• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <android/binder_libbinder.h>
18 #include <android/binder_manager.h>
19 #include <android/binder_stability.h>
20 #include <binder/Binder.h>
21 #include <binder/IBinder.h>
22 #include <binder/IPCThreadState.h>
23 #include <binder/IServiceManager.h>
24 #include <binder/Parcel.h>
25 #include <binder/Stability.h>
26 #include <gtest/gtest.h>
27 
28 #include <sys/prctl.h>
29 
30 #include "aidl/BnBinderStabilityTest.h"
31 #include "BnBinderStabilityTest.h"
32 
33 using namespace android;
34 using namespace ndk;
35 using android::binder::Status;
36 using android::internal::Stability; // for testing only!
37 
38 const String16 kSystemStabilityServer = String16("binder_stability_test_service_system");
39 
40 // This is handwritten so that we can test different stability levels w/o having the AIDL
41 // compiler assign them. Hand-writing binder interfaces is considered a bad practice
42 // sanity reasons. YOU SHOULD DEFINE AN AIDL INTERFACE INSTEAD!
43 class BadStableBinder : public BBinder {
44 public:
45     static constexpr uint32_t USER_TRANSACTION = IBinder::FIRST_CALL_TRANSACTION;
46     static String16 kDescriptor;
47 
48     bool gotUserTransaction = false;
49 
doUserTransaction(const sp<IBinder> & binder)50     static status_t doUserTransaction(const sp<IBinder>& binder) {
51         Parcel data, reply;
52         data.writeInterfaceToken(kDescriptor);
53         return binder->transact(USER_TRANSACTION, data, &reply, 0/*flags*/);
54     }
55 
onTransact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)56     status_t onTransact(uint32_t code,
57             const Parcel& data, Parcel* reply, uint32_t flags) override {
58         if (code == USER_TRANSACTION) {
59             // not interested in this kind of stability. Make sure
60             // we have a test failure
61             LOG_ALWAYS_FATAL_IF(!data.enforceInterface(kDescriptor));
62 
63             gotUserTransaction = true;
64 
65             ALOGE("binder stability: Got user transaction");
66             return OK;
67         }
68         return BBinder::onTransact(code, data, reply, flags);
69     }
70 
undef()71     static sp<BadStableBinder> undef() {
72         sp<BadStableBinder> iface = new BadStableBinder();
73         return iface;
74     }
75 
system()76     static sp<BadStableBinder> system() {
77         sp<BadStableBinder> iface = new BadStableBinder();
78         Stability::markCompilationUnit(iface.get()); // <- for test only
79         return iface;
80     }
81 
vintf()82     static sp<BadStableBinder> vintf() {
83         sp<BadStableBinder> iface = new BadStableBinder();
84         Stability::markVintf(iface.get()); // <- for test only
85         return iface;
86     }
87 
vendor()88     static sp<BadStableBinder> vendor() {
89         sp<BadStableBinder> iface = new BadStableBinder();
90         Stability::markVndk(iface.get()); // <- for test only
91         return iface;
92     }
93 };
94 String16 BadStableBinder::kDescriptor = String16("BadStableBinder.test");
95 
96 // NO! NO! NO! Do not even think of doing something like this!
97 // This is for testing! If a class like this was actually used in production,
98 // it would ruin everything!
