binder: Introduce server pre-authorization #12127
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…dentity before binding.
Parameterize RobolectricBinderSecurityTest
ClusterResolverLb gets the NameResolverRegistry from LoadBalancer.Helper, so a new API was added in NameResover.Args to propagate the same object to the name resolver tree. RetryingNameResolver was exposed to xds. This is expected to be temporary, as the retrying is being removed from ManagedChannelImpl and moved into the resolvers. At that point, DnsNameResolverProvider would wrap DnsNameResolver with a similar API to RetryingNameResolver and xds would no longer be responsible.
See cl/769936336 internally
…mination (grpc#12167) # Conflicts: # binder/src/androidTest/java/io/grpc/binder/internal/BinderClientTransportTest.java # binder/src/main/java/io/grpc/binder/internal/BinderTransport.java # binder/src/testFixtures/java/io/grpc/binder/internal/SettableAsyncSecurityPolicy.java
ClusterResolverLb is still doing DNS itself, so disable it in XdsDepMan until that migration has finished. EDS is fine in XdsDepman, because XdsClient will share the result with ClusterResolverLb.
The previous code did a ping-pong to make sure the transport had enough time to process, but then proceeded to sleep 5 seconds. That sleep would have been needed without the ping-pong, but with the ping-pong we are confident all events have been drained from the transport. Deleting the unnecessary sleeps saves 10 seconds, for each of the 9 instances of this test.
…dentity before binding. # Conflicts: # binder/src/androidTest/java/io/grpc/binder/internal/BinderClientTransportTest.java # binder/src/main/java/io/grpc/binder/internal/BinderTransport.java # binder/src/test/java/io/grpc/binder/RobolectricBinderSecurityTest.java
Parameterize RobolectricBinderSecurityTest
Resolve with an explicit direct boot awareness flag # Conflicts: # binder/src/main/java/io/grpc/binder/internal/BinderTransport.java
|
@ejona86 Friendly 1 week ping |
ejona86
approved these changes
Jul 10, 2025
svc-squareup-copybara
pushed a commit
to cashapp/misk
that referenced
this pull request
Aug 27, 2025
| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.launchdarkly:launchdarkly-java-server-sdk](https://github.com/launchdarkly/java-server-sdk) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `7.10.1` -> `7.10.2` | | [io.grpc:grpc-stub](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.74.0` -> `1.75.0` | | [io.grpc:grpc-protobuf](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.74.0` -> `1.75.0` | | [io.grpc:grpc-netty](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.74.0` -> `1.75.0` | | [io.grpc:protoc-gen-grpc-java](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.74.0` -> `1.75.0` | | [io.grpc:grpc-bom](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.74.0` -> `1.75.0` | | [io.grpc:grpc-api](https://github.com/grpc/grpc-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.74.0` -> `1.75.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:s3](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:regions](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.32.30` -> `2.32.31` | --- ### Release Notes <details> <summary>grpc/grpc-java (io.grpc:grpc-stub)</summary> ### [`v1.75.0`](https://github.com/grpc/grpc-java/releases/tag/v1.75.0) ##### Behavior Changes - binder: Introduce server pre-authorization ([#​12127](grpc/grpc-java#12127)). grpc-binder clients authorize servers by checking the UID of the sender of the SETUP\_TRANSPORT Binder transaction against some SecurityPolicy. But merely binding to an unauthorized server to learn its UID can enable "keep-alive" and "background activity launch" abuse, even if security policy ultimately causes the grpc connection to fail. Pre-authorization mitigates this kind of abuse by resolving addresses and authorizing a candidate server Application's UID before binding to it. Pre-auth is especially important when the server's address is not fixed in advance but discovered by PackageManager lookup. ##### Bug Fixes - core: `grpc-timeout` should always be positive ([#​12201](grpc/grpc-java#12201)) ([`6dfa03c`](grpc/grpc-java@6dfa03c51)). There is a local race between when the deadline is checked before sending the RPC and when the timeout is calculated to put on-the-wire. The code replaced negative timeouts with 0 nanoseconds. gRPC’s PROTOCOL-HTTP2 spec states that timeouts should be positive, so now non-positive values are replaced with 1 nanosecond - core: Improved DEADLINE\_EXCEEDED message for delayed calls ([`6ff8eca`](grpc/grpc-java@6ff8ecac0)). Delayed calls are the first calls on a Channel before name resolution has resolved addresses. Previously you could see confusing errors saying the deadline “will be exceeded in” X time. The message tense was simply wrong, and now will be correct: deadline “was exceeded after” X time. - xds: PriorityLB now only uses the failOverTimer to start additional priorities, not fail RPCs ([`c4256ad`](grpc/grpc-java@c4256add4)). You should no longer see “Connection timeout for priority” errors. ##### Improvements - netty: Count sent RST\_STREAMs against `NettyServerBuilder.maxRstFramesPerWindow()` limit ([#​12288](grpc/grpc-java#12288)). This extends the Rapid Reset tool to also cover MadeYouReset. the reset stream count will cause a 420 "Enhance your calm response" to be sent. This depends on Netty 4.1.124 for a bug fix to actually call the encoder by the frame writer. - xds: Convert CdsLb to `XdsDepManager` ([`297ab05`](grpc/grpc-java@297ab05ef)). This is part of gRFC A74 to have atomic xDS config updates. This is an internal change, but does change the error description seen in certain cases, especially