[starnix] Give credentials to binder and UDS remote ends

The remote ends of remote-binder take the credentials of the
inside-Starnix remote binder process. When a Unix domain socket is
created, it takes (by default) the credentials of its creator.

These credentials will be used when transferring file descriptors
across: any access done through these fds will use the socket/binder
credentials.

Bug: 404739824
Change-Id: Iae5317d270ccaef3ef10f2efb2f455643bc209c4
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/1336524
Reviewed-by: Wez <[email protected]>
Commit-Queue: Ambre Williams <[email protected]>

Author: ambr-e

src/starnix/kernel/fs/fuchsia/remote.rs

@@ -8,7 +8,7 @@ use crate::fs::fuchsia::sync_file::{SyncFence, SyncFile, SyncPoint, Timeline};
 use crate::mm::memory::MemoryObject;
 use crate::mm::{ProtectionFlags, VMEX_RESOURCE};
 use crate::security;
-use crate::task::{CurrentTask, EncryptionKeyId, Kernel};
+use crate::task::{CurrentTask, EncryptionKeyId, FullCredentials, Kernel};
 use crate::vfs::buffers::{InputBuffer, OutputBuffer, with_iovec_segments};
 use crate::vfs::fsverity::FsVerityState;
 use crate::vfs::socket::{Socket, SocketFile, ZxioBackedSocket};
@@ -356,7 +356,8 @@ pub fn new_remote_file<L>(
 where
     L: LockEqualOrBefore<FileOpsCore>,
 {
-    let (attrs, ops) = remote_file_attrs_and_ops(handle)?;
+    let remote_creds = current_task.full_current_creds();
+    let (attrs, ops) = remote_file_attrs_and_ops(handle, remote_creds)?;
     let mut rights = fio::Flags::empty();
     if flags.can_read() {
         rights |= fio::PERM_READABLE;
@@ -374,13 +375,17 @@ where
 // Create a FileOps from a zx::Handle.
 //
 // The handle must satisfy the same requirements as `new_remote_file`.
-pub fn new_remote_file_ops(handle: zx::Handle) -> Result<Box<dyn FileOps>, Errno> {
-    let (_, ops) = remote_file_attrs_and_ops(handle)?;
+pub fn new_remote_file_ops(
+    handle: zx::Handle,
+    creds: FullCredentials,
+) -> Result<Box<dyn FileOps>, Errno> {
+    let (_, ops) = remote_file_attrs_and_ops(handle, creds)?;
     Ok(ops)
 }
 
 fn remote_file_attrs_and_ops(
     mut handle: zx::Handle,
+    remote_creds: FullCredentials,
 ) -> Result<(zxio_node_attr, Box<dyn FileOps>), Errno> {
     let handle_type =
         handle.basic_info().map_err(|status| from_status_like_fdio!(status))?.object_type;
@@ -391,7 +396,8 @@ fn remote_file_attrs_and_ops(
         let queryable = funknown::QueryableSynchronousProxy::new(channel);
         if let Ok(name) = queryable.query(zx::MonotonicInstant::INFINITE) {
             if name == fbinder::UnixDomainSocketMarker::PROTOCOL_NAME.as_bytes() {
-                let socket_ops = RemoteUnixDomainSocket::new(queryable.into_channel())?;
+                let socket_ops =
+                    RemoteUnixDomainSocket::new(queryable.into_channel(), remote_creds)?;
                 let socket = Socket::new_with_ops(Box::new(socket_ops))?;
                 let file_ops = SocketFile::new(socket);
                 let attr = zxio_node_attr {

src/starnix/kernel/fs/fuchsia/remote_unix_domain_socket.rs

@@ -4,7 +4,8 @@
 
 use crate::fs::fuchsia::{OpenFlags, new_remote_file};
 use crate::task::{
-    CurrentTask, EventHandler, SignalHandler, SignalHandlerInner, WaitCanceler, Waiter,
+    CurrentTask, EventHandler, FullCredentials, SignalHandler, SignalHandlerInner, WaitCanceler,
+    Waiter,
 };
 use crate::vfs::buffers::{InputBuffer, OutputBuffer};
 use crate::vfs::socket::{
@@ -29,10 +30,11 @@ static WRITABLE_SIGNAL: zx::Signals =
 pub struct RemoteUnixDomainSocket {
     client: fbinder::UnixDomainSocketSynchronousProxy,
     event: zx::EventPair,
+    remote_creds: FullCredentials,
 }
 
