libbinder: support calls over sockets
Minimal-ish change for basic binder RPC.
This enables binder to work over sockets. The main change to core code
is in 'Parcel' and 'BpBinder'. The Parcel format is now associated with
the binder that it is either for or a reply from (we no longer have
binder 'objects' for the kernel). BpBinder is extended to support
talking over sockets (ideally, this would be a subclass, but
IBinder::localBinder/remoteBinder mean there is a lot of code which
presupposes what type of binder we have).
In addition, we have a few new objects:
- RpcServer - set this up to serve a connection
- RpcConnection - symmetrical object handling dispatch to a known
server/client
- RpcAddress - (this will definitely change) randomly generated
addresses - this might include things like host VM context, ip
address, or similar in the future. In that case, the address
generation should be cryptographically secure.
- RpcState - this keeps track of known binders, their refcounts, and
async transactions, and it understand the binder socket wire
protocol
The connection itself looks like N socket accepts to a server (the
server might have M socket accepts back to the client for symmetrical
connections, that is connections which need more than nested
transactions). The number of these socket connections controls how many
synchronous transactions can be made. Wherever possible, the behavior
here seeks to mimick the binder driver, and some differences are
documented in the code.
After this CL merges, the future work I intend on completing includes:
- support to work over vsock
- performance benchmarking
- optimization of the socket code here (may include delaying refcounts)
- support to pass 'transitive' binders (pass a binder from one service
to a different service, to let it setup a new connection). This task
may be excluded from my efforts as a security hedge if I can manage.
- fuzzer for this wire format
- support for linkToDeath
- support for transaction encryption
- support for promoting from a weak pointer
- handling SIGPIPE for dead connections
- and many more! :)
Bug: 167966510
Test: binderRpcTest
Change-Id: I276c6e312f584b57f4e7a14389ea4a1d63cfa2f4
diff --git a/libs/binder/BpBinder.cpp b/libs/binder/BpBinder.cpp
index ddda024..825a821 100644
--- a/libs/binder/BpBinder.cpp
+++ b/libs/binder/BpBinder.cpp
@@ -21,6 +21,7 @@
#include <binder/IPCThreadState.h>
#include <binder/IResultReceiver.h>
+#include <binder/RpcConnection.h>
#include <binder/Stability.h>
#include <cutils/compiler.h>
#include <utils/Log.h>
@@ -133,25 +134,56 @@
}
sTrackingMap[trackedUid]++;
}
- return new BpBinder(handle, trackedUid);
+ return new BpBinder(BinderHandle{handle}, trackedUid);
}
-BpBinder::BpBinder(int32_t handle, int32_t trackedUid)
- : mStability(0)
- , mHandle(handle)
- , mAlive(1)
- , mObitsSent(0)
- , mObituaries(nullptr)
- , mTrackedUid(trackedUid)
-{
- ALOGV("Creating BpBinder %p handle %d\n", this, mHandle);
+BpBinder* BpBinder::create(const sp<RpcConnection>& connection, const RpcAddress& address) {
+ LOG_ALWAYS_FATAL_IF(connection == nullptr, "BpBinder::create null connection");
+ // These are not currently tracked, since there is no UID or other
+ // identifier to track them with. However, if similar functionality is
+ // needed, connection objects keep track of all BpBinder objects on a
+ // per-connection basis.