99 class MyBinderStabilityTest : public BnBinderStabilityTest {
100 public:
sendBinder(const sp<IBinder> &)101     Status sendBinder(const sp<IBinder>& /*binder*/) override {
102         return Status::ok();
103     }
sendAndCallBinder(const sp<IBinder> & binder)104     Status sendAndCallBinder(const sp<IBinder>& binder) override {
105         Stability::debugLogStability("sendAndCallBinder got binder", binder);
106         return Status::fromExceptionCode(BadStableBinder::doUserTransaction(binder));
107     }
returnNoStabilityBinder(sp<IBinder> * _aidl_return)108     Status returnNoStabilityBinder(sp<IBinder>* _aidl_return) override {
109         *_aidl_return = BadStableBinder::undef();
110         return Status::ok();
111     }
returnLocalStabilityBinder(sp<IBinder> * _aidl_return)112     Status returnLocalStabilityBinder(sp<IBinder>* _aidl_return) override {
113         *_aidl_return = BadStableBinder::system();
114         return Status::ok();
115     }
returnVintfStabilityBinder(sp<IBinder> * _aidl_return)116     Status returnVintfStabilityBinder(sp<IBinder>* _aidl_return) override {
117         *_aidl_return = BadStableBinder::vintf();
118         return Status::ok();
119     }
returnVendorStabilityBinder(sp<IBinder> * _aidl_return)120     Status returnVendorStabilityBinder(sp<IBinder>* _aidl_return) override {
121         *_aidl_return = BadStableBinder::vendor();
122         return Status::ok();
123     }
124 };
125 
TEST(BinderStability,OnlyVintfStabilityBinderNeedsVintfDeclaration)126 TEST(BinderStability, OnlyVintfStabilityBinderNeedsVintfDeclaration) {
127     EXPECT_FALSE(Stability::requiresVintfDeclaration(nullptr));
128     EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::undef()));
129     EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::system()));
130     EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::vendor()));
131 
132     EXPECT_TRUE(Stability::requiresVintfDeclaration(BadStableBinder::vintf()));
133 }
134 
TEST(BinderStability,ForceDowngradeToLocalStability)135 TEST(BinderStability, ForceDowngradeToLocalStability) {
136     sp<IBinder> someBinder = BadStableBinder::vintf();
137 
138     EXPECT_TRUE(Stability::requiresVintfDeclaration(someBinder));
139 
140     // silly to do this after already using the binder, but it's for the test
141     Stability::forceDowngradeToLocalStability(someBinder);
142 
143     EXPECT_FALSE(Stability::requiresVintfDeclaration(someBinder));
144 }
145 
TEST(BinderStability,NdkForceDowngradeToLocalStability)146 TEST(BinderStability, NdkForceDowngradeToLocalStability) {
147     sp<IBinder> someBinder = BadStableBinder::vintf();
148 
149     EXPECT_TRUE(Stability::requiresVintfDeclaration(someBinder));
150 
151     // silly to do this after already using the binder, but it's for the test
152     AIBinder_forceDowngradeToLocalStability(AIBinder_fromPlatformBinder(someBinder));
153 
154     EXPECT_FALSE(Stability::requiresVintfDeclaration(someBinder));
155 }
156 
TEST(BinderStability,ForceDowngradeToVendorStability)157 TEST(BinderStability, ForceDowngradeToVendorStability) {
158     sp<IBinder> serverBinder = android::defaultServiceManager()->getService(kSystemStabilityServer);
159     auto server = interface_cast<IBinderStabilityTest>(serverBinder);
160 
161     ASSERT_NE(nullptr, server.get());
162     ASSERT_NE(nullptr, IInterface::asBinder(server)->remoteBinder());
163 
164     {
165         sp<BadStableBinder> binder = BadStableBinder::vintf();
166 
167         EXPECT_TRUE(Stability::requiresVintfDeclaration(binder));
168         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
169         EXPECT_TRUE(binder->gotUserTransaction);
170     }
171     {
172         sp<BadStableBinder> binder = BadStableBinder::vintf();
173 
174         // This method should never be called directly. This is done only for the test.
175         Stability::forceDowngradeToVendorStability(binder);
176 
177         // Binder downgraded to vendor stability, cannot be called from system context
178         EXPECT_FALSE(Stability::requiresVintfDeclaration(binder));
179         EXPECT_EQ(BAD_TYPE, server->sendAndCallBinder(binder).exceptionCode());
180         EXPECT_FALSE(binder->gotUserTransaction);
181     }
182 }
183 
TEST(BinderStability,VintfStabilityServerMustBeDeclaredInManifest)184 TEST(BinderStability, VintfStabilityServerMustBeDeclaredInManifest) {
185     sp<IBinder> vintfServer = BadStableBinder::vintf();
186 
187     for (const char* instance8 : {
188         ".", "/", "/.", "a.d.IFoo", "foo", "a.d.IFoo/foo"
189     }) {
190         String16 instance (instance8);
191 
192         EXPECT_EQ(Status::EX_ILLEGAL_ARGUMENT,
193             android::defaultServiceManager()->addService(String16("."), vintfServer)) << instance8;
194         EXPECT_FALSE(android::defaultServiceManager()->isDeclared(instance)) << instance8;
195         EXPECT_EQ(std::nullopt, android::defaultServiceManager()->updatableViaApex(instance))
196                 << instance8;
197     }
198 }
199 
TEST(BinderStability,CantCallVendorBinderInSystemContext)200 TEST(BinderStability, CantCallVendorBinderInSystemContext) {
201     sp<IBinder> serverBinder = android::defaultServiceManager()->getService(kSystemStabilityServer);
202     auto server = interface_cast<IBinderStabilityTest>(serverBinder);
203 
204     ASSERT_NE(nullptr, server.get());
205     ASSERT_NE(nullptr, IInterface::asBinder(server)->remoteBinder());
206 
207     EXPECT_TRUE(server->sendBinder(BadStableBinder::undef()).isOk());
208     EXPECT_TRUE(server->sendBinder(BadStableBinder::system()).isOk());
209     EXPECT_TRUE(server->sendBinder(BadStableBinder::vintf()).isOk());
210     EXPECT_TRUE(server->sendBinder(BadStableBinder::vendor()).isOk());
211 
212     {
213         sp<BadStableBinder> binder = BadStableBinder::undef();
214         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
215         EXPECT_TRUE(binder->gotUserTransaction);
216     }
217     {
218         sp<BadStableBinder> binder = BadStableBinder::system();
219         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
220         EXPECT_TRUE(binder->gotUserTransaction);
221     }
222     {
223         sp<BadStableBinder> binder = BadStableBinder::vintf();
224         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
225         EXPECT_TRUE(binder->gotUserTransaction);
226     }
227     {
228         // !!! user-defined transaction may not be stable for remote server !!!
