diff options
| author | Lasse Collin <lasse.collin@tukaani.org> | 2023-10-09 18:37:32 +0300 |
|---|---|---|
| committer | Lasse Collin <lasse.collin@tukaani.org> | 2023-10-22 19:03:52 +0300 |
| commit | 3f53870c249945d657ca3d75e0993e6267d71f75 (patch) | |
| tree | 546ea33f43f2040176f13ebcbb5e39be0659122c | |
| parent | Simplify detection of Capsicum support. (diff) | |
| download | xz-3f53870c249945d657ca3d75e0993e6267d71f75.tar.xz | |
CMake: Add sandboxing support.
| -rw-r--r-- | CMakeLists.txt | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 2d3dabec..f37fd9b9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -10,7 +10,6 @@ # On some platforms this builds also xz and xzdec, but these are # highly experimental and meant for testing only: # - No large file support on those 32-bit platforms that need it -# - No sandboxing support # - No translations # # Other missing things: @@ -1241,6 +1240,55 @@ if(NOT MSVC OR MSVC_VERSION GREATER_EQUAL 1900) endif() endif() + # Sandboxing: + # ON Use sandboxing if a supported method is available in the OS. + # OFF Disable sandboxing. + # capsicum Require Capsicum (FreeBSD >= 10.2) and fail if not found. + # pledge Require pledge(2) (OpenBSD >= 5.9) and fail if not found. + set(SUPPORTED_SANDBOX_METHODS ON OFF capsicum pledge) + + set(ENABLE_SANDBOX ON CACHE STRING "Sandboxing method to use in 'xz'") + + set_property(CACHE ENABLE_SANDBOX + PROPERTY STRINGS "${SUPPORTED_SANDBOX_METHODS}") + + if(NOT ENABLE_SANDBOX IN_LIST SUPPORTED_SANDBOX_METHODS) + message(FATAL_ERROR "'${ENABLE_SANDBOX}' is not a supported " + "sandboxing method") + endif() + + # When autodetecting, the search order is fixed and we must not find + # more than one method. + if(ENABLE_SANDBOX STREQUAL "OFF") + set(SANDBOX_FOUND ON) + else() + set(SANDBOX_FOUND OFF) + endif() + + # Sandboxing: Capsicum + if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^capsicum$") + check_symbol_exists(cap_rights_limit sys/capsicum.h + HAVE_CAP_RIGHTS_LIMIT) + if(HAVE_CAP_RIGHTS_LIMIT) + target_compile_definitions(xz PRIVATE HAVE_CAP_RIGHTS_LIMIT) + set(SANDBOX_FOUND ON) + endif() + endif() + + # Sandboxing: pledge(2) + if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^pledge$") + check_symbol_exists(pledge unistd.h HAVE_PLEDGE) + if(HAVE_PLEDGE) + target_compile_definitions(xz PRIVATE HAVE_PLEDGE) + set(SANDBOX_FOUND ON) + endif() + endif() + + if(NOT SANDBOX_FOUND AND NOT ENABLE_SANDBOX MATCHES "^ON$|^OFF$") + message(SEND_ERROR "ENABLE_SANDBOX=${ENABLE_SANDBOX} was used but " + "support for the sandboxing method wasn't found.") + endif() + install(TARGETS xz RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT xz) |