+
+ return new BpBinder(SocketHandle{connection, address});
+}
+
+BpBinder::BpBinder(Handle&& handle)
+ : mStability(0),
+ mHandle(handle),
+ mAlive(true),
+ mObitsSent(false),
+ mObituaries(nullptr),
+ mTrackedUid(-1) {
extendObjectLifetime(OBJECT_LIFETIME_WEAK);
- IPCThreadState::self()->incWeakHandle(handle, this);
}
-int32_t BpBinder::handle() const {
- return mHandle;
+BpBinder::BpBinder(BinderHandle&& handle, int32_t trackedUid) : BpBinder(Handle(handle)) {
+ mTrackedUid = trackedUid;
+
+ ALOGV("Creating BpBinder %p handle %d\n", this, this->binderHandle());
+
+ IPCThreadState::self()->incWeakHandle(this->binderHandle(), this);
+}
+
+BpBinder::BpBinder(SocketHandle&& handle) : BpBinder(Handle(handle)) {
+ LOG_ALWAYS_FATAL_IF(rpcConnection() == nullptr, "BpBinder created w/o connection object");
+}
+
+bool BpBinder::isRpcBinder() const {
+ return std::holds_alternative<SocketHandle>(mHandle);
+}
+
+const RpcAddress& BpBinder::rpcAddress() const {
+ return std::get<SocketHandle>(mHandle).address;
+}
+
+const sp<RpcConnection>& BpBinder::rpcConnection() const {
+ return std::get<SocketHandle>(mHandle).connection;
+}
+
+int32_t BpBinder::binderHandle() const {
+ return std::get<BinderHandle>(mHandle).handle;
}
bool BpBinder::isDescriptorCached() const {
@@ -190,9 +222,10 @@
status_t BpBinder::pingBinder()
{
- Parcel send;
+ Parcel data;
+ data.markForBinder(this);
Parcel reply;
- return transact(PING_TRANSACTION, send, &reply);
+ return transact(PING_TRANSACTION, data, &reply);
}
status_t BpBinder::dump(int fd, const Vector<String16>& args)
@@ -236,8 +269,13 @@
}
}
- status_t status = IPCThreadState::self()->transact(
- mHandle, code, data, reply, flags);
+ status_t status;
+ if (CC_UNLIKELY(isRpcBinder())) {
+ status = rpcConnection()->transact(rpcAddress(), code, data, reply, flags);
+ } else {
+ status = IPCThreadState::self()->transact(binderHandle(), code, data, reply, flags);
+ }
+
if (status == DEAD_OBJECT) mAlive = 0;
return status;
@@ -250,6 +288,8 @@
status_t BpBinder::linkToDeath(
const sp<DeathRecipient>& recipient, void* cookie, uint32_t flags)
{
+ if (isRpcBinder()) return UNKNOWN_TRANSACTION;
+
Obituary ob;
ob.recipient = recipient;
ob.cookie = cookie;
@@ -267,10 +307,10 @@
if (!mObituaries) {
return NO_MEMORY;
}
- ALOGV("Requesting death notification: %p handle %d\n", this, mHandle);
+ ALOGV("Requesting death notification: %p handle %d\n", this, binderHandle());
getWeakRefs()->incWeak(this);
IPCThreadState* self = IPCThreadState::self();
- self->requestDeathNotification(mHandle, this);
+ self->requestDeathNotification(binderHandle(), this);
self->flushCommands();
}
ssize_t res = mObituaries->add(ob);
@@ -286,6 +326,8 @@
const wp<DeathRecipient>& recipient, void* cookie, uint32_t flags,
wp<DeathRecipient>* outRecipient)
{
+ if (isRpcBinder()) return UNKNOWN_TRANSACTION;
+
AutoMutex _l(mLock);
if (mObitsSent) {
@@ -303,9 +345,9 @@
}
mObituaries->removeAt(i);
if (mObituaries->size() == 0) {
- ALOGV("Clearing death notification: %p handle %d\n", this, mHandle);
+ ALOGV("Clearing death notification: %p handle %d\n", this, binderHandle());
IPCThreadState* self = IPCThreadState::self();
- self->clearDeathNotification(mHandle, this);
+ self->clearDeathNotification(binderHandle(), this);
self->flushCommands();
delete mObituaries;
mObituaries = nullptr;
@@ -319,8 +361,10 @@
void BpBinder::sendObituary()
{
