binder_ndk/
state.rs

1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17use crate::sys;
18
19use libc::{pid_t, uid_t};
20
21/// Static utility functions to manage Binder process state.
22pub struct ProcessState;
23
24impl ProcessState {
25    /// Start the Binder IPC thread pool
26    pub fn start_thread_pool() {
27        unsafe {
28            // Safety: Safe FFI
29            sys::ABinderProcess_startThreadPool();
30        }
31    }
32
33    /// Set the maximum number of threads that can be started in the threadpool.
34    ///
35    /// By default, after startThreadPool is called, this is 15. If it is called
36    /// additional times, it will only prevent the kernel from starting new
37    /// threads and will not delete already existing threads.
38    pub fn set_thread_pool_max_thread_count(num_threads: u32) {
39        unsafe {
40            // Safety: Safe FFI
41            sys::ABinderProcess_setThreadPoolMaxThreadCount(num_threads);
42        }
43    }
44
45    /// Block on the Binder IPC thread pool
46    pub fn join_thread_pool() {
47        unsafe {
48            // Safety: Safe FFI
49            sys::ABinderProcess_joinThreadPool();
50        }
51    }
52}
53
54/// Static utility functions to manage Binder thread state.
55pub struct ThreadState;
56
57impl ThreadState {
58    /// This returns the calling UID assuming that this thread is called from a
59    /// thread that is processing a binder transaction (for instance, in the
60    /// implementation of
61    /// [`Remotable::on_transact`](crate::Remotable::on_transact)).
62    ///
63    /// This can be used with higher-level system services to determine the
64    /// caller's identity and check permissions.
65    ///
66    /// Available since API level 29.
67    ///
68    /// \return calling uid or the current process's UID if this thread isn't
69    /// processing a transaction.
70    pub fn get_calling_uid() -> uid_t {
71        unsafe {
72            // Safety: Safe FFI
73            sys::AIBinder_getCallingUid()
74        }
75    }
76
77    /// This returns the calling PID assuming that this thread is called from a
78    /// thread that is processing a binder transaction (for instance, in the
79    /// implementation of
80    /// [`Remotable::on_transact`](crate::Remotable::on_transact)).
81    ///
82    /// This can be used with higher-level system services to determine the
83    /// caller's identity and check permissions. However, when doing this, one
84    /// should be aware of possible TOCTOU problems when the calling process
85    /// dies and is replaced with another process with elevated permissions and
86    /// the same PID.
87    ///
88    /// Available since API level 29.
89    ///
90    /// \return calling pid or the current process's PID if this thread isn't
91    /// processing a transaction.
92    ///
93    /// If the transaction being processed is a oneway transaction, then this
94    /// method will return 0.
95    pub fn get_calling_pid() -> pid_t {
96        unsafe {
97            // Safety: Safe FFI
98            sys::AIBinder_getCallingPid()
99        }
100    }
101
102    /// Determine whether the current thread is currently executing an incoming transaction.
103    ///
104    /// \return true if the current thread is currently executing an incoming transaction, and false
105    /// otherwise.
106    pub fn is_handling_transaction() -> bool {
107        unsafe {
108            // Safety: Safe FFI
109            sys::AIBinder_isHandlingTransaction()
110        }
111    }
112
113    /// This function makes the client's security context available to the
114    /// service calling this function. This can be used for access control.
115    /// It does not suffer from the TOCTOU issues of get_calling_pid.
116    ///
117    /// Implementations of `check_permission` should use the given CStr
118    /// argument as context for selinux permission checks. If `None` is
119    /// given, the implementation should fall back to using the PID
120    /// instead.
121    ///
122    /// Note: `None` may be passed to the callback if the caller did not
123    /// `set_requesting_sid` on the serviced binder, or if the underlying
124    /// kernel is too old to support this feature.
125    pub fn with_calling_sid<T, F>(check_permission: F) -> T
126    where
127        for<'a> F: FnOnce(Option<&'a std::ffi::CStr>) -> T,
128    {
129        // Safety: AIBinder_getCallingSid returns a c-string pointer
130        // that is valid for a transaction. Also, the string returned
131        // is thread local. By restricting the lifetime of the CStr
132        // reference to the scope of the callback, we prevent it being
133        // used beyond the guaranteed lifetime.
134        check_permission(unsafe {
135            let sid = sys::AIBinder_getCallingSid();
136            // AIBinder_getCallingSid() returns a '\0' terminated string
137            // or NULL.
138            if sid.is_null() {
139                None
140            } else {
141                Some(std::ffi::CStr::from_ptr(sid))
142            }
143        })
144    }
145}