libbinder: allow fd transport in trusty by default

cukie · cukie · commit 33d6d19d48f1 · 2025-02-26T16:32:41.000-05:00
Changes the default protocol version of 0 for trusty servers and
keeps them in line with the latest stable RPC_WIRE_PROTOCOL_VERSION
(currently 1). It seems that hardcoding to version 0 happened before
aosp/2534786 where RPC_WIRE_PROTOCOL_VERSION_EXPERIMENTAL was the
default.

Version 1 allows parcels to contain FDs. This should be safe because
rpc binder negotiates a protocol version using the min value of the
client and server configurations. Older clients will be able to
downgrade the protocol version (but not transact with fds in their
parcels) and newer clients will see their protocol versions
negotiated down to the server's version on connection.

This change also adds supported file descriptor transport modes to
servers by default. In trusty, tipc allows handles to be transmitted by
default so this is in line with the current security posture.

Bug: 377907450
Test:  trusty/vendor/google/aosp/scripts/build.py \
    --test "boot-test:com.android.trusty.binderRpcTest" \
    qemu-generic-arm64-test-debug
Test: trusty/vendor/google/aosp/scripts/build.py qemu-generic-arm64-test-debug \
        --test="boot-test:com.android.trusty.rust.service_manager_tests.test

Change-Id: I0efbd7781f0fd2bc81981b01ae1b1d0d149b12b6
diff --git a/libs/binder/trusty/include/binder/RpcServerTrusty.h b/libs/binder/trusty/include/binder/RpcServerTrusty.h
@@ -94,9 +94,8 @@ class RpcServerTrusty final : public virtual RefBase {
     static sp<RpcServer> makeRpcServer(std::unique_ptr<RpcTransportCtx> ctx) {
         auto rpcServer = sp<RpcServer>::make(std::move(ctx));
 
-        // TODO(b/266741352): follow-up to prevent needing this in the future
-        // Trusty needs to be set to the latest stable version that is in prebuilts there.
-        LOG_ALWAYS_FATAL_IF(!rpcServer->setProtocolVersion(0));
+        // By default we use the latest stable version.
+        LOG_ALWAYS_FATAL_IF(!rpcServer->setProtocolVersion(RPC_WIRE_PROTOCOL_VERSION));
 
         return rpcServer;
     }
diff --git a/libs/binder/trusty/rust/binder_rpc_server_bindgen/cpp/ARpcServerTrusty.cpp b/libs/binder/trusty/rust/binder_rpc_server_bindgen/cpp/ARpcServerTrusty.cpp
@@ -27,6 +27,13 @@ using android::RpcTransportCtxFactoryTipcTrusty;
 using android::sp;
 using android::wp;
 
+// The default behavior in trusty is to allow handles to be passed with tipc IPC.
+// We add mode NONE so that servers do not reject connections from clients who do
+// not change their default transport mode.
+static const std::vector<RpcSession::FileDescriptorTransportMode> TRUSTY_SERVER_SUPPORTED_FD_MODES =
+        {RpcSession::FileDescriptorTransportMode::TRUSTY,
+         RpcSession::FileDescriptorTransportMode::NONE};
+
 struct ARpcServerTrusty {
     sp<RpcServer> mRpcServer;
 
@@ -53,6 +60,8 @@ ARpcServerTrusty* ARpcServerTrusty_newPerSession(AIBinder* (*cb)(const void*, si
         return nullptr;
     }
 
+    rpcServer->setSupportedFileDescriptorTransportModes(TRUSTY_SERVER_SUPPORTED_FD_MODES);
+
     rpcServer->setPerSessionRootObject(
             [cb, cbArgSp](wp<RpcSession> /*session*/, const void* addrPtr, size_t len) {
                 auto* aib = (*cb)(addrPtr, len, cbArgSp.get());
