1 /*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #pragma once
18
19 #include <android/binder_ibinder.h>
20 #include <android/binder_shell.h>
21 #include "ibinder_internal.h"
22
23 #include <atomic>
24 #include <mutex>
25 #include <optional>
26 #include <vector>
27
28 #include <binder/Binder.h>
29 #include <binder/IBinder.h>
30 #include <utils/Vector.h>
31
isUserCommand(transaction_code_t code)32 inline bool isUserCommand(transaction_code_t code) {
33 return code >= FIRST_CALL_TRANSACTION && code <= LAST_CALL_TRANSACTION;
34 }
35
36 struct ABBinder;
37 struct ABpBinder;
38
39 struct AIBinder : public virtual ::android::RefBase {
40 explicit AIBinder(const AIBinder_Class* clazz);
41 virtual ~AIBinder();
42
43 bool associateClass(const AIBinder_Class* clazz);
getClassAIBinder44 const AIBinder_Class* getClass() const { return mClazz; }
45
46 virtual ::android::sp<::android::IBinder> getBinder() = 0;
asABBinderAIBinder47 virtual ABBinder* asABBinder() { return nullptr; }
asABpBinderAIBinder48 virtual ABpBinder* asABpBinder() { return nullptr; }
49
isRemoteAIBinder50 bool isRemote() const {
51 ::android::sp<::android::IBinder> binder = const_cast<AIBinder*>(this)->getBinder();
52 return binder->remoteBinder() != nullptr;
53 }
54 virtual void addDeathRecipient(const ::android::sp<AIBinder_DeathRecipient>& recipient,
55 void* cookie) = 0;
56
57 private:
58 // AIBinder instance is instance of this class for a local object. In order to transact on a
59 // remote object, this also must be set for simplicity (although right now, only the
60 // interfaceDescriptor from it is used).
61 //
62 // WARNING: When multiple classes exist with the same interface descriptor in different
63 // linkernamespaces, the first one to be associated with mClazz becomes the canonical one
64 // and the only requirement on this is that the interface descriptors match. If this
65 // is an ABpBinder, no other state can be referenced from mClazz.
66 const AIBinder_Class* mClazz;
67 std::mutex mClazzMutex;
68 };
69
70 // This is a local AIBinder object with a known class.
71 struct ABBinder : public AIBinder, public ::android::BBinder {
72 virtual ~ABBinder();
73
getUserDataABBinder74 void* getUserData() { return mUserData; }
75
getBinderABBinder76 ::android::sp<::android::IBinder> getBinder() override { return this; }
asABBinderABBinder77 ABBinder* asABBinder() override { return this; }
78
79 const ::android::String16& getInterfaceDescriptor() const override;
80 ::android::status_t dump(int fd, const ::android::Vector<::android::String16>& args) override;
81 ::android::status_t onTransact(uint32_t code, const ::android::Parcel& data,
82 ::android::Parcel* reply, binder_flags_t flags) override;
83 void addDeathRecipient(const ::android::sp<AIBinder_DeathRecipient>& /* recipient */,
84 void* /* cookie */) override;
85
86 private:
87 ABBinder(const AIBinder_Class* clazz, void* userData);
88
89 // only thing that should create an ABBinder
90 friend AIBinder* AIBinder_new(const AIBinder_Class*, void*);
91
92 // Can contain implementation if this is a local binder. This can still be nullptr for a local
93 // binder. If it is nullptr, the implication is the implementation state is entirely external to
94 // this object and the functionality provided in the AIBinder_Class is sufficient.
95 void* mUserData;
96 };
97
98 // This binder object may be remote or local (even though it is 'Bp'). The implication if it is
99 // local is that it is an IBinder object created outside of the domain of libbinder_ndk.
100 struct ABpBinder : public AIBinder {
101 // Looks up to see if this object has or is an existing ABBinder or ABpBinder object, otherwise
102 // it creates an ABpBinder object.