229         // !!! so, it does not work !!!
230         sp<BadStableBinder> binder = BadStableBinder::vendor();
231         EXPECT_EQ(BAD_TYPE, server->sendAndCallBinder(binder).exceptionCode());
232         EXPECT_FALSE(binder->gotUserTransaction);
233     }
234 
235     sp<IBinder> out;
236     EXPECT_TRUE(server->returnNoStabilityBinder(&out).isOk());
237     ASSERT_NE(nullptr, out.get());
238     EXPECT_EQ(OK, out->pingBinder());
239     EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
240 
241     EXPECT_TRUE(server->returnLocalStabilityBinder(&out).isOk());
242     ASSERT_NE(nullptr, out.get());
243     EXPECT_EQ(OK, out->pingBinder());
244     EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
245 
246     EXPECT_TRUE(server->returnVintfStabilityBinder(&out).isOk());
247     ASSERT_NE(nullptr, out.get());
248     EXPECT_EQ(OK, out->pingBinder());
249     EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
250 
251     EXPECT_TRUE(server->returnVendorStabilityBinder(&out).isOk());
252     ASSERT_NE(nullptr, out.get());
253 
254     // !!! libbinder-defined transaction works !!!
255     EXPECT_EQ(OK, out->pingBinder());
256 
257     // !!! user-defined transaction may not be stable !!!
258     // !!! so, it does not work !!!
259     EXPECT_EQ(BAD_TYPE, BadStableBinder::doUserTransaction(out));
260 }
261 
262 // This is handwritten so that we can test different stability levels w/o having the AIDL
263 // compiler assign them. Hand-writing binder interfaces is considered a bad practice
264 // sanity reasons. YOU SHOULD DEFINE AN AIDL INTERFACE INSTEAD!
265 
266 struct NdkBinderStable_DataClass {
267     bool gotUserTransaction = false;
268 };
NdkBadStableBinder_Class_onCreate(void * args)269 void* NdkBadStableBinder_Class_onCreate(void* args) {
270     LOG_ALWAYS_FATAL_IF(args != nullptr, "Takes no args");
271     return static_cast<void*>(new NdkBinderStable_DataClass);
272 }
NdkBadStableBinder_Class_onDestroy(void * userData)273 void NdkBadStableBinder_Class_onDestroy(void* userData) {
274     delete static_cast<NdkBinderStable_DataClass*>(userData);
275 }
NdkBadStableBinder_getUserData(AIBinder * binder)276 NdkBinderStable_DataClass* NdkBadStableBinder_getUserData(AIBinder* binder) {
277     LOG_ALWAYS_FATAL_IF(binder == nullptr);
278     void* userData = AIBinder_getUserData(binder);
279     LOG_ALWAYS_FATAL_IF(userData == nullptr, "null data - binder is remote?");
280 
281     return static_cast<NdkBinderStable_DataClass*>(userData);
282 }
NdkBadStableBinder_Class_onTransact(AIBinder * binder,transaction_code_t code,const AParcel *,AParcel *)283 binder_status_t NdkBadStableBinder_Class_onTransact(
284     AIBinder* binder, transaction_code_t code, const AParcel* /*in*/, AParcel* /*out*/) {
285 
286     if (code == BadStableBinder::USER_TRANSACTION) {
287         ALOGE("ndk binder stability: Got user transaction");
288         NdkBadStableBinder_getUserData(binder)->gotUserTransaction = true;
289         return STATUS_OK;
290     }
291 
292     return STATUS_UNKNOWN_TRANSACTION;
293 }
294 
295 static AIBinder_Class* kNdkBadStableBinder =
296     AIBinder_Class_define(String8(BadStableBinder::kDescriptor).c_str(),
297                           NdkBadStableBinder_Class_onCreate,
298                           NdkBadStableBinder_Class_onDestroy,
299                           NdkBadStableBinder_Class_onTransact);
300 
301 // for testing only to get around __ANDROID_VNDK__ guard.
