gralloc1: security hardening
Add support for getTransportSize, validateBufferSize and importBuffer
to gralloc1.
Bug: 66876469
Test: Manual
Change-Id: Ie3435297cff2d3272df658af262905c13f403e4b
diff --git a/include/hardware/gralloc1.h b/include/hardware/gralloc1.h
index 0a6843f..03e8432 100644
--- a/include/hardware/gralloc1.h
+++ b/include/hardware/gralloc1.h
@@ -155,7 +155,10 @@
GRALLOC1_FUNCTION_UNLOCK = 20,
GRALLOC1_FUNCTION_SET_LAYER_COUNT = 21,
GRALLOC1_FUNCTION_GET_LAYER_COUNT = 22,
- GRALLOC1_LAST_FUNCTION = 22,
+ GRALLOC1_FUNCTION_VALIDATE_BUFFER_SIZE = 23,
+ GRALLOC1_FUNCTION_GET_TRANSPORT_SIZE = 24,
+ GRALLOC1_FUNCTION_IMPORT_BUFFER = 25,
+ GRALLOC1_LAST_FUNCTION = 25,
} gralloc1_function_descriptor_t;
typedef enum {
@@ -670,6 +673,65 @@
typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_GET_STRIDE)(
gralloc1_device_t* device, buffer_handle_t buffer, uint32_t* outStride);
+/* getTransportSize(..., outNumFds, outNumInts)
+ * Function descriptor: GRALLOC1_FUNCTION_GET_TRANSPORT_SIZE
+ * This function is optional for all gralloc1 devices.
+ *
+ * Get the transport size of a buffer. An imported buffer handle is a raw
+ * buffer handle with the process-local runtime data appended. This
+ * function, for example, allows a caller to omit the process-local
+ * runtime data at the tail when serializing the imported buffer handle.
+ *
+ * Note that a client might or might not omit the process-local runtime
+ * data when sending an imported buffer handle. The mapper must support
+ * both cases on the receiving end.
+ *
+ * Parameters:
+ * outNumFds - the number of file descriptors needed for transport
+ * outNumInts - the number of integers needed for transport
+ *
+ * Returns GRALLOC1_ERROR_NONE or one of the following errors:
+ * GRALLOC1_ERROR_BAD_HANDLE - the buffer handle is invalid
+ * GRALLOC1_ERROR_UNSUPPORTED - the device is unable to retrieve the numFds
+ * and numInts; see note [1] in this section's header for more information
+ */
+typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_GET_TRANSPORT_SIZE)(
+ gralloc1_device_t* device, buffer_handle_t buffer, uint32_t *outNumFds,
+ uint32_t *outNumInts);
+
+typedef struct gralloc1_buffer_descriptor_info {
+ uint32_t width;
+ uint32_t height;
+ uint32_t layerCount;
+ int32_t /*android_pixel_format_t*/ format;
+ uint64_t producerUsage;
+ uint64_t consumerUsage;
+} gralloc1_buffer_descriptor_info_t;
+
+/* validateBufferSize(..., )
+ * Function descriptor: GRALLOC1_FUNCTION_VALIDATE_BUFFER_SIZE
+ * This function is optional for all gralloc1 devices.
+ *
+ * Validate that the buffer can be safely accessed by a caller who assumes
+ * the specified descriptorInfo and stride. This must at least validate
+ * that the buffer size is large enough. Validating the buffer against
+ * individual buffer attributes is optional.
+ *
+ * Parameters:
+ * descriptor - specifies the attributes of the buffer
+ * stride - the buffer stride returned by IAllocator::allocate
+ *
+ * Returns GRALLOC1_ERROR_NONE or one of the following errors:
+ * GRALLOC1_ERROR_BAD_HANDLE - the buffer handle is invalid
+ * GRALLOC1_ERROR_BAD_VALUE - when buffer cannot be safely accessed
+ * GRALLOC1_ERROR_UNSUPPORTED - the device is unable to validate the buffer
+ * size; see note [1] in this section's header for more information
+ */
+typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_VALIDATE_BUFFER_SIZE)(
+ gralloc1_device_t* device, buffer_handle_t buffer,
+ const gralloc1_buffer_descriptor_info_t* descriptorInfo,
+ uint32_t stride);
+
/*
* Buffer management functions
*/
@@ -723,6 +785,37 @@
const gralloc1_buffer_descriptor_t* descriptors,
buffer_handle_t* outBuffers);
+/* importBuffer(..., rawHandle, outBuffer);
+ * Function descriptor: GRALLOC1_FUNCTION_IMPORT_BUFFER
+ * This function is optional for all gralloc1 devices.
+ * When supported, GRALLOC1_CAPABILITY_RELEASE_IMPLY_DELETE must also be
+ * supported.
+ *
+ * Explictly imports a buffer into a proccess.
+ *
+ * This function can be called in place of retain when a raw buffer handle is
+ * received by a remote process. Import producess a import handle that can
+ * be used to access the underlying graphic buffer. The new import handle has a
+ * ref count of 1.
+ *
+ * This function must at least validate the raw handle before creating the
+ * imported handle. It must also support importing the same raw handle
+ * multiple times to create multiple imported handles. The imported handle
+ * must be considered valid everywhere in the process.
+ *
+ * Parameters:
+ * rawHandle - the raw buffer handle to import
+ * outBuffer - a handle to the newly imported buffer
+ *
+ * Returns GRALLOC1_ERROR_NONE or one of the following errors:
+ * GRALLOC1_ERROR_BAD_HANDLE - the buffer handle is invalid
+ * GRALLOC1_ERROR_NO_RESOURCES - it is not possible to add a import to this
+ * buffer at this time
+ */
+typedef int32_t /*gralloc1_error_t*/ (*GRALLOC1_PFN_IMPORT_BUFFER)(
+ gralloc1_device_t* device, const buffer_handle_t rawHandle,
+ buffer_handle_t* outBuffer);
+
/* retain(..., buffer)
* Function descriptor: GRALLOC1_FUNCTION_RETAIN
* Must be provided by all gralloc1 devices