diff options
author | 2023-02-24 17:35:54 +0000 | |
---|---|---|
committer | 2023-02-24 17:35:54 +0000 | |
commit | 11a9b4824010d4ef39f9f04eb10d98adcd91d242 (patch) | |
tree | 032b39931cec232711c01fc16070894fd4940566 | |
parent | 2f5adcb938b83484b46fee2eabbce8e553f85267 (diff) | |
parent | 1310f1584ca557245d0677efd0db4dc1f1ed7c57 (diff) |
Merge "Enable isolated process to use graphics allocator"
-rw-r--r-- | libs/binder/ndk/include_platform/android/binder_manager.h | 17 | ||||
-rw-r--r-- | libs/binder/ndk/libbinder_ndk.map.txt | 2 | ||||
-rw-r--r-- | libs/binder/ndk/service_manager.cpp | 7 | ||||
-rw-r--r-- | libs/ui/Gralloc4.cpp | 13 |
4 files changed, 30 insertions, 9 deletions
diff --git a/libs/binder/ndk/include_platform/android/binder_manager.h b/libs/binder/ndk/include_platform/android/binder_manager.h index 86d5ed27b8..43159d8ba2 100644 --- a/libs/binder/ndk/include_platform/android/binder_manager.h +++ b/libs/binder/ndk/include_platform/android/binder_manager.h @@ -22,6 +22,16 @@ __BEGIN_DECLS +enum AServiceManager_AddServiceFlag : uint32_t { + /** + * This allows processes with AID_ISOLATED to get the binder of the service added. + * + * Services with methods that perform file IO, web socket creation or ways to egress data must + * not be added with this flag for privacy concerns. + */ + ADD_SERVICE_ALLOW_ISOLATED = 1, +}; + /** * This registers the service with the default service manager under this instance name. This does * not take ownership of binder. @@ -46,12 +56,13 @@ __attribute__((warn_unused_result)) binder_exception_t AServiceManager_addServic * * \param binder object to register globally with the service manager. * \param instance identifier of the service. This will be used to lookup the service. - * \param allowIsolated allows if this service can be isolated. + * \param flag an AServiceManager_AddServiceFlag enum to denote how the service should be added. * * \return EX_NONE on success. */ -__attribute__((warn_unused_result)) binder_exception_t AServiceManager_addServiceWithAllowIsolated( - AIBinder* binder, const char* instance, bool allowIsolated) __INTRODUCED_IN(34); +__attribute__((warn_unused_result)) binder_exception_t AServiceManager_addServiceWithFlag( + AIBinder* binder, const char* instance, const AServiceManager_AddServiceFlag flag) + __INTRODUCED_IN(34); /** * Gets a binder object with this specific instance name. Will return nullptr immediately if the diff --git a/libs/binder/ndk/libbinder_ndk.map.txt b/libs/binder/ndk/libbinder_ndk.map.txt index 5f2f617946..1078fb2b16 100644 --- a/libs/binder/ndk/libbinder_ndk.map.txt +++ b/libs/binder/ndk/libbinder_ndk.map.txt @@ -158,12 +158,12 @@ LIBBINDER_NDK34 { # introduced=UpsideDownCake AServiceManager_getUpdatableApexName; # systemapi AServiceManager_registerForServiceNotifications; # systemapi llndk AServiceManager_NotificationRegistration_delete; # systemapi llndk + AServiceManager_addServiceWithFlag; # systemapi llndk }; LIBBINDER_NDK_PLATFORM { global: AParcel_getAllowFds; - AServiceManager_addServiceWithAllowIsolated; extern "C++" { AIBinder_fromPlatformBinder*; AIBinder_toPlatformBinder*; diff --git a/libs/binder/ndk/service_manager.cpp b/libs/binder/ndk/service_manager.cpp index 2763ddb622..84da459454 100644 --- a/libs/binder/ndk/service_manager.cpp +++ b/libs/binder/ndk/service_manager.cpp @@ -42,14 +42,15 @@ binder_exception_t AServiceManager_addService(AIBinder* binder, const char* inst return PruneException(exception); } -binder_exception_t AServiceManager_addServiceWithAllowIsolated(AIBinder* binder, - const char* instance, - bool allowIsolated) { +binder_exception_t AServiceManager_addServiceWithFlag(AIBinder* binder, const char* instance, + const AServiceManager_AddServiceFlag flag) { if (binder == nullptr || instance == nullptr) { return EX_ILLEGAL_ARGUMENT; } sp<IServiceManager> sm = defaultServiceManager(); + + bool allowIsolated = flag & AServiceManager_AddServiceFlag::ADD_SERVICE_ALLOW_ISOLATED; status_t exception = sm->addService(String16(instance), binder->getBinder(), allowIsolated); return PruneException(exception); } diff --git a/libs/ui/Gralloc4.cpp b/libs/ui/Gralloc4.cpp index f6ab7b2a5e..53372c9866 100644 --- a/libs/ui/Gralloc4.cpp +++ b/libs/ui/Gralloc4.cpp @@ -22,6 +22,8 @@ #include <aidlcommonsupport/NativeHandle.h> #include <android/binder_enums.h> #include <android/binder_manager.h> +#include <cutils/android_filesystem_config.h> +#include <cutils/multiuser.h> #include <gralloctypes/Gralloc4.h> #include <hidl/ServiceManagement.h> #include <hwbinder/IPCThreadState.h> @@ -1195,8 +1197,15 @@ Gralloc4Allocator::Gralloc4Allocator(const Gralloc4Mapper& mapper) : mMapper(map mAllocator = IAllocator::getService(); if (__builtin_available(android 31, *)) { if (hasIAllocatorAidl()) { - mAidlAllocator = AidlIAllocator::fromBinder(ndk::SpAIBinder( - AServiceManager_waitForService(kAidlAllocatorServiceName.c_str()))); + // TODO(b/269517338): Perform the isolated checking for this in service manager instead. + uid_t aid = multiuser_get_app_id(getuid()); + if (aid >= AID_ISOLATED_START && aid <= AID_ISOLATED_END) { + mAidlAllocator = AidlIAllocator::fromBinder(ndk::SpAIBinder( + AServiceManager_getService(kAidlAllocatorServiceName.c_str()))); + } else { + mAidlAllocator = AidlIAllocator::fromBinder(ndk::SpAIBinder( + AServiceManager_waitForService(kAidlAllocatorServiceName.c_str()))); + } ALOGE_IF(!mAidlAllocator, "AIDL IAllocator declared but failed to get service"); } } |