DEADLINE\_EXCEEDED on a brand-new channel. - census: APIs for stats and tracing ([#​12050](grpc/grpc-java#12050)) ([`9193701`](grpc/grpc-java@919370172)). Client channel and server builders with interceptors and factories respectively for stats and tracing. - stub: simplify `BlockingClientCall` infinite blocking ([#​12217](grpc/grpc-java#12217)) ([`ba0a732`](grpc/grpc-java@ba0a7329d)). Move deadline computation into overloads with finite timeouts. Blocking calls without timeouts now do not have to read the clock. - xds: Do RLS fallback policy eagar start ([#​12211](grpc/grpc-java#12211)) ([`42e1829`](grpc/grpc-java@42e1829b3)). In gRPC-Java, the xDS clusters were lazily subscribed, which meant the fallback target which is returned in the RLS config wasn’t subscribed until a RPC actually falls back to it. The delayed resource subscription process in gRPC Java made it more susceptible to the effects of the INITIAL\_RESOURCE\_FETCH\_TIMEOUT compared to other programming languages. It also had impact beyond the RLS cache expiration case, for example, when the first time the client initialized the channel, we couldn't fallback when the intended target times out, because of the lazy subscription. This change starts the fallback LB policy for the default target at the start of RLS policy instead of only when falling back to the default target, which fixes the above mentioned problems. - xds: Aggregate cluster fixes (A75) ([#​12186](grpc/grpc-java#12186)) ([`7e982e4`](grpc/grpc-java@7e982e48a)). The earlier implementation of aggregate clusters concatenated the priorities from the underlying clusters into a single list, so that it could use a single LB policy defined at the aggregate cluster layer to choose a priority from that combined list. However, it turns out that aggregate clusters don't actually define the LB policy in the aggregate cluster; instead, the aggregate cluster uses a special cluster-provided LB policy that first chooses the underlying cluster and then delegates to the LB policy of the underlying cluster. This change implements that. - api: set size correctly for sets and maps in handling `Metadata` values to be exchanged during a call ([#​12229](grpc/grpc-java#12229)) ([`8021727`](grpc/grpc-java@80217275d)) - xds: xdsClient cache transient error for new watchers ([#​12291](grpc/grpc-java#12291)). When a resource update is NACKed, cache the error and update new watchers that get added with that error instead of making them hang. - xds: Avoid PriorityLb re-enabling timer on duplicate CONNECTING ([#​12289](grpc/grpc-java#12289)). If a LB policy gives extraneous updates with state CONNECTING, then it was possible to re-create `failOverTimer` which would then wait the 10 seconds for the child to finish CONNECTING. We only want to give the child one opportunity after transitioning out of READY/IDLE. - xds: Use a different log name for `XdsClientImpl` and `ControlPlaneClient` ([#​12287](grpc/grpc-java#12287)). `ControlPlaneClient` uses "xds-cp-client" now instead of "xds-client" while logging. ##### Dependencies Changes - Upgrade to Netty 4.1.124.Final ([#​12286](grpc/grpc-java#12286)). This implicitly disables `NettyAdaptiveCumulator` ([#​11284](grpc/grpc-java#11284)), which can have a performance impact. We delayed upgrading Netty to give time to rework the optimization, but we've gone too long already without upgrading which causes problems for vulnerability tracking. - bazel: Use `jar_jar` to avoid xds deps ([#​12243](grpc/grpc-java#12243)) ([`8f09b96`](grpc/grpc-java@8f09b9689)). The //xds and //xds:orca targets now use `jar_jar` to shade the protobuf generated code. This allows them to use their own private copy of the protos and drop direct Bazel dependencies on cel-spec, grpc, rules\_go, com\_github\_cncf\_xds, envoy\_api, com\_envoyproxy\_protoc\_gen\_validate, and opencensus\_proto. This mirrors the shading of protobuf messages done for grpc-xds provided on Maven Central and should simplify dependency management ##### Documentation - Clarify requirements for creating a cross-user Channel. ([#​12181](grpc/grpc-java#12181)). The `@SystemApi` runtime visibility requirement isn't really new. It has always been implicit in the required INTERACT\_ACROSS\_USERS permission, which can only be held by system apps in production. Now deprecated `BinderChannelBuilder#bindAsUser` has always required SDK\_INT >= 30. This change just copies that requirement forward to its replacement APIs in `AndroidComponentAddress` and the TARGET\_ANDROID\_USER `NameResolver.Args`. - api: Add more Javadoc for `NameResolver.Listener2` interface ([#​12220](grpc/grpc-java#12220)) ([`d352540`](grpc/grpc-java@d352540a0)) ##### Thanks to [@​benjaminp](https://github.com/benjaminp) [@​werkt](https://github.com/werkt) [@​kilink](https://github.com/kilink) [@​vimanikag](https://github.com/vimanikag) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 27d0400bbd8eed72194f02f1d1589e84b85c9e1a
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
grpc-binder clients authorize servers by checking the UID of the sender of the SETUP_TRANSPORT Binder transaction against some SecurityPolicy. But merely binding to an unauthorized server to learn its UID can enable "keep-alive" and "background activity launch" abuse, even if security policy ultimately causes the grpc connection to fail. Pre-authorization mitigates this kind of abuse by resolving addresses and authorizing a candidate server Application's UID before binding to it. Pre-auth is especially important when the server's address is not fixed in advance but discovered by PackageManager lookup.
Design at: go/grpc-binder-service-discovery "Mitigating Keep-Alive Attacks"
Note internal LGTM at CR/769886275.