 impl RemoteUnixDomainSocket {
-    pub fn new(channel: zx::Channel) -> Result<Self, Errno> {
+    pub fn new(channel: zx::Channel, remote_creds: FullCredentials) -> Result<Self, Errno> {
         let client = fbinder::UnixDomainSocketSynchronousProxy::from_channel(channel);
         let response = client
             .get_event(
@@ -42,7 +44,7 @@ impl RemoteUnixDomainSocket {
             .map_err(|_| errno!(ECONNREFUSED))?
             .map_err(|e: i32| from_status_like_fdio!(zx::Status::from_raw(e)))?;
         let event = response.event.ok_or_else(|| errno!(ECONNREFUSED))?;
-        Ok(Self { client, event })
+        Ok(Self { client, event, remote_creds })
     }
 
     fn get_signals_from_events(events: FdEvents) -> zx::Signals {
@@ -66,6 +68,14 @@ impl RemoteUnixDomainSocket {
         }
         events
     }
+
+    /// Perform an action using the credentials of the remote task.
+    fn with_remote_creds<F, R>(&self, current_task: &CurrentTask, f: F) -> Result<R, Errno>
+    where
+        F: FnOnce() -> Result<R, Errno>,
+    {
+        current_task.override_creds(|temp_creds| *temp_creds = self.remote_creds.clone(), f)
+    }
 }
 
 impl SocketOps for RemoteUnixDomainSocket {
@@ -145,9 +155,19 @@ impl SocketOps for RemoteUnixDomainSocket {
 
         let mut file_handles: Vec<FileHandle> = vec![];
         if let Some(handles) = response.handles {
-            for handle in handles {
-                file_handles.push(new_remote_file(locked, current_task, handle, OpenFlags::RDWR)?);
-            }
+            // Use the remote task's credentials to create the remote_file object. This ensures
+            // that the SID associated to the fd is set to the correct value.
+            self.with_remote_creds(current_task, || {
+                for handle in handles {
+                    file_handles.push(new_remote_file(
+                        locked,
+                        current_task,
+                        handle,
+                        OpenFlags::RDWR,
+                    )?);
+                }
+                Ok(())
+            })?;
         }
         let ancillary_data = vec![AncillaryData::Unix(UnixControlData::Rights(file_handles))];
 
@@ -173,12 +193,16 @@ impl SocketOps for RemoteUnixDomainSocket {
         for data in ancillary_data {
             match data {
                 AncillaryData::Unix(UnixControlData::Rights(file_handles)) => {
-                    for file_handle in file_handles {
-                        let Some(handle) = file_handle.to_handle(current_task)? else {
-                            return error!(EINVAL);
-                        };
-                        handles.push(handle);
-                    }
+                    // Access the served files with the credentials of the remote end.
+                    self.with_remote_creds(current_task, || {
+                        for file_handle in file_handles {
+                            let Some(handle) = file_handle.to_handle(current_task)? else {
+                                return error!(EINVAL);
+                            };
+                            handles.push(handle);
+                        }
+                        Ok(())
+                    })?;
                 }
                 _ => return error!(EINVAL),
             }

src/starnix/kernel/task/current_task.rs

@@ -283,7 +283,7 @@ impl CurrentTask {
     /// actions performed by the task.
     pub fn current_creds(&self) -> Credentials {
         match self.overridden_creds.borrow().as_ref() {
-            Some(x) => x.creds.clone(),
+            Some(full_creds) => full_creds.creds.clone(),
             None => self.real_creds(),
         }
     }
@@ -298,6 +298,17 @@ impl CurrentTask {
         }
     }
 
+    /// Returns the current subjective credentials of the task, including the security state.
+    pub fn full_current_creds(&self) -> FullCredentials {
+        match self.overridden_creds.borrow().as_ref() {
+            Some(full_creds) => full_creds.clone(),
+            None => FullCredentials {
+                creds: self.real_creds(),
+                security_state: self.security_state.clone(),
+            },
+        }
+    }
+
     pub fn current_fscred(&self) -> FsCred {
         self.with_current_creds(|creds| creds.as_fscred())
     }

