Merge "getCallingPid: document when to use it" into main

Steven Moreland · Android (Google) Code Review · commit 77d30b045886 · 2024-12-30T11:14:53.000-08:00
diff --git a/libs/binder/include/binder/IPCThreadState.h b/libs/binder/include/binder/IPCThreadState.h
@@ -64,7 +64,10 @@ class IPCThreadState {
      * Returns the PID of the process which has made the current binder
      * call. If not in a binder call, this will return getpid.
      *
-     * Warning: oneway transactions do not receive PID. Even if you expect
+     * Warning do not use this as a security identifier! PID is unreliable
+     * as it may be re-used. This should mostly be used for debugging.
+     *
+     * oneway transactions do not receive PID. Even if you expect
      * a transaction to be synchronous, a misbehaving client could send it
      * as an asynchronous call and result in a 0 PID here. Additionally, if
      * there is a race and the calling process dies, the PID may still be
diff --git a/libs/binder/ndk/include_ndk/android/binder_ibinder.h b/libs/binder/ndk/include_ndk/android/binder_ibinder.h
@@ -419,6 +419,9 @@ binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient
  * This can be used with higher-level system services to determine the caller's identity and check
  * permissions.
  *
+ * Warning do not use this as a security identifier! PID is unreliable as it may be re-used. This
+ * should mostly be used for debugging.
+ *
  * Available since API level 29.
  *
  * \return calling uid or the current process's UID if this thread isn't processing a transaction.
diff --git a/libs/binder/rust/src/state.rs b/libs/binder/rust/src/state.rs
@@ -101,7 +101,10 @@ impl ThreadState {
     /// dies and is replaced with another process with elevated permissions and
     /// the same PID.
     ///
-    /// Warning: oneway transactions do not receive PID. Even if you expect
+    /// Warning: do not use this as a security identifier! PID is unreliable
+    /// as it may be re-used. This should mostly be used for debugging.
+    ///
+    /// oneway transactions do not receive PID. Even if you expect
     /// a transaction to be synchronous, a misbehaving client could send it
     /// as a synchronous call and result in a 0 PID here. Additionally, if
     /// there is a race and the calling process dies, the PID may still be

Original file line number	Diff line number	Diff line change
`@@ -419,6 +419,9 @@ binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient`
`419`	`419`	`* This can be used with higher-level system services to determine the caller's identity and check`
`420`	`420`	`* permissions.`
`421`	`421`	`*`
	`422`	`+ * Warning do not use this as a security identifier! PID is unreliable as it may be re-used. This`
	`423`	`+ * should mostly be used for debugging.`
	`424`	`+ *`
`422`	`425`	`* Available since API level 29.`
`423`	`426`	`*`
`424`	`427`	`* \return calling uid or the current process's UID if this thread isn't processing a transaction.`