1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <android/binder_libbinder.h>
18 #include <android/binder_manager.h>
19 #include <android/binder_stability.h>
20 #include <binder/Binder.h>
21 #include <binder/IBinder.h>
22 #include <binder/IPCThreadState.h>
23 #include <binder/IServiceManager.h>
24 #include <binder/Parcel.h>
25 #include <binder/Stability.h>
26 #include <gtest/gtest.h>
27
28 #include <sys/prctl.h>
29
30 #include "aidl/BnBinderStabilityTest.h"
31 #include "BnBinderStabilityTest.h"
32
33 using namespace android;
34 using namespace ndk;
35 using android::binder::Status;
36 using android::internal::Stability; // for testing only!
37
38 const String16 kSystemStabilityServer = String16("binder_stability_test_service_system");
39
40 // This is handwritten so that we can test different stability levels w/o having the AIDL
41 // compiler assign them. Hand-writing binder interfaces is considered a bad practice
42 // sanity reasons. YOU SHOULD DEFINE AN AIDL INTERFACE INSTEAD!
43 class BadStableBinder : public BBinder {
44 public:
45 static constexpr uint32_t USER_TRANSACTION = IBinder::FIRST_CALL_TRANSACTION;
46 static String16 kDescriptor;
47
48 bool gotUserTransaction = false;
49
doUserTransaction(const sp<IBinder> & binder)50 static status_t doUserTransaction(const sp<IBinder>& binder) {
51 Parcel data, reply;
52 data.writeInterfaceToken(kDescriptor);
53 return binder->transact(USER_TRANSACTION, data, &reply, 0/*flags*/);
54 }
55
onTransact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)56 status_t onTransact(uint32_t code,
57 const Parcel& data, Parcel* reply, uint32_t flags) override {
58 if (code == USER_TRANSACTION) {
59 // not interested in this kind of stability. Make sure
60 // we have a test failure
61 LOG_ALWAYS_FATAL_IF(!data.enforceInterface(kDescriptor));
62
63 gotUserTransaction = true;
64
65 ALOGE("binder stability: Got user transaction");
66 return OK;
67 }
68 return BBinder::onTransact(code, data, reply, flags);
69 }
70
undef()71 static sp<BadStableBinder> undef() {
72 sp<BadStableBinder> iface = new BadStableBinder();
73 return iface;
74 }
75
system()76 static sp<BadStableBinder> system() {
77 sp<BadStableBinder> iface = new BadStableBinder();
78 Stability::markCompilationUnit(iface.get()); // <- for test only
79 return iface;
80 }
81
vintf()82 static sp<BadStableBinder> vintf() {
83 sp<BadStableBinder> iface = new BadStableBinder();
84 Stability::markVintf(iface.get()); // <- for test only
85 return iface;
86 }
87
vendor()88 static sp<BadStableBinder> vendor() {
89 sp<BadStableBinder> iface = new BadStableBinder();
90 Stability::markVndk(iface.get()); // <- for test only
91 return iface;
92 }
93 };
94 String16 BadStableBinder::kDescriptor = String16("BadStableBinder.test");
95
96 // NO! NO! NO! Do not even think of doing something like this!
97 // This is for testing! If a class like this was actually used in production,
98 // it would ruin everything!