src/starnix/kernel/vfs/file_object.rs

@@ -7,8 +7,8 @@ use crate::mm::{DesiredAddress, MappingName, MappingOptions, MemoryAccessorExt,
 use crate::power::OnWakeOps;
 use crate::security;
 use crate::task::{
-    CurrentTask, CurrentTaskAndLocked, EncryptionKeyId, EventHandler, FullCredentials, Task,
-    ThreadGroupKey, WaitCallback, WaitCanceler, Waiter, register_delayed_release,
+    CurrentTask, CurrentTaskAndLocked, EncryptionKeyId, EventHandler, Task, ThreadGroupKey,
+    WaitCallback, WaitCanceler, Waiter, register_delayed_release,
 };
 use crate::vfs::buffers::{InputBuffer, OutputBuffer};
 use crate::vfs::file_server::serve_file;
@@ -425,7 +425,7 @@ pub trait FileOps: Send + Sync + AsAny + 'static {
         file: &FileObject,
         current_task: &CurrentTask,
     ) -> Result<Option<zx::Handle>, Errno> {
-        serve_file(current_task, file, FullCredentials::for_kernel())
+        serve_file(current_task, file, current_task.full_current_creds())
             .map(|c| Some(c.0.into_handle()))
     }
 

src/starnix/modules/binderfs/binder.rs

@@ -17,8 +17,8 @@ use starnix_core::mm::{
 };
 use starnix_core::mutable_state::Guard;
 use starnix_core::task::{
-    CurrentTask, CurrentTaskAndLocked, EventHandler, Kernel, SchedulerState, SimpleWaiter, Task,
-    ThreadGroupKey, WaitCanceler, WaitQueue, Waiter,
+    CurrentTask, CurrentTaskAndLocked, EventHandler, FullCredentials, Kernel, SchedulerState,
+    SimpleWaiter, Task, ThreadGroupKey, WaitCanceler, WaitQueue, Waiter,
 };
 use starnix_core::vfs::buffers::{InputBuffer, OutputBuffer, VecInputBuffer};
 use starnix_core::vfs::pseudo::simple_file::BytesFile;
@@ -3229,6 +3229,7 @@ fn get_resource_accessor<'a>(
 struct RemoteResourceAccessor {
     process: zx::Process,
     process_accessor: fbinder::ProcessAccessorSynchronousProxy,
+    remote_creds: FullCredentials,
 }
 
 impl RemoteResourceAccessor {
@@ -3242,6 +3243,13 @@ impl RemoteResourceAccessor {
             .map_err(|_| errno!(ENOENT))?;
         result.map_err(|e| errno_from_code!(e.into_primitive() as i16))
     }
+
+    fn with_remote_creds<F, T>(&self, current_task: &CurrentTask, f: F) -> Result<T, Errno>
+    where
+        F: FnOnce() -> Result<T, Errno>,
+    {
+        current_task.override_creds(|temp_creds| *temp_creds = self.remote_creds.clone(), f)
+    }
 }
 
 impl std::fmt::Debug for RemoteResourceAccessor {
@@ -3406,28 +3414,30 @@ impl ResourceAccessor for RemoteResourceAccessor {
         let num_fds = fds.len();
         let mut files = Vec::with_capacity(num_fds);
 
-        for chunk in fds.chunks(fbinder::MAX_REQUEST_COUNT as usize) {
-            let response = self.run_file_request(fbinder::FileRequest {
-                get_requests: Some(chunk.into_iter().map(|fd| fd.raw()).collect()),
-                ..Default::default()
-            })?;
-            for fbinder::FileHandle { file, flags, .. } in
-                response.get_responses.into_iter().flatten()
-            {
-                let Some(flags) = flags else {
-                    log_warn!("Incorrect response to file request. Missing flags.");
-                    return error!(ENOENT);
-                };
-                let file = if let Some(file) = file {
-                    new_remote_file(locked, current_task, file, flags.into_fidl())?
-                } else {
-                    new_null_file(locked, current_task, flags.into_fidl())
-                };
-                files.push((file, FdFlags::empty()));
+        self.with_remote_creds(current_task, || {
+            for chunk in fds.chunks(fbinder::MAX_REQUEST_COUNT as usize) {
+                let response = self.run_file_request(fbinder::FileRequest {
+                    get_requests: Some(chunk.into_iter().map(|fd| fd.raw()).collect()),
+                    ..Default::default()
+                })?;
+                for fbinder::FileHandle { file, flags, .. } in
+                    response.get_responses.into_iter().flatten()
+                {
+                    let Some(flags) = flags else {
+                        log_warn!("Incorrect response to file request. Missing flags.");
+                        return error!(ENOENT);
+                    };
+                    let file = if let Some(file) = file {
+                        new_remote_file(locked, current_task, file, flags.into_fidl())?
+                    } else {
+                        new_null_file(locked, current_task, flags.into_fidl())
+                    };
+                    files.push((file, FdFlags::empty()));
+                }
             }
-        }
 
