1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 use crate::sys;
18 
19 use libc::{pid_t, uid_t};
20 
21 /// Static utility functions to manage Binder process state.
22 pub struct ProcessState;
23 
24 impl ProcessState {
25     /// Start the Binder IPC thread pool
start_thread_pool()26     pub fn start_thread_pool() {
27         unsafe {
28             // Safety: Safe FFI
29             sys::ABinderProcess_startThreadPool();
30         }
31     }
32 
33     /// Set the maximum number of threads that can be started in the threadpool.
34     ///
35     /// By default, after startThreadPool is called, this is 15. If it is called
36     /// additional times, it will only prevent the kernel from starting new
37     /// threads and will not delete already existing threads.
set_thread_pool_max_thread_count(num_threads: u32)38     pub fn set_thread_pool_max_thread_count(num_threads: u32) {
39         unsafe {
40             // Safety: Safe FFI
41             sys::ABinderProcess_setThreadPoolMaxThreadCount(num_threads);
42         }
43     }
44 
45     /// Block on the Binder IPC thread pool
join_thread_pool()46     pub fn join_thread_pool() {
47         unsafe {
48             // Safety: Safe FFI
49             sys::ABinderProcess_joinThreadPool();
50         }
51     }
52 }
53 
54 /// Static utility functions to manage Binder thread state.
55 pub struct ThreadState;
56 
57 impl ThreadState {
58     /// This returns the calling UID assuming that this thread is called from a
59     /// thread that is processing a binder transaction (for instance, in the
60     /// implementation of
61     /// [`Remotable::on_transact`](crate::Remotable::on_transact)).
62     ///
63     /// This can be used with higher-level system services to determine the
64     /// caller's identity and check permissions.
65     ///
66     /// Available since API level 29.
67     ///
68     /// \return calling uid or the current process's UID if this thread isn't
69     /// processing a transaction.
get_calling_uid() -> uid_t70     pub fn get_calling_uid() -> uid_t {
71         unsafe {
72             // Safety: Safe FFI
73             sys::AIBinder_getCallingUid()
74         }
75     }
76 
77     /// This returns the calling PID assuming that this thread is called from a
78     /// thread that is processing a binder transaction (for instance, in the
79     /// implementation of
80     /// [`Remotable::on_transact`](crate::Remotable::on_transact)).
81     ///
82     /// This can be used with higher-level system services to determine the
83     /// caller's identity and check permissions. However, when doing this, one
84     /// should be aware of possible TOCTOU problems when the calling process
85     /// dies and is replaced with another process with elevated permissions and
86     /// the same PID.
87     ///
88     /// Available since API level 29.
89     ///
90     /// \return calling pid or the current process's PID if this thread isn't
91     /// processing a transaction.
92     ///
93     /// If the transaction being processed is a oneway transaction, then this
94     /// method will return 0.
get_calling_pid() -> pid_t95     pub fn get_calling_pid() -> pid_t {
96         unsafe {
97             // Safety: Safe FFI
98             sys::AIBinder_getCallingPid()
99         }
100     }
101 
102     /// This function makes the client's security context available to the
103     /// service calling this function. This can be used for access control.
104     /// It does not suffer from the TOCTOU issues of get_calling_pid.
105     ///
106     /// Implementations of `check_permission` should use the given CStr
107     /// argument as context for selinux permission checks. If `None` is
108     /// given, the implementation should fall back to using the PID
109     /// instead.
110     ///
111     /// Note: `None` may be passed to the callback if the caller did not
112     /// `set_requesting_sid` on the serviced binder, or if the underlying
113     /// kernel is too old to support this feature.
with_calling_sid<T, F>(check_permission: F) -> T where for<'a> F: FnOnce(Option<&'a std::ffi::CStr>) -> T114     pub fn with_calling_sid<T, F>(check_permission: F) -> T
115     where
116         for<'a> F: FnOnce(Option<&'a std::ffi::CStr>) -> T {
117         // Safety: AIBinder_getCallingSid returns a c-string pointer
118         // that is valid for a transaction. Also, the string returned
119         // is thread local. By restricting the lifetime of the CStr
120         // reference to the scope of the callback, we prevent it being
121         // used beyond the guaranteed lifetime.
122         check_permission(unsafe {
123             let sid = sys::AIBinder_getCallingSid();
124             // AIBinder_getCallingSid() returns a '\0' terminated string
125             // or NULL.
126             if sid.is_null() {
127                 None
128             } else {
129                 Some(std::ffi::CStr::from_ptr(sid))
130             }
131         })
132     }
133 }
134