gralloc1: security hardening

Add support for getTransportSize, validateBufferSize and importBuffer
to gralloc1.

Bug: 66876469
Test: Manual

Change-Id: Ie3435297cff2d3272df658af262905c13f403e4b
diff --git a/include/hardware/gralloc1.h b/include/hardware/gralloc1.h
index 0a6843f..03e8432 100644
--- a/include/hardware/gralloc1.h
+++ b/include/hardware/gralloc1.h
@@ -155,7 +155,10 @@
     GRALLOC1_FUNCTION_UNLOCK = 20,
     GRALLOC1_FUNCTION_SET_LAYER_COUNT = 21,
     GRALLOC1_FUNCTION_GET_LAYER_COUNT = 22,
-    GRALLOC1_LAST_FUNCTION = 22,
+    GRALLOC1_FUNCTION_VALIDATE_BUFFER_SIZE = 23,
+    GRALLOC1_FUNCTION_GET_TRANSPORT_SIZE = 24,
+    GRALLOC1_FUNCTION_IMPORT_BUFFER = 25,
+    GRALLOC1_LAST_FUNCTION = 25,
 } gralloc1_function_descriptor_t;
 
 typedef enum {
@@ -670,6 +673,65 @@
 typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_GET_STRIDE)(
         gralloc1_device_t* device, buffer_handle_t buffer, uint32_t* outStride);
 
+/* getTransportSize(..., outNumFds, outNumInts)
+ * Function descriptor: GRALLOC1_FUNCTION_GET_TRANSPORT_SIZE
+ * This function is optional for all gralloc1 devices.
+ *
+ * Get the transport size of a buffer. An imported buffer handle is a raw
+ * buffer handle with the process-local runtime data appended. This
+ * function, for example, allows a caller to omit the process-local
+ * runtime data at the tail when serializing the imported buffer handle.
+ *
+ * Note that a client might or might not omit the process-local runtime
+ * data when sending an imported buffer handle. The mapper must support
+ * both cases on the receiving end.
+ *
+ * Parameters:
+ *   outNumFds - the number of file descriptors needed for transport
+ *   outNumInts - the number of integers needed for transport
+ *
+ * Returns GRALLOC1_ERROR_NONE or one of the following errors:
+ *   GRALLOC1_ERROR_BAD_HANDLE - the buffer handle is invalid
+ *   GRALLOC1_ERROR_UNSUPPORTED - the device is unable to retrieve the numFds
+ *       and numInts; see note [1] in this section's header for more information
+ */
+typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_GET_TRANSPORT_SIZE)(
+        gralloc1_device_t* device, buffer_handle_t buffer, uint32_t *outNumFds,
+        uint32_t *outNumInts);
+
+typedef struct gralloc1_buffer_descriptor_info {
+    uint32_t width;
+    uint32_t height;
+    uint32_t layerCount;
+    int32_t /*android_pixel_format_t*/ format;
+    uint64_t producerUsage;
+    uint64_t consumerUsage;
+} gralloc1_buffer_descriptor_info_t;
+
+/* validateBufferSize(..., )
+ * Function descriptor: GRALLOC1_FUNCTION_VALIDATE_BUFFER_SIZE
+ * This function is optional for all gralloc1 devices.
+ *
+ * Validate that the buffer can be safely accessed by a caller who assumes
+ * the specified descriptorInfo and stride. This must at least validate
+ * that the buffer size is large enough. Validating the buffer against
+ * individual buffer attributes is optional.
+ *
+ * Parameters:
+ *   descriptor - specifies the attributes of the buffer
+ *   stride - the buffer stride returned by IAllocator::allocate
+ *
+ * Returns GRALLOC1_ERROR_NONE or one of the following errors:
+ *   GRALLOC1_ERROR_BAD_HANDLE - the buffer handle is invalid
+ *   GRALLOC1_ERROR_BAD_VALUE - when buffer cannot be safely accessed
+ *   GRALLOC1_ERROR_UNSUPPORTED - the device is unable to validate the buffer
+ *       size; see note [1] in this section's header for more information
+ */
+typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_VALIDATE_BUFFER_SIZE)(
+        gralloc1_device_t* device, buffer_handle_t buffer,
+        const gralloc1_buffer_descriptor_info_t* descriptorInfo,
+        uint32_t stride);
+
 /*
  * Buffer management functions
  */
@@ -723,6 +785,37 @@
         const gralloc1_buffer_descriptor_t* descriptors,
         buffer_handle_t* outBuffers);
 
+/* importBuffer(..., rawHandle, outBuffer);
+ * Function descriptor: GRALLOC1_FUNCTION_IMPORT_BUFFER
+ * This function is optional for all gralloc1 devices.
+ * When supported, GRALLOC1_CAPABILITY_RELEASE_IMPLY_DELETE must also be
+ * supported.
+ *
+ * Explictly imports a buffer into a proccess.
+ *
+ * This function can be called in place of retain when a raw buffer handle is
+ * received by a remote process. Import producess a import handle that can
+ * be used to access the underlying graphic buffer. The new import handle has a
+ * ref count of 1.
+ *
+ * This function must at least validate the raw handle before creating the
+ * imported handle. It must also support importing the same raw handle
+ * multiple times to create multiple imported handles. The imported handle
+ * must be considered valid everywhere in the process.
+ *
+ * Parameters:
+ *   rawHandle - the raw buffer handle to import
+ *   outBuffer - a handle to the newly imported buffer
+ *
+ * Returns GRALLOC1_ERROR_NONE or one of the following errors:
+ *   GRALLOC1_ERROR_BAD_HANDLE - the buffer handle is invalid
+ *   GRALLOC1_ERROR_NO_RESOURCES - it is not possible to add a import to this
+ *       buffer at this time
+ */
+typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_IMPORT_BUFFER)(
+        gralloc1_device_t* device, const buffer_handle_t rawHandle,
+        buffer_handle_t* outBuffer);
+
 /* retain(..., buffer)
  * Function descriptor: GRALLOC1_FUNCTION_RETAIN
  * Must be provided by all gralloc1 devices