99 class MyBinderStabilityTest : public BnBinderStabilityTest {
100 public:
sendBinder(const sp<IBinder> &)101 Status sendBinder(const sp<IBinder>& /*binder*/) override {
102 return Status::ok();
103 }
sendAndCallBinder(const sp<IBinder> & binder)104 Status sendAndCallBinder(const sp<IBinder>& binder) override {
105 ALOGI("Debug log stability: %s", Stability::debugToString(binder).c_str());
106 return Status::fromExceptionCode(BadStableBinder::doUserTransaction(binder));
107 }
returnNoStabilityBinder(sp<IBinder> * _aidl_return)108 Status returnNoStabilityBinder(sp<IBinder>* _aidl_return) override {
109 *_aidl_return = BadStableBinder::undef();
110 return Status::ok();
111 }
returnLocalStabilityBinder(sp<IBinder> * _aidl_return)112 Status returnLocalStabilityBinder(sp<IBinder>* _aidl_return) override {
113 *_aidl_return = BadStableBinder::system();
114 return Status::ok();
115 }
returnVintfStabilityBinder(sp<IBinder> * _aidl_return)116 Status returnVintfStabilityBinder(sp<IBinder>* _aidl_return) override {
117 *_aidl_return = BadStableBinder::vintf();
118 return Status::ok();
119 }
returnVendorStabilityBinder(sp<IBinder> * _aidl_return)120 Status returnVendorStabilityBinder(sp<IBinder>* _aidl_return) override {
121 *_aidl_return = BadStableBinder::vendor();
122 return Status::ok();
123 }
124 };
125
TEST(BinderStability,OnlyVintfStabilityBinderNeedsVintfDeclaration)126 TEST(BinderStability, OnlyVintfStabilityBinderNeedsVintfDeclaration) {
127 EXPECT_FALSE(Stability::requiresVintfDeclaration(nullptr));
128 EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::undef()));
129 EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::system()));
130 EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::vendor()));
131
132 EXPECT_TRUE(Stability::requiresVintfDeclaration(BadStableBinder::vintf()));
133 }
134
TEST(BinderStability,ForceDowngradeToLocalStability)135 TEST(BinderStability, ForceDowngradeToLocalStability) {
136 sp<IBinder> someBinder = BadStableBinder::vintf();
137
138 EXPECT_TRUE(Stability::requiresVintfDeclaration(someBinder));
139
140 // silly to do this after already using the binder, but it's for the test
141 Stability::forceDowngradeToLocalStability(someBinder);
142
143 EXPECT_FALSE(Stability::requiresVintfDeclaration(someBinder));
144 }
145
TEST(BinderStability,NdkForceDowngradeToLocalStability)146 TEST(BinderStability, NdkForceDowngradeToLocalStability) {
147 sp<IBinder> someBinder = BadStableBinder::vintf();
148
149 EXPECT_TRUE(Stability::requiresVintfDeclaration(someBinder));
150
151 // silly to do this after already using the binder, but it's for the test
152 AIBinder_forceDowngradeToLocalStability(AIBinder_fromPlatformBinder(someBinder));
153
154 EXPECT_FALSE(Stability::requiresVintfDeclaration(someBinder));
155 }
156
TEST(BinderStability,ForceDowngradeToVendorStability)157 TEST(BinderStability, ForceDowngradeToVendorStability) {
158 sp<IBinder> serverBinder = android::defaultServiceManager()->getService(kSystemStabilityServer);
159 auto server = interface_cast<IBinderStabilityTest>(serverBinder);
160
161 ASSERT_NE(nullptr, server.get());
162 ASSERT_NE(nullptr, IInterface::asBinder(server)->remoteBinder());
163
164 {
165 sp<BadStableBinder> binder = BadStableBinder::vintf();
166
167 EXPECT_TRUE(Stability::requiresVintfDeclaration(binder));
168 EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
169 EXPECT_TRUE(binder->gotUserTransaction);
170 }
171 {
172 sp<BadStableBinder> binder = BadStableBinder::vintf();
173
174 // This method should never be called directly. This is done only for the test.
175 Stability::forceDowngradeToVendorStability(binder);
176
177 // Binder downgraded to vendor stability, cannot be called from system context
178 EXPECT_FALSE(Stability::requiresVintfDeclaration(binder));
179 EXPECT_EQ(BAD_TYPE, server->sendAndCallBinder(binder).exceptionCode());
180 EXPECT_FALSE(binder->gotUserTransaction);
181 }
182 }
183
TEST(BinderStability,VintfStabilityServerMustBeDeclaredInManifest)184 TEST(BinderStability, VintfStabilityServerMustBeDeclaredInManifest) {
185 sp<IBinder> vintfServer = BadStableBinder::vintf();
186
187 for (const char* instance8 : {
188 ".", "/", "/.", "a.d.IFoo", "foo", "a.d.IFoo/foo"
189 }) {
190 String16 instance (instance8);
191
192 EXPECT_EQ(Status::EX_ILLEGAL_ARGUMENT,
193 android::defaultServiceManager()->addService(String16("."), vintfServer)) << instance8;
194 EXPECT_FALSE(android::defaultServiceManager()->isDeclared(instance)) << instance8;
195 EXPECT_EQ(std::nullopt, android::defaultServiceManager()->updatableViaApex(instance))
196 << instance8;
197 }
198 }
199
TEST(BinderStability,ConnectionInfoRequiresManifestEntries)200 TEST(BinderStability, ConnectionInfoRequiresManifestEntries) {
201 sp<IServiceManager> sm = android::defaultServiceManager();