-        if files.len() != num_fds { error!(ENOENT) } else { Ok(files) }
+            if files.len() != num_fds { error!(ENOENT) } else { Ok(files) }
+        })
     }
 
     fn add_files_with_flags(
@@ -3441,27 +3451,30 @@ impl ResourceAccessor for RemoteResourceAccessor {
         let num_files = files.len();
         let mut fds = Vec::with_capacity(num_files);
 
-        for chunk in files.chunks(fbinder::MAX_REQUEST_COUNT as usize) {
-            let mut handles = Vec::with_capacity(chunk.len());
-            for (file, _) in chunk.into_iter() {
-                handles.push(fbinder::FileHandle {
-                    file: file.to_handle(current_task)?,
-                    flags: Some(file.flags().into_fidl()),
-                    ..fbinder::FileHandle::default()
-                });
-            }
-            let response = self.run_file_request(fbinder::FileRequest {
-                add_requests: Some(handles),
-                ..Default::default()
-            })?;
-            for fd in response.add_responses.into_iter().flatten().map(|fd| FdNumber::from_raw(fd))
-            {
-                add_action(fd);
-                fds.push(fd);
+        self.with_remote_creds(current_task, || {
+            for chunk in files.chunks(fbinder::MAX_REQUEST_COUNT as usize) {
+                let mut handles = Vec::with_capacity(chunk.len());
+                for (file, _) in chunk.into_iter() {
+                    handles.push(fbinder::FileHandle {
+                        file: file.to_handle(current_task)?,
+                        flags: Some(file.flags().into_fidl()),
+                        ..fbinder::FileHandle::default()
+                    });
+                }
+                let response = self.run_file_request(fbinder::FileRequest {
+                    add_requests: Some(handles),
+                    ..Default::default()
+                })?;
+                for fd in
+                    response.add_responses.into_iter().flatten().map(|fd| FdNumber::from_raw(fd))
+                {
+                    add_action(fd);
+                    fds.push(fd);
+                }
             }
-        }
 
-        if fds.len() != num_files { error!(ENOENT) } else { Ok(fds) }
+            if fds.len() != num_files { error!(ENOENT) } else { Ok(fds) }
+        })
     }
 
     fn as_memory_accessor(&self) -> Option<&dyn MemoryAccessor> {
@@ -3678,7 +3691,11 @@ impl BinderDriver {
             fbinder::ProcessAccessorSynchronousProxy::new(process_accessor.into_channel());
         let identifier = this.create_remote_process(
             current_task.thread_group_key.clone(),
-            RemoteResourceAccessor { process_accessor, process },
+            RemoteResourceAccessor {
+                process_accessor,
+                process,
+                remote_creds: current_task.full_current_creds(),
+            },
         );
         Arc::new(RemoteBinderConnection {
             binder_connection: BinderConnection {
@@ -9661,7 +9678,9 @@ pub mod tests {
             let process = fuchsia_runtime::process_self()
                 .duplicate(zx::Rights::SAME_RIGHTS)
                 .expect("process");
-            let remote_binder_task = Arc::new(RemoteResourceAccessor { process_accessor, process });
+            let remote_creds = FullCredentials::for_kernel();
+            let remote_binder_task =
+                Arc::new(RemoteResourceAccessor { process_accessor, process, remote_creds });
             let mut vector = Vec::with_capacity(vector_size);
             for i in 0..vector_size {
                 vector.push((i & 255) as u8);

src/starnix/modules/nanohub/socket_tunnel_file.rs

@@ -13,7 +13,7 @@ use starnix_core::device::DeviceOps;
 use starnix_core::device::kobject::Device;
 use starnix_core::fs::fuchsia::new_remote_file_ops;
 use starnix_core::fs_node_impl_not_dir;
-use starnix_core::task::CurrentTask;
+use starnix_core::task::{CurrentTask, FullCredentials};
 use starnix_core::vfs::pseudo::simple_directory::SimpleDirectoryMutator;
 use starnix_core::vfs::{FileOps, FsNode, FsNodeOps, FsStr, FsString};
 use starnix_sync::{FileOpsCore, LockEqualOrBefore, Locked};
@@ -85,8 +85,8 @@ fn connect(socket_label: Arc<FsString>) -> Result<Box<dyn FileOps>, Errno> {
         .map_err(|_| errno!(ENOENT))?
         .map_err(|_| errno!(ENOENT))?;
 
-    // This will only be reached if the status was OK
-    new_remote_file_ops(tx.into())
+    // This will only be reached if the status was OK. Credentials are ignored for sockets.
+    new_remote_file_ops(tx.into(), FullCredentials::for_kernel())
 }
 
 impl DeviceOps for SocketTunnelFile {