Diffstat (limited to 'grpc/include/grpcpp/security/binder_security_policy.h')
-rw-r--r-- | grpc/include/grpcpp/security/binder_security_policy.h | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/grpc/include/grpcpp/security/binder_security_policy.h b/grpc/include/grpcpp/security/binder_security_policy.h
new file mode 100644
index 00000000..e1c951fc
--- /dev/null
+++ b/grpc/include/grpcpp/security/binder_security_policy.h
@@ -0,0 +1,82 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPCPP_SECURITY_BINDER_SECURITY_POLICY_H
+#define GRPCPP_SECURITY_BINDER_SECURITY_POLICY_H
+
+#include <memory>
+
+#ifdef GPR_ANDROID
+
+#include <jni.h>
+
+#endif
+
+namespace grpc {
+namespace experimental {
+namespace binder {
+
+// EXPERIMENTAL Determinines if a connection is allowed to be
+// established on Android. See https://source.android.com/security/app-sandbox
+// for more info about UID.
+class SecurityPolicy {
+ public:
+ virtual ~SecurityPolicy() = default;
+ // Returns true if the UID is authorized to connect.
+ // Must return the same value for the same inputs so callers can safely cache
+ // the result.
+ virtual bool IsAuthorized(int uid) = 0;
+};
+
+// EXPERIMENTAL Allows all connection. Anything on the Android device will be
+// able to connect, use with caution!
+class UntrustedSecurityPolicy : public SecurityPolicy {
+ public:
+ UntrustedSecurityPolicy();
+ ~UntrustedSecurityPolicy() override;
+ bool IsAuthorized(int uid) override;
+};
+
+// EXPERIMENTAL Only allows the connections from processes with the same UID. In
+// most cases this means "from the same APK".
+class InternalOnlySecurityPolicy : public SecurityPolicy {
+ public:
+ InternalOnlySecurityPolicy();
+ ~InternalOnlySecurityPolicy() override;
+ bool IsAuthorized(int uid) override;
+};
+
+#ifdef GPR_ANDROID
+
+// EXPERIMENTAL Only allows the connections from the APK that have the same
+// signature.
+class SameSignatureSecurityPolicy : public SecurityPolicy {
+ public:
+ // `context` is required for getting PackageManager Java class
+ SameSignatureSecurityPolicy(JavaVM* jvm, jobject context);
+ ~SameSignatureSecurityPolicy() override;
+ bool IsAuthorized(int uid) override;
+
+ private:
+ JavaVM* jvm_;
+ jobject context_;
+};
+
+#endif
+
+} // namespace binder
+} // namespace experimental
+} // namespace grpc
+
+#endif // GRPCPP_SECURITY_BINDER_SECURITY_POLICY_H |
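Review bot: `SameSignatureSecurityPolicy` holds a raw `JavaVM*` and `jobject` and declares a destructor, but its copy operations are left implicit, so a copy would share the same `context_` handle. The constructor and destructor bodies are not in this header; if the constructor promotes `context` to a JNI global reference and the destructor deletes it, a copied policy would release that reference twice, and if it does not, the stored reference is presumably stale once the calling JNI frame returns. I would add `SameSignatureSecurityPolicy(const SameSignatureSecurityPolicy&) = delete;` and `SameSignatureSecurityPolicy& operator=(const SameSignatureSecurityPolicy&) = delete;`, and extend the constructor comment to state who owns `context` and how long it must stay valid. Separately, the caching contract on `SecurityPolicy::IsAuthorized` deserves a sentence on how long a cached answer may be kept, since a signature-based answer depends on which package currently owns the UID.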