202 sp<IBinder> systemBinder = BadStableBinder::system();
203 EXPECT_EQ(OK, sm->addService(String16("no.connection.foo"), systemBinder));
204 std::optional<android::IServiceManager::ConnectionInfo> connectionInfo;
205 connectionInfo = sm->getConnectionInfo(String16("no.connection.foo"));
206 EXPECT_EQ(connectionInfo, std::nullopt);
207 }
TEST(BinderStability,CantCallVendorBinderInSystemContext)208 TEST(BinderStability, CantCallVendorBinderInSystemContext) {
209 sp<IBinder> serverBinder = android::defaultServiceManager()->getService(kSystemStabilityServer);
210 auto server = interface_cast<IBinderStabilityTest>(serverBinder);
211
212 ASSERT_NE(nullptr, server.get());
213 ASSERT_NE(nullptr, IInterface::asBinder(server)->remoteBinder());
214
215 EXPECT_TRUE(server->sendBinder(BadStableBinder::undef()).isOk());
216 EXPECT_TRUE(server->sendBinder(BadStableBinder::system()).isOk());
217 EXPECT_TRUE(server->sendBinder(BadStableBinder::vintf()).isOk());
218 EXPECT_TRUE(server->sendBinder(BadStableBinder::vendor()).isOk());
219
220 {
221 sp<BadStableBinder> binder = BadStableBinder::undef();
222 EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
223 EXPECT_TRUE(binder->gotUserTransaction);
224 }
225 {
226 sp<BadStableBinder> binder = BadStableBinder::system();
227 EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
228 EXPECT_TRUE(binder->gotUserTransaction);
229 }
230 {
231 sp<BadStableBinder> binder = BadStableBinder::vintf();
232 EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
233 EXPECT_TRUE(binder->gotUserTransaction);
234 }
235 {
236 // !!! user-defined transaction may not be stable for remote server !!!
237 // !!! so, it does not work !!!
238 sp<BadStableBinder> binder = BadStableBinder::vendor();
239 EXPECT_EQ(BAD_TYPE, server->sendAndCallBinder(binder).exceptionCode());
240 EXPECT_FALSE(binder->gotUserTransaction);
241 }
242
243 sp<IBinder> out;
244 EXPECT_TRUE(server->returnNoStabilityBinder(&out).isOk());
245 ASSERT_NE(nullptr, out.get());
246 EXPECT_EQ(OK, out->pingBinder());
247 EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
248
249 EXPECT_TRUE(server->returnLocalStabilityBinder(&out).isOk());
250 ASSERT_NE(nullptr, out.get());
251 EXPECT_EQ(OK, out->pingBinder());
252 EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
253
254 EXPECT_TRUE(server->returnVintfStabilityBinder(&out).isOk());
255 ASSERT_NE(nullptr, out.get());
256 EXPECT_EQ(OK, out->pingBinder());
257 EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
258
259 EXPECT_TRUE(server->returnVendorStabilityBinder(&out).isOk());
260 ASSERT_NE(nullptr, out.get());
261
262 // !!! libbinder-defined transaction works !!!
263 EXPECT_EQ(OK, out->pingBinder());
264
265 // !!! user-defined transaction may not be stable !!!
266 // !!! so, it does not work !!!
267 EXPECT_EQ(BAD_TYPE, BadStableBinder::doUserTransaction(out));
268 }
269
270 // This is handwritten so that we can test different stability levels w/o having the AIDL
271 // compiler assign them. Hand-writing binder interfaces is considered a bad practice
272 // sanity reasons. YOU SHOULD DEFINE AN AIDL INTERFACE INSTEAD!
273
274 struct NdkBinderStable_DataClass {
275 bool gotUserTransaction = false;
276 };
NdkBadStableBinder_Class_onCreate(void * args)277 void* NdkBadStableBinder_Class_onCreate(void* args) {
278 LOG_ALWAYS_FATAL_IF(args != nullptr, "Takes no args");
279 return static_cast<void*>(new NdkBinderStable_DataClass);
280 }
NdkBadStableBinder_Class_onDestroy(void * userData)281 void NdkBadStableBinder_Class_onDestroy(void* userData) {
282 delete static_cast<NdkBinderStable_DataClass*>(userData);
283 }
NdkBadStableBinder_getUserData(AIBinder * binder)284 NdkBinderStable_DataClass* NdkBadStableBinder_getUserData(AIBinder* binder) {
285 LOG_ALWAYS_FATAL_IF(binder == nullptr);
286 void* userData = AIBinder_getUserData(binder);
287 LOG_ALWAYS_FATAL_IF(userData == nullptr, "null data - binder is remote?");
288
289 return static_cast<NdkBinderStable_DataClass*>(userData);
290 }
NdkBadStableBinder_Class_onTransact(AIBinder * binder,transaction_code_t code,const AParcel *,AParcel *)291 binder_status_t NdkBadStableBinder_Class_onTransact(
292 AIBinder* binder, transaction_code_t code, const AParcel* /*in*/, AParcel* /*out*/) {
293
294 if (code == BadStableBinder::USER_TRANSACTION) {
295 ALOGE("ndk binder stability: Got user transaction");
296 NdkBadStableBinder_getUserData(binder)->gotUserTransaction = true;
297 return STATUS_OK;
298 }
299
300 return STATUS_UNKNOWN_TRANSACTION;
301 }
302
303 static AIBinder_Class* kNdkBadStableBinder =
304 AIBinder_Class_define(String8(BadStableBinder::kDescriptor).c_str(),
305 NdkBadStableBinder_Class_onCreate,
306 NdkBadStableBinder_Class_onDestroy,
307 NdkBadStableBinder_Class_onTransact);
308
309 // for testing only to get around __ANDROID_VNDK__ guard.