302 extern "C" void AIBinder_markVendorStability(AIBinder* binder); // <- BAD DO NOT COPY
303 
TEST(BinderStability,NdkCantCallVendorBinderInSystemContext)304 TEST(BinderStability, NdkCantCallVendorBinderInSystemContext) {
305     SpAIBinder binder = SpAIBinder(AServiceManager_getService(
306         String8(kSystemStabilityServer).c_str()));
307 
308     std::shared_ptr<aidl::IBinderStabilityTest> remoteServer =
309         aidl::IBinderStabilityTest::fromBinder(binder);
310 
311     ASSERT_NE(nullptr, remoteServer.get());
312 
313     SpAIBinder comp = SpAIBinder(AIBinder_new(kNdkBadStableBinder, nullptr /*args*/));
314     EXPECT_TRUE(remoteServer->sendBinder(comp).isOk());
315     EXPECT_TRUE(remoteServer->sendAndCallBinder(comp).isOk());
316     EXPECT_TRUE(NdkBadStableBinder_getUserData(comp.get())->gotUserTransaction);
317 
318     SpAIBinder vendor = SpAIBinder(AIBinder_new(kNdkBadStableBinder, nullptr /*args*/));
319     AIBinder_markVendorStability(vendor.get());
320     EXPECT_TRUE(remoteServer->sendBinder(vendor).isOk());
321     EXPECT_FALSE(remoteServer->sendAndCallBinder(vendor).isOk());
322     EXPECT_FALSE(NdkBadStableBinder_getUserData(vendor.get())->gotUserTransaction);
323 }
324 
325 class MarksStabilityInConstructor : public BBinder {
326 public:
327     static bool gDestructed;
328 
MarksStabilityInConstructor()329     MarksStabilityInConstructor() {
330         Stability::markCompilationUnit(this);
331     }
~MarksStabilityInConstructor()332     ~MarksStabilityInConstructor() {
333         gDestructed = true;
334     }
335 };
336 bool MarksStabilityInConstructor::gDestructed = false;
337 
TEST(BinderStability,MarkingObjectNoDestructTest)338 TEST(BinderStability, MarkingObjectNoDestructTest) {
339     ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
340 
341     // best practice is to put this directly in an sp, but for this test, we
342     // want to explicitly check what happens before that happens
343     MarksStabilityInConstructor* binder = new MarksStabilityInConstructor();
344     ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
345 
346     sp<MarksStabilityInConstructor> binderSp = binder;
347     ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
348 
349     binderSp = nullptr;
350     ASSERT_TRUE(MarksStabilityInConstructor::gDestructed);
351 }
352 
TEST(BinderStability,RemarkDies)353 TEST(BinderStability, RemarkDies) {
354     ASSERT_DEATH({
355         sp<IBinder> binder = new BBinder();
356         Stability::markCompilationUnit(binder.get()); // <-- only called for tests
357         Stability::markVndk(binder.get()); // <-- only called for tests
358     }, "Should only mark known object.");
359 }
360 
main(int argc,char ** argv)361 int main(int argc, char** argv) {
362     ::testing::InitGoogleTest(&argc, argv);
363 
364     if (fork() == 0) {
365         // child process
366         prctl(PR_SET_PDEATHSIG, SIGHUP);
367 
368         sp<IBinder> server = new MyBinderStabilityTest;
369         android::defaultServiceManager()->addService(kSystemStabilityServer, server);
370 
371         IPCThreadState::self()->joinThreadPool(true);
372         exit(1);  // should not reach
373     }
374 
375     // This is not racey. Just giving these services some time to register before we call
376     // getService which sleeps for much longer...
377     usleep(10000);
378 
379     return RUN_ALL_TESTS();
380 }
381