- ALOGV("Sending obituary for proxy %p handle %d, mObitsSent=%s\n",
- this, mHandle, mObitsSent ? "true" : "false");
+ LOG_ALWAYS_FATAL_IF(isRpcBinder(), "Cannot send obituary for remote binder.");
+
+ ALOGV("Sending obituary for proxy %p handle %d, mObitsSent=%s\n", this, binderHandle(),
+ mObitsSent ? "true" : "false");
mAlive = 0;
if (mObitsSent) return;
@@ -328,9 +372,9 @@
mLock.lock();
Vector<Obituary>* obits = mObituaries;
if(obits != nullptr) {
- ALOGV("Clearing sent death notification: %p handle %d\n", this, mHandle);
+ ALOGV("Clearing sent death notification: %p handle %d\n", this, binderHandle());
IPCThreadState* self = IPCThreadState::self();
- self->clearDeathNotification(mHandle, this);
+ self->clearDeathNotification(binderHandle(), this);
self->flushCommands();
mObituaries = nullptr;
}
@@ -388,7 +432,9 @@
BpBinder::~BpBinder()
{
- ALOGV("Destroying BpBinder %p handle %d\n", this, mHandle);
+ ALOGV("Destroying BpBinder %p handle %d\n", this, binderHandle());
+
+ if (CC_UNLIKELY(isRpcBinder())) return;
IPCThreadState* ipc = IPCThreadState::self();
@@ -396,7 +442,8 @@
AutoMutex _l(sTrackingLock);
uint32_t trackedValue = sTrackingMap[mTrackedUid];
if (CC_UNLIKELY((trackedValue & COUNTING_VALUE_MASK) == 0)) {
- ALOGE("Unexpected Binder Proxy tracking decrement in %p handle %d\n", this, mHandle);
+ ALOGE("Unexpected Binder Proxy tracking decrement in %p handle %d\n", this,
+ binderHandle());
} else {
if (CC_UNLIKELY(
(trackedValue & LIMIT_REACHED_MASK) &&
@@ -413,26 +460,31 @@
}
if (ipc) {
- ipc->expungeHandle(mHandle, this);
- ipc->decWeakHandle(mHandle);
+ ipc->expungeHandle(binderHandle(), this);
+ ipc->decWeakHandle(binderHandle());
}
}
void BpBinder::onFirstRef()
{
- ALOGV("onFirstRef BpBinder %p handle %d\n", this, mHandle);
+ ALOGV("onFirstRef BpBinder %p handle %d\n", this, binderHandle());
+ if (CC_UNLIKELY(isRpcBinder())) return;
IPCThreadState* ipc = IPCThreadState::self();
- if (ipc) ipc->incStrongHandle(mHandle, this);
+ if (ipc) ipc->incStrongHandle(binderHandle(), this);
}
void BpBinder::onLastStrongRef(const void* /*id*/)
{
- ALOGV("onLastStrongRef BpBinder %p handle %d\n", this, mHandle);
+ ALOGV("onLastStrongRef BpBinder %p handle %d\n", this, binderHandle());
+ if (CC_UNLIKELY(isRpcBinder())) {
+ (void)rpcConnection()->sendDecStrong(rpcAddress());
+ return;
+ }
IF_ALOGV() {
printRefs();
}
IPCThreadState* ipc = IPCThreadState::self();
- if (ipc) ipc->decStrongHandle(mHandle);
+ if (ipc) ipc->decStrongHandle(binderHandle());
mLock.lock();
Vector<Obituary>* obits = mObituaries;
@@ -442,7 +494,7 @@
mDescriptorCache.size() ? String8(mDescriptorCache).c_str() : "<uncached descriptor>");
}
- if (ipc) ipc->clearDeathNotification(mHandle, this);
+ if (ipc) ipc->clearDeathNotification(binderHandle(), this);
mObituaries = nullptr;
}
mLock.unlock();
@@ -457,9 +509,12 @@
bool BpBinder::onIncStrongAttempted(uint32_t /*flags*/, const void* /*id*/)
{
- ALOGV("onIncStrongAttempted BpBinder %p handle %d\n", this, mHandle);
+ // RPC binder doesn't currently support inc from weak binders
+ if (CC_UNLIKELY(isRpcBinder())) return false;
+
+ ALOGV("onIncStrongAttempted BpBinder %p handle %d\n", this, binderHandle());
IPCThreadState* ipc = IPCThreadState::self();
- return ipc ? ipc->attemptIncStrongHandle(mHandle) == NO_ERROR : false;
+ return ipc ? ipc->attemptIncStrongHandle(binderHandle()) == NO_ERROR : false;
}
uint32_t BpBinder::getBinderProxyCount(uint32_t uid)