310 extern "C" void AIBinder_markVendorStability(AIBinder* binder); // <- BAD DO NOT COPY
311
TEST(BinderStability,NdkCantCallVendorBinderInSystemContext)312 TEST(BinderStability, NdkCantCallVendorBinderInSystemContext) {
313 SpAIBinder binder = SpAIBinder(AServiceManager_getService(
314 String8(kSystemStabilityServer).c_str()));
315
316 std::shared_ptr<aidl::IBinderStabilityTest> remoteServer =
317 aidl::IBinderStabilityTest::fromBinder(binder);
318
319 ASSERT_NE(nullptr, remoteServer.get());
320
321 SpAIBinder comp = SpAIBinder(AIBinder_new(kNdkBadStableBinder, nullptr /*args*/));
322 EXPECT_TRUE(remoteServer->sendBinder(comp).isOk());
323 EXPECT_TRUE(remoteServer->sendAndCallBinder(comp).isOk());
324 EXPECT_TRUE(NdkBadStableBinder_getUserData(comp.get())->gotUserTransaction);
325
326 SpAIBinder vendor = SpAIBinder(AIBinder_new(kNdkBadStableBinder, nullptr /*args*/));
327 AIBinder_markVendorStability(vendor.get());
328 EXPECT_TRUE(remoteServer->sendBinder(vendor).isOk());
329 EXPECT_FALSE(remoteServer->sendAndCallBinder(vendor).isOk());
330 EXPECT_FALSE(NdkBadStableBinder_getUserData(vendor.get())->gotUserTransaction);
331 }
332
333 class MarksStabilityInConstructor : public BBinder {
334 public:
335 static bool gDestructed;
336
MarksStabilityInConstructor()337 MarksStabilityInConstructor() {
338 Stability::markCompilationUnit(this);
339 }
~MarksStabilityInConstructor()340 ~MarksStabilityInConstructor() {
341 gDestructed = true;
342 }
343 };
344 bool MarksStabilityInConstructor::gDestructed = false;
345
TEST(BinderStability,MarkingObjectNoDestructTest)346 TEST(BinderStability, MarkingObjectNoDestructTest) {
347 ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
348
349 // best practice is to put this directly in an sp, but for this test, we
350 // want to explicitly check what happens before that happens
351 MarksStabilityInConstructor* binder = new MarksStabilityInConstructor();
352 ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
353
354 sp<MarksStabilityInConstructor> binderSp = binder;
355 ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
356
357 binderSp = nullptr;
358 ASSERT_TRUE(MarksStabilityInConstructor::gDestructed);
359 }
360
TEST(BinderStability,RemarkDies)361 TEST(BinderStability, RemarkDies) {
362 ASSERT_DEATH({
363 sp<IBinder> binder = new BBinder();
364 Stability::markCompilationUnit(binder.get()); // <-- only called for tests
365 Stability::markVndk(binder.get()); // <-- only called for tests
366 }, "Should only mark known object.");
367 }
368
main(int argc,char ** argv)369 int main(int argc, char** argv) {
370 ::testing::InitGoogleTest(&argc, argv);
371
372 if (fork() == 0) {
373 // child process
374 prctl(PR_SET_PDEATHSIG, SIGHUP);
375
376 sp<IBinder> server = new MyBinderStabilityTest;
377 android::defaultServiceManager()->addService(kSystemStabilityServer, server);
378
379 IPCThreadState::self()->joinThreadPool(true);
380 exit(1); // should not reach
381 }
382
383 // This is not racey. Just giving these services some time to register before we call
384 // getService which sleeps for much longer...
385 usleep(10000);
386
387 return RUN_ALL_TESTS();
388 }
389