk b/sandbox/seccomp_bpf.target.darwin-x86_64.mk index 236ee5a8fa..677a5ef678 100644 --- a/sandbox/seccomp_bpf.target.darwin-x86_64.mk +++ b/sandbox/seccomp_bpf.target.darwin-x86_64.mk @@ -228,7 +228,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf.target.linux-arm.mk b/sandbox/seccomp_bpf.target.linux-arm.mk index 12bd54e32c..97a5d03e8d 100644 --- a/sandbox/seccomp_bpf.target.linux-arm.mk +++ b/sandbox/seccomp_bpf.target.linux-arm.mk @@ -230,7 +230,6 @@ LOCAL_LDFLAGS_Debug := \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ -Wl,--icf=safe \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf.target.linux-x86.mk b/sandbox/seccomp_bpf.target.linux-x86.mk index 2fdb8d4dec..1feffcddc3 100644 --- a/sandbox/seccomp_bpf.target.linux-x86.mk +++ b/sandbox/seccomp_bpf.target.linux-x86.mk @@ -228,7 +228,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf.target.linux-x86_64.mk b/sandbox/seccomp_bpf.target.linux-x86_64.mk index 236ee5a8fa..677a5ef678 100644 --- a/sandbox/seccomp_bpf.target.linux-x86_64.mk +++ b/sandbox/seccomp_bpf.target.linux-x86_64.mk @@ -228,7 +228,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk b/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk index f313af5704..891944d7c7 100644 --- a/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk +++ b/sandbox/seccomp_bpf_helpers.target.darwin-arm.mk @@ -224,7 +224,6 @@ LOCAL_LDFLAGS_Debug := \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ -Wl,--icf=safe \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk b/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk index a7625f0b66..9f6a44238d 100644 --- a/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk +++ b/sandbox/seccomp_bpf_helpers.target.darwin-x86.mk @@ -222,7 +222,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk b/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk index fb8cc51945..1309413df3 100644 --- a/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk +++ b/sandbox/seccomp_bpf_helpers.target.darwin-x86_64.mk @@ -222,7 +222,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf_helpers.target.linux-arm.mk b/sandbox/seccomp_bpf_helpers.target.linux-arm.mk index f313af5704..891944d7c7 100644 --- a/sandbox/seccomp_bpf_helpers.target.linux-arm.mk +++ b/sandbox/seccomp_bpf_helpers.target.linux-arm.mk @@ -224,7 +224,6 @@ LOCAL_LDFLAGS_Debug := \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ -Wl,--icf=safe \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf_helpers.target.linux-x86.mk b/sandbox/seccomp_bpf_helpers.target.linux-x86.mk index a7625f0b66..9f6a44238d 100644 --- a/sandbox/seccomp_bpf_helpers.target.linux-x86.mk +++ b/sandbox/seccomp_bpf_helpers.target.linux-x86.mk @@ -222,7 +222,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed diff --git a/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk b/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk index fb8cc51945..1309413df3 100644 --- a/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk +++ b/sandbox/seccomp_bpf_helpers.target.linux-x86_64.mk @@ -222,7 +222,6 @@ LOCAL_LDFLAGS_Debug := \ -nostdlib \ -Wl,--no-undefined \ -Wl,--exclude-libs=ALL \ - -Wl,--gc-sections \ -Wl,--warn-shared-textrel \ -Wl,-O1 \ -Wl,--as-needed |