103 static ::android::sp<AIBinder> lookupOrCreateFromBinder(
104 const ::android::sp<::android::IBinder>& binder);
105
106 virtual ~ABpBinder();
107
getBinderABpBinder108 ::android::sp<::android::IBinder> getBinder() override { return mRemote; }
asABpBinderABpBinder109 ABpBinder* asABpBinder() override { return this; }
110
isServiceFuzzingABpBinder111 bool isServiceFuzzing() const { return mServiceFuzzing; }
setServiceFuzzingABpBinder112 void setServiceFuzzing() { mServiceFuzzing = true; }
113 void addDeathRecipient(const ::android::sp<AIBinder_DeathRecipient>& recipient,
114 void* cookie) override;
115
116 private:
117 friend android::sp<ABpBinder>;
118 explicit ABpBinder(const ::android::sp<::android::IBinder>& binder);
119 ::android::sp<::android::IBinder> mRemote;
120 bool mServiceFuzzing = false;
121 struct DeathRecipientInfo {
122 android::wp<AIBinder_DeathRecipient> recipient;
123 void* cookie;
124 };
125 std::mutex mDeathRecipientsMutex;
126 std::vector<DeathRecipientInfo> mDeathRecipients;
127 };
128
129 struct AIBinder_Class {
130 AIBinder_Class(const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate,
131 AIBinder_Class_onDestroy onDestroy, AIBinder_Class_onTransact onTransact);
132
getInterfaceDescriptorAIBinder_Class133 const ::android::String16& getInterfaceDescriptor() const { return mWideInterfaceDescriptor; }
getInterfaceDescriptorUtf8AIBinder_Class134 const char* getInterfaceDescriptorUtf8() const { return mInterfaceDescriptor.c_str(); }
135 bool setTransactionCodeMap(const char** transactionCodeMap, size_t transactionCodeMapSize);
136 const char* getFunctionName(transaction_code_t code) const;
getTransactionCodeToFunctionLengthAIBinder_Class137 size_t getTransactionCodeToFunctionLength() const { return mTransactionCodeToFunctionLength; }
138
139 // whether a transaction header should be written
140 bool writeHeader = true;
141
142 // required to be non-null, implemented for every class
143 const AIBinder_Class_onCreate onCreate = nullptr;
144 const AIBinder_Class_onDestroy onDestroy = nullptr;
145 const AIBinder_Class_onTransact onTransact = nullptr;
146
147 // optional methods for a class
148 AIBinder_onDump onDump = nullptr;
149 AIBinder_handleShellCommand handleShellCommand = nullptr;
150
151 private:
152 // Copy of the raw char string for when we don't have to return UTF-16
153 const std::string mInterfaceDescriptor;
154 // This must be a String16 since BBinder virtual getInterfaceDescriptor returns a reference to
155 // one.
156 const ::android::String16 mWideInterfaceDescriptor;
157 // Array which holds names of the functions
158 const char** mTransactionCodeToFunction = nullptr;
159 // length of mmTransactionCodeToFunctionLength array
160 size_t mTransactionCodeToFunctionLength = 0;
161 };
162
163 // Ownership is like this (when linked to death):
164 //
165 // AIBinder_DeathRecipient -sp-> TransferDeathRecipient <-wp-> IBinder
166 //
167 // When the AIBinder_DeathRecipient is dropped, so are the actual underlying death recipients. When
168 // the IBinder dies, only a wp to it is kept.
169 struct AIBinder_DeathRecipient : ::android::RefBase {
170 // One of these is created for every linkToDeath. This is to be able to recover data when a
171 // binderDied receipt only gives us information about the IBinder.
172 struct TransferDeathRecipient : ::android::IBinder::DeathRecipient {
TransferDeathRecipientAIBinder_DeathRecipient::TransferDeathRecipient173 TransferDeathRecipient(const ::android::wp<::android::IBinder>& who, void* cookie,
174 const ::android::wp<AIBinder_DeathRecipient>& parentRecipient,
175 const AIBinder_DeathRecipient_onBinderDied onDied,
176 const AIBinder_DeathRecipient_onBinderUnlinked onUnlinked)
177 : mWho(who),
178 mCookie(cookie),
179 mParentRecipient(parentRecipient),
180 mOnDied(onDied),
181 mOnUnlinked(onUnlinked) {}
182 ~TransferDeathRecipient();
183
184 void binderDied(const ::android::wp<::android::IBinder>& who) override;
185
getWhoAIBinder_DeathRecipient::TransferDeathRecipient186 const ::android::wp<::android::IBinder>& getWho() { return mWho; }
getCookieAIBinder_DeathRecipient::TransferDeathRecipient187 void* getCookie() { return mCookie; }
188
189 private:
190 ::android::wp<::android::IBinder> mWho;
191 void* mCookie;
192
193 ::android::wp<AIBinder_DeathRecipient> mParentRecipient;
194
195 // This is kept separately from AIBinder_DeathRecipient in case the death recipient is
196 // deleted while the death notification is fired
197 const AIBinder_DeathRecipient_onBinderDied mOnDied;
198 const AIBinder_DeathRecipient_onBinderUnlinked mOnUnlinked;
199 };
200
201 explicit AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied);
202 binder_status_t linkToDeath(const ::android::sp<::android::IBinder>&, void* cookie);
203 binder_status_t unlinkToDeath(const ::android::sp<::android::IBinder>& binder, void* cookie);
204 void setOnUnlinked(AIBinder_DeathRecipient_onBinderUnlinked onUnlinked);
205 void pruneThisTransferEntry(const ::android::sp<::android::IBinder>&, void* cookie);
206
207 private:
208 // When the user of this API deletes a Bp object but not the death recipient, the
209 // TransferDeathRecipient object can't be cleaned up. This is called whenever a new
210 // TransferDeathRecipient is linked, and it ensures that mDeathRecipients can't grow unbounded.
211 void pruneDeadTransferEntriesLocked();
212
213 std::mutex mDeathRecipientsMutex;
214 std::vector<::android::sp<TransferDeathRecipient>> mDeathRecipients;
215 AIBinder_DeathRecipient_onBinderDied mOnDied;
216 AIBinder_DeathRecipient_onBinderUnlinked mOnUnlinked;
217 };
218