1 /*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <android-base/logging.h>
18 #include <android/binder_ibinder.h>
19 #include <android/binder_ibinder_platform.h>
20 #include <android/binder_stability.h>
21 #include <android/binder_status.h>
22 #include <binder/IPCThreadState.h>
23 #include <binder/IResultReceiver.h>
24 #include <private/android_filesystem_config.h>
25
26 #include "ibinder_internal.h"
27 #include "parcel_internal.h"
28 #include "status_internal.h"
29
30 using DeathRecipient = ::android::IBinder::DeathRecipient;
31
32 using ::android::IBinder;
33 using ::android::IResultReceiver;
34 using ::android::Parcel;
35 using ::android::sp;
36 using ::android::status_t;
37 using ::android::statusToString;
38 using ::android::String16;
39 using ::android::String8;
40 using ::android::wp;
41
namespace ABBinderTag {

// Key under which the marker below is attached to an IBinder.
static const void* kId = "ABBinder";
// Sentinel whose address identifies an ABBinder; has() compares against it. Never freed.
static void* kValue = static_cast<void*>(new bool{true});

// Cleanup callback handed to attachObject(). The sentinel is shared, so nothing is released.
void clean(const void* /*id*/, void* /*obj*/, void* /*cookie*/) {
    // do nothing
}

// Tags `binder` as an ABBinder. Aborts if something was already attached under kId,
// because the tag can only be attached once.
static void attach(const sp<IBinder>& binder) {
    void* previous = binder->attachObject(kId, kValue, nullptr /*cookie*/, clean);
    CHECK_EQ(nullptr, previous);
}

// Returns true only for a non-null binder that carries the ABBinder tag.
static bool has(const sp<IBinder>& binder) {
    if (binder == nullptr) {
        return false;
    }
    return binder->findObject(kId) == kValue;
}

}  // namespace ABBinderTag
57
namespace ABpBinderTag {

// Key under which a Value is attached to an IBinder.
static const void* kId = "ABpBinder";

// Payload attached under kId: a weak reference to the ABpBinder wrapping the IBinder.
struct Value {
    wp<ABpBinder> binder;
};

// Cleanup callback registered with attachObject(); frees the Value that
// ABpBinder::lookupOrCreateFromBinder allocated.
void clean(const void* id, void* obj, void* cookie) {
    // be wary of leaks!
    // LOG(INFO) << "Deleting an ABpBinder";

    // `obj` is only known to be a Value when the callback fires for our own key, so abort
    // rather than delete through a pointer of unknown type.
    CHECK(id == kId) << id << " " << obj << " " << cookie;

    Value* attached = static_cast<Value*>(obj);
    delete attached;
}

}  // namespace ABpBinderTag
74
// Records the class this binder starts out with. ABpBinder passes nullptr here and relies on
// associateClass() to set it later.
AIBinder::AIBinder(const AIBinder_Class* clazz)
    : mClazz(clazz) {
}
// Nothing to release explicitly; mClazz is not deleted here.
AIBinder::~AIBinder() {
}
77
78 // b/175635923 libcxx causes "implicit-conversion" with a string with invalid char
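// Converts `str` to UTF-8 and replaces every non-printable byte with '?'. Used before a
// descriptor obtained from the underlying binder is streamed into a log line.
static std::string SanitizeString(const String16& str) {
    std::string sanitized{String8(str)};
    for (auto& c : sanitized) {
        // <cctype> classifiers require a value representable as unsigned char (or EOF).
        // A plain char holding a byte >= 0x80 may be negative, which is undefined behaviour,
        // so convert before classifying.
        if (!isprint(static_cast<unsigned char>(c))) {
            c = '?';
        }
    }
    return sanitized;
}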
88
// Associates this binder with `clazz`.
//
// Returns true when `clazz` is already the associated class, or when its interface descriptor
// equals the descriptor reported by the underlying binder (mClazz is then set if it was null).
// Returns false for a null `clazz`, for a non-proxy binder that already has a different class
// object, or on a descriptor mismatch. Every failure except the null check is logged.
bool AIBinder::associateClass(const AIBinder_Class* clazz) {
    if (clazz == nullptr) return false;

    // If mClazz is non-null, this must have been called and cached
    // already. So, we can safely call this first. Due to the implementation
    // of getInterfaceDescriptor (at time of writing), two simultaneous calls
    // may lead to extra binder transactions, but this is expected to be
    // exceedingly rare. Once we have a binder, when we get it again later,
    // we won't make another binder transaction here.
    //
    // NOTE(review): for a proxy, `descriptor` presumably originates from the remote process,
    // which is why it is only ever logged through SanitizeString below.
    const String16& descriptor = getBinder()->getInterfaceDescriptor();
    const String16& newDescriptor = clazz->getInterfaceDescriptor();

    std::lock_guard<std::mutex> lock(mClazzMutex);
    // Fast path: the same class object is already associated.
    if (mClazz == clazz) return true;

    // If this is an ABpBinder, the first class object becomes the canonical one. The implication
    // of this is that no API can require a proxy information to get information on how to behave
    // from the class itself - which should only store the interface descriptor. The functionality
    // should be implemented by adding AIBinder_* APIs to set values on binders themselves, by
    // setting things on AIBinder_Class which get transferred along with the binder, so that they
    // can be read along with the BpBinder, or by modifying APIs directly (e.g. an option in
    // onTransact).
    //
    // While this check is required to support linkernamespaces, one downside of it is that
    // you may parcel code to communicate between things in the same process. However, comms
    // between linkernamespaces like this already happen for cross-language calls like Java<->C++
    // or Rust<->Java, and there are good stability guarantees here. This interacts with
    // binder Stability checks exactly like any other in-process call. The stability is known
    // to the IBinder object, so that it doesn't matter if a class object comes from
    // a different stability level.
    if (mClazz != nullptr && !asABpBinder()) {
        // Non-proxy binder that already has a class: a second, different class object is
        // always rejected, even when the descriptors are equal.
        const String16& currentDescriptor = mClazz->getInterfaceDescriptor();
        if (newDescriptor == currentDescriptor) {
            LOG(ERROR) << __func__ << ": Class descriptors '" << currentDescriptor
                       << "' match during associateClass, but they are different class objects ("
                       << clazz << " vs " << mClazz << "). Class descriptor collision?";
        } else {
            LOG(ERROR) << __func__
                       << ": Class cannot be associated on object which already has a class. "
                          "Trying to associate to '"
                       << newDescriptor << "' but already set to '" << currentDescriptor << "'.";
        }

        // always a failure because we know mClazz != clazz
        return false;
    }

    // This will always be an O(n) comparison, but it's expected to be extremely rare
    // since it's an error condition. Do the comparison after we take the lock and
    // check the pointer equality fast path. By always taking the lock, it's also
    // more flake-proof. However, the check is not dependent on the lock.
    if (descriptor != newDescriptor) {
        // The descriptor reported by the binder is the only thing tying it to `clazz`; a
        // mismatch means the caller would speak the wrong interface to this object.
        if (getBinder()->isBinderAlive()) {
            LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor
                       << "' but descriptor is actually '" << SanitizeString(descriptor) << "'.";
        } else {
            // b/155793159
            LOG(ERROR) << __func__ << ": Cannot associate class '" << newDescriptor
                       << "' to dead binder with cached descriptor '" << SanitizeString(descriptor)
                       << "'.";
        }
        return false;
    }

    // A local binder being set for the first time OR
    // ignoring a proxy binder which is set multiple times, by considering the first
    // associated class as the canonical one.
    if (mClazz == nullptr) {
        mClazz = clazz;
    }

    return true;
}
162
// Builds a local binder of class `clazz` carrying `userData`. Unlike a proxy, a local binder
// must always have a class, so a null `clazz` aborts.
ABBinder::ABBinder(const AIBinder_Class* clazz, void* userData)
    : AIBinder(clazz),
      BBinder(),
      mUserData(userData) {
    CHECK(clazz != nullptr);
}
// Hands the user data back to the class's onDestroy callback.
ABBinder::~ABBinder() {
    const AIBinder_Class* clazz = getClass();
    clazz->onDestroy(mUserData);
}
170
// A local binder reports the interface descriptor of its class.
const String16& ABBinder::getInterfaceDescriptor() const {
    const AIBinder_Class* clazz = getClass();
    return clazz->getInterfaceDescriptor();
}
174
// Forwards a dump request to the class's onDump callback, converting the UTF-16 arguments to
// UTF-8 C strings first.
//
// Returns STATUS_OK when the class has no onDump callback, STATUS_BAD_VALUE when there are more
// than INT32_MAX arguments, otherwise whatever the callback returns.
status_t ABBinder::dump(int fd, const ::android::Vector<String16>& args) {
    const AIBinder_onDump dumpCallback = getClass()->onDump;
    if (dumpCallback == nullptr) {
        return STATUS_OK;
    }

    // technically UINT32_MAX would be okay here, but INT32_MAX is expected since this may be
    // null in Java
    const auto argCount = args.size();
    if (argCount > INT32_MAX) {
        LOG(ERROR) << "ABBinder::dump received too many arguments: " << argCount;
        return STATUS_BAD_VALUE;
    }

    // utf8Args owns the converted strings; utf8Pointers is the view handed over the NDK API.
    std::vector<String8> utf8Args;
    std::vector<const char*> utf8Pointers;
    utf8Args.reserve(argCount);
    utf8Pointers.reserve(argCount);

    for (size_t idx = 0; idx < argCount; ++idx) {
        utf8Args.push_back(String8(args[idx]));
        utf8Pointers.push_back(utf8Args.back().c_str());
    }

    return dumpCallback(this, fd, utf8Pointers.data(), utf8Pointers.size());
}
201
// Dispatches an incoming transaction on a local binder.
//
// - User commands go to the class's onTransact callback, after the interface token check.
// - SHELL_COMMAND_TRANSACTION goes to the class's handleShellCommand callback, if one is set,
//   and only for callers whose UID is AID_ROOT or AID_SHELL.
// - Everything else is delegated to BBinder::onTransact.
//
// `data` comes from the calling process and must be treated as untrusted.
status_t ABBinder::onTransact(transaction_code_t code, const Parcel& data, Parcel* reply,
                              binder_flags_t flags) {
    if (isUserCommand(code)) {
        // Verify the interface token unless the class disabled the header
        // (see AIBinder_Class_disableInterfaceTokenHeader); in that case the callback receives
        // the parcel without this check.
        if (getClass()->writeHeader && !data.checkInterface(this)) {
            return STATUS_BAD_TYPE;
        }

        const AParcel in = AParcel::readOnly(this, &data);
        AParcel out = AParcel(this, reply, false /*owns*/);

        binder_status_t status = getClass()->onTransact(this, code, &in, &out);
        return PruneStatusT(status);
    } else if (code == SHELL_COMMAND_TRANSACTION && getClass()->handleShellCommand != nullptr) {
        // Failed reads are detected further down by comparing against STATUS_BAD_TYPE.
        int in = data.readFileDescriptor();
        int out = data.readFileDescriptor();
        int err = data.readFileDescriptor();

        // argc is caller-controlled; the loop is additionally bounded by the bytes actually
        // left in the parcel, so an inflated count cannot drive unbounded work.
        int argc = data.readInt32();
        std::vector<String8> utf8Args;          // owns memory of utf8s
        std::vector<const char*> utf8Pointers;  // what can be passed over NDK API
        for (int i = 0; i < argc && data.dataAvail() > 0; i++) {
            utf8Args.push_back(String8(data.readString16()));
            // NOTE(review): utf8Args is not reserved here (unlike ABBinder::dump), so this
            // assumes c_str() stays valid when the vector reallocates - confirm for String8.
            utf8Pointers.push_back(utf8Args[i].c_str());
        }

        data.readStrongBinder();  // skip over the IShellCallback
        sp<IResultReceiver> resultReceiver = IResultReceiver::asInterface(data.readStrongBinder());

        // Shell commands should only be callable by ADB.
        // The parcel is parsed before this check because the result receiver, which is read
        // last, is needed to report the denial. Nothing parsed above reaches the callback
        // unless the check passes.
        uid_t uid = AIBinder_getCallingUid();
        if (uid != AID_ROOT && uid != AID_SHELL) {
            if (resultReceiver != nullptr) {
                resultReceiver->send(-1);
            }
            return STATUS_PERMISSION_DENIED;
        }

        // Check that the file descriptors are valid.
        if (in == STATUS_BAD_TYPE || out == STATUS_BAD_TYPE || err == STATUS_BAD_TYPE) {
            if (resultReceiver != nullptr) {
                resultReceiver->send(-1);
            }
            return STATUS_BAD_VALUE;
        }

        binder_status_t status = getClass()->handleShellCommand(
                this, in, out, err, utf8Pointers.data(), utf8Pointers.size());
        if (resultReceiver != nullptr) {
            resultReceiver->send(status);
        }
        // NOTE(review): unlike the user-command branch, the callback's status is returned
        // without going through PruneStatusT - confirm this is intended.
        return status;
    } else {
        return BBinder::onTransact(code, data, reply, flags);
    }
}
257
// Wraps `binder` in a proxy object. The class starts out unset; a null `binder` aborts.
ABpBinder::ABpBinder(const ::android::sp<::android::IBinder>& binder)
    : AIBinder(nullptr /*clazz*/),
      mRemote(binder) {
    CHECK(binder != nullptr);
}
// Nothing to release explicitly; mRemote drops its reference on its own.
ABpBinder::~ABpBinder() {
}
263
// Returns the AIBinder that represents `binder` in this process, creating an ABpBinder for it
// if none exists yet. Returns nullptr for a null `binder`.
sp<AIBinder> ABpBinder::lookupOrCreateFromBinder(const ::android::sp<::android::IBinder>& binder) {
    if (binder == nullptr) {
        return nullptr;
    }
    // The downcast is only taken when the ABBinder tag is present. The tag is attached in
    // AIBinder_new right after the ABBinder is constructed, so it identifies the dynamic type.
    if (ABBinderTag::has(binder)) {
        return static_cast<ABBinder*>(binder.get());
    }

    // The following code ensures that for a given binder object (remote or local), if it is not an
    // ABBinder then at most one ABpBinder object exists in a given process representing it.

    auto* value = static_cast<ABpBinderTag::Value*>(binder->findObject(ABpBinderTag::kId));
    if (value == nullptr) {
        value = new ABpBinderTag::Value;
        // attachObject hands back a previously attached object if there was one; in that case
        // our freshly allocated Value lost the race and is discarded below.
        auto oldValue = static_cast<ABpBinderTag::Value*>(
                binder->attachObject(ABpBinderTag::kId, static_cast<void*>(value),
                                     nullptr /*cookie*/, ABpBinderTag::clean));

        // allocated by another thread
        if (oldValue) {
            delete value;
            value = oldValue;
        }
    }

    // Promote the cached weak reference, or create and cache a new ABpBinder, inside the
    // binder's withLock() so the check and the store are not interleaved with another caller.
    sp<ABpBinder> ret;
    binder->withLock([&]() {
        ret = value->binder.promote();
        if (ret == nullptr) {
            ret = sp<ABpBinder>::make(binder);
            value->binder = ret;
        }
    });

    return ret;
}
300
// Heap-allocated handle exposed through the C API. It holds only a weak reference, so it does
// not keep the binder alive; see AIBinder_Weak_promote.
struct AIBinder_Weak {
    wp<AIBinder> binder;
};
// Allocates a weak handle for `binder`, or returns nullptr when `binder` is null.
// The result is released with AIBinder_Weak_delete.
AIBinder_Weak* AIBinder_Weak_new(AIBinder* binder) {
    if (binder != nullptr) {
        return new AIBinder_Weak{wp<AIBinder>(binder)};
    }

    return nullptr;
}
// Frees a weak handle. A null handle is accepted, since deleting nullptr has no effect.
void AIBinder_Weak_delete(AIBinder_Weak* weakBinder) {
    AIBinder_Weak* const handle = weakBinder;
    delete handle;
}
// Tries to turn a weak handle into a strong reference.
//
// Returns nullptr for a null handle or when promotion yields no object. Otherwise the returned
// pointer carries one extra strong reference, taken through AIBinder_incStrong, which outlives
// the local sp.
AIBinder* AIBinder_Weak_promote(AIBinder_Weak* weakBinder) {
    if (weakBinder != nullptr) {
        const sp<AIBinder> strong = weakBinder->binder.promote();
        AIBinder* const raw = strong.get();
        // AIBinder_incStrong ignores null, so a failed promotion needs no special case.
        AIBinder_incStrong(raw);
        return raw;
    }

    return nullptr;
}
323
// Allocates a second weak handle referring to the same binder as `weak`, or returns nullptr
// when `weak` is null.
AIBinder_Weak* AIBinder_Weak_clone(const AIBinder_Weak* weak) {
    if (weak != nullptr) {
        return new AIBinder_Weak{weak->binder};
    }

    return nullptr;
}
331
// Ordering for AIBinder pointers. When both are non-null the underlying binders returned by
// getBinder() are compared; when either is null the raw pointers are compared instead.
bool AIBinder_lt(const AIBinder* lhs, const AIBinder* rhs) {
    const bool bothPresent = lhs != nullptr && rhs != nullptr;
    if (!bothPresent) {
        return lhs < rhs;
    }

    // NOTE(review): const is cast away presumably because getBinder() is non-const.
    AIBinder* const left = const_cast<AIBinder*>(lhs);
    AIBinder* const right = const_cast<AIBinder*>(rhs);
    return left->getBinder() < right->getBinder();
}
337
// Ordering for weak handles. When both are non-null the wrapped weak pointers are compared;
// when either is null the raw handle pointers are compared instead.
bool AIBinder_Weak_lt(const AIBinder_Weak* lhs, const AIBinder_Weak* rhs) {
    const bool bothPresent = lhs != nullptr && rhs != nullptr;
    if (!bothPresent) {
        return lhs < rhs;
    }

    return lhs->binder < rhs->binder;
}
343
344 // WARNING: When multiple classes exist with the same interface descriptor in different
345 // linkernamespaces, the first one to be associated with mClazz becomes the canonical one
346 // and the only requirement on this is that the interface descriptors match. If this
347 // is an ABpBinder, no other state can be referenced from mClazz.
// Stores the three mandatory callbacks and the interface descriptor. The descriptor is kept in
// two members, both initialised from the same C string.
AIBinder_Class::AIBinder_Class(const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate,
                               AIBinder_Class_onDestroy onDestroy,
                               AIBinder_Class_onTransact onTransact)
    : onCreate(onCreate), onDestroy(onDestroy), onTransact(onTransact),
      mInterfaceDescriptor(interfaceDescriptor),
      mWideInterfaceDescriptor(interfaceDescriptor) {
}
356
// Allocates a class object for `interfaceDescriptor`. All four arguments are required; returns
// nullptr if any of them is null. Nothing in this function frees the returned object.
AIBinder_Class* AIBinder_Class_define(const char* interfaceDescriptor,
                                      AIBinder_Class_onCreate onCreate,
                                      AIBinder_Class_onDestroy onDestroy,
                                      AIBinder_Class_onTransact onTransact) {
    const bool complete = interfaceDescriptor != nullptr && onCreate != nullptr &&
                          onDestroy != nullptr && onTransact != nullptr;
    if (!complete) {
        return nullptr;
    }

    return new AIBinder_Class(interfaceDescriptor, onCreate, onDestroy, onTransact);
}
368
// Installs the dump callback on `clazz`. Aborts on a null class.
// The write is unsynchronised, which is why it has to happen before any instance exists.
void AIBinder_Class_setOnDump(AIBinder_Class* clazz, AIBinder_onDump onDump) {
    CHECK(clazz != nullptr) << "setOnDump requires non-null clazz";

    // this is required to be called before instances are instantiated
    AIBinder_Class& target = *clazz;
    target.onDump = onDump;
}
375
// Turns off the interface token header for `clazz`. Aborts on a null class.
//
// With writeHeader cleared, AIBinder_prepareTransaction no longer writes the interface token
// and ABBinder::onTransact no longer checks it on incoming user commands, so the transaction
// handler itself becomes responsible for validating what it receives.
void AIBinder_Class_disableInterfaceTokenHeader(AIBinder_Class* clazz) {
    CHECK(clazz != nullptr) << "disableInterfaceTokenHeader requires non-null clazz";

    AIBinder_Class& target = *clazz;
    target.writeHeader = false;
}
381
// Installs the shell-command callback on `clazz`. Aborts on a null class.
// ABBinder::onTransact only invokes it for callers whose UID is AID_ROOT or AID_SHELL.
void AIBinder_Class_setHandleShellCommand(AIBinder_Class* clazz,
                                          AIBinder_handleShellCommand handleShellCommand) {
    CHECK(clazz != nullptr) << "setHandleShellCommand requires non-null clazz";

    AIBinder_Class& target = *clazz;
    target.handleShellCommand = handleShellCommand;
}
388
// Returns the UTF-8 interface descriptor of `clazz`. Aborts on a null class.
const char* AIBinder_Class_getDescriptor(const AIBinder_Class* clazz) {
    CHECK(clazz != nullptr) << "getDescriptor requires non-null clazz";

    const AIBinder_Class& target = *clazz;
    return target.getInterfaceDescriptorUtf8();
}
394
// Runs the optional onUnlinked callback with the cookie when this entry is destroyed, giving
// the owner of the cookie a point at which to release it.
AIBinder_DeathRecipient::TransferDeathRecipient::~TransferDeathRecipient() {
    if (mOnUnlinked == nullptr) {
        return;
    }

    mOnUnlinked(mCookie);
}
400
// Death notification for the binder this entry is linked to.
//
// Aborts if `who` is not the binder recorded in mWho. Otherwise runs the user's onDied callback
// with the cookie, attempts to unlink from the parent recipient, and clears mWho so the entry
// can be pruned.
void AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(const wp<IBinder>& who) {
    CHECK(who == mWho) << who.unsafe_get() << "(" << who.get_refs() << ") vs " << mWho.unsafe_get()
                       << " (" << mWho.get_refs() << ")";

    mOnDied(mCookie);

    sp<AIBinder_DeathRecipient> parent = mParentRecipient.promote();
    sp<IBinder> deadBinder = who.promote();

    // otherwise this will be cleaned up later with pruneDeadTransferEntriesLocked
    const bool canUnlinkNow = parent != nullptr && deadBinder != nullptr;
    if (canUnlinkNow) {
        // DEAD_OBJECT is the expected outcome for a binder that has died; anything else is
        // only worth a warning.
        status_t unlinkResult = parent->unlinkToDeath(deadBinder, mCookie);
        if (unlinkResult != ::android::DEAD_OBJECT) {
            LOG(WARNING) << "Unlinking to dead binder resulted in: " << unlinkResult;
        }
    }

    mWho = nullptr;
}
420
// Creates a recipient with a mandatory onDied callback and no onUnlinked callback.
// A null `onDied` aborts.
AIBinder_DeathRecipient::AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied)
    : mOnDied(onDied),
      mOnUnlinked(nullptr) {
    CHECK(onDied != nullptr);
}
425
// Drops every entry whose getWho() is null (binderDied clears it). The "Locked" suffix reflects
// that linkToDeath calls this while holding mDeathRecipientsMutex.
void AIBinder_DeathRecipient::pruneDeadTransferEntriesLocked() {
    const auto isDead = [](const sp<TransferDeathRecipient>& tdr) {
        return tdr->getWho() == nullptr;
    };

    const auto firstDead =
            std::remove_if(mDeathRecipients.begin(), mDeathRecipients.end(), isDead);
    mDeathRecipients.erase(firstDead, mDeathRecipients.end());
}
433
// Registers for death notifications of `binder`, identified by `cookie`.
//
// A new TransferDeathRecipient is created for the (binder, cookie) pair and linked to the
// binder. On success it is remembered in mDeathRecipients and stale entries are pruned. On
// failure the pruned link status is returned. Aborts on a null `binder`.
binder_status_t AIBinder_DeathRecipient::linkToDeath(const sp<IBinder>& binder, void* cookie) {
    CHECK(binder != nullptr);

    std::lock_guard<std::mutex> guard(mDeathRecipientsMutex);

    sp<TransferDeathRecipient> transfer =
            new TransferDeathRecipient(binder, cookie, this, mOnDied, mOnUnlinked);

    const status_t linkStatus = binder->linkToDeath(transfer, cookie, 0 /*flags*/);
    if (linkStatus == STATUS_OK) {
        mDeathRecipients.push_back(transfer);

        pruneDeadTransferEntriesLocked();
        return STATUS_OK;
    }

    // When we failed to link, the destructor of TransferDeathRecipient runs here, which
    // ensures that mOnUnlinked is called before we return with an error from this method.
    return PruneStatusT(linkStatus);
}
454
// Removes the most recently added registration matching (`binder`, `cookie`) and unlinks it
// from the binder.
//
// Returns the pruned status of the underlying unlinkToDeath call, or STATUS_NAME_NOT_FOUND when
// no matching entry exists. Aborts on a null `binder`.
binder_status_t AIBinder_DeathRecipient::unlinkToDeath(const sp<IBinder>& binder, void* cookie) {
    CHECK(binder != nullptr);

    std::lock_guard<std::mutex> l(mDeathRecipientsMutex);

    // Walk backwards so that, among duplicate registrations, the newest one is removed.
    for (auto it = mDeathRecipients.rbegin(); it != mDeathRecipients.rend(); ++it) {
        // Strong copy: keeps the entry alive after it is erased from the vector below.
        sp<TransferDeathRecipient> recipient = *it;

        if (recipient->getCookie() == cookie && recipient->getWho() == binder) {
            // it.base() points one past the element `it` refers to, hence the - 1.
            // The iterator is not used again after the erase; every path below returns.
            mDeathRecipients.erase(it.base() - 1);

            status_t status = binder->unlinkToDeath(recipient, cookie, 0 /*flags*/);
            if (status != ::android::OK) {
                // The entry is already gone from mDeathRecipients even though the unlink failed.
                LOG(ERROR) << __func__
                           << ": removed reference to death recipient but unlink failed: "
                           << statusToString(status);
            }
            return PruneStatusT(status);
        }
    }

    return STATUS_NAME_NOT_FOUND;
}
478
// Sets the callback copied into every TransferDeathRecipient created by later linkToDeath
// calls. The write is not guarded by mDeathRecipientsMutex.
void AIBinder_DeathRecipient::setOnUnlinked(AIBinder_DeathRecipient_onBinderUnlinked onUnlinked) {
    this->mOnUnlinked = onUnlinked;
}
482
483 // start of C-API methods
484
// Creates a local binder of class `clazz`.
//
// `args` is passed to the class's onCreate callback and the result becomes the binder's user
// data. The new object is tagged as an ABBinder and returned with one strong reference owned by
// the caller. Returns nullptr (and logs) when `clazz` is null.
AIBinder* AIBinder_new(const AIBinder_Class* clazz, void* args) {
    if (clazz == nullptr) {
        LOG(ERROR) << __func__ << ": Must provide class to construct local binder.";
        return nullptr;
    }

    void* const userData = clazz->onCreate(args);

    sp<AIBinder> local = new ABBinder(clazz, userData);
    // The tag is what lets lookupOrCreateFromBinder recognise this object as an ABBinder.
    ABBinderTag::attach(local->getBinder());

    // This reference outlives the local sp and belongs to the caller.
    AIBinder* const raw = local.get();
    AIBinder_incStrong(raw);
    return raw;
}
499
// Reports whether `binder` is remote. A null binder is reported as not remote.
bool AIBinder_isRemote(const AIBinder* binder) {
    if (binder != nullptr) {
        return binder->isRemote();
    }

    return false;
}
507
// Reports whether the underlying binder is alive. A null binder is reported as not alive.
bool AIBinder_isAlive(const AIBinder* binder) {
    if (binder != nullptr) {
        AIBinder* const mutableBinder = const_cast<AIBinder*>(binder);
        return mutableBinder->getBinder()->isBinderAlive();
    }

    return false;
}
515
// Pings the underlying binder and returns the pruned status.
// Returns STATUS_UNEXPECTED_NULL for a null binder.
binder_status_t AIBinder_ping(AIBinder* binder) {
    if (binder != nullptr) {
        const status_t pingStatus = binder->getBinder()->pingBinder();
        return PruneStatusT(pingStatus);
    }

    return STATUS_UNEXPECTED_NULL;
}
523
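// Dumps `binder` to `fd` with `numArgs` UTF-8 arguments.
//
// A local binder has its class's onDump callback invoked directly (STATUS_OK when there is
// none). Otherwise the arguments are converted to UTF-16 and the request is forwarded to the
// underlying binder.
//
// Returns STATUS_UNEXPECTED_NULL for a null binder, or when `args` is null while `numArgs` is
// non-zero on the forwarding path.
binder_status_t AIBinder_dump(AIBinder* binder, int fd, const char** args, uint32_t numArgs) {
    if (binder == nullptr) {
        return STATUS_UNEXPECTED_NULL;
    }

    ABBinder* bBinder = binder->asABBinder();
    if (bBinder != nullptr) {
        AIBinder_onDump onDump = binder->getClass()->onDump;
        if (onDump == nullptr) {
            return STATUS_OK;
        }
        return PruneStatusT(onDump(bBinder, fd, args, numArgs));
    }

    // The loop below indexes `args`, so a null array with a non-zero count must be rejected
    // instead of dereferenced.
    if (args == nullptr && numArgs != 0) {
        return STATUS_UNEXPECTED_NULL;
    }

    ::android::Vector<String16> utf16Args;
    utf16Args.setCapacity(numArgs);
    for (uint32_t i = 0; i < numArgs; i++) {
        utf16Args.push(String16(String8(args[i])));
    }

    status_t status = binder->getBinder()->dump(fd, utf16Args);
    return PruneStatusT(status);
}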
547
// C entry point for AIBinder_DeathRecipient::linkToDeath.
// Returns STATUS_UNEXPECTED_NULL (and logs) when `binder` or `recipient` is null.
binder_status_t AIBinder_linkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
                                     void* cookie) {
    const bool argsPresent = binder != nullptr && recipient != nullptr;
    if (!argsPresent) {
        LOG(ERROR) << __func__ << ": Must provide binder (" << binder << ") and recipient ("
                   << recipient << ")";
        return STATUS_UNEXPECTED_NULL;
    }

    // returns binder_status_t
    return recipient->linkToDeath(binder->getBinder(), cookie);
}
559
// C entry point for AIBinder_DeathRecipient::unlinkToDeath.
// Returns STATUS_UNEXPECTED_NULL (and logs) when `binder` or `recipient` is null.
binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
                                       void* cookie) {
    const bool argsPresent = binder != nullptr && recipient != nullptr;
    if (!argsPresent) {
        LOG(ERROR) << __func__ << ": Must provide binder (" << binder << ") and recipient ("
                   << recipient << ")";
        return STATUS_UNEXPECTED_NULL;
    }

    // returns binder_status_t
    return recipient->unlinkToDeath(binder->getBinder(), cookie);
}
571
// Returns the calling UID recorded by this thread's IPCThreadState.
// ABBinder::onTransact relies on this value to gate shell commands.
// NOTE(review): presumably only describes a remote caller while a transaction is being
// handled - see AIBinder_isHandlingTransaction.
uid_t AIBinder_getCallingUid() {
    ::android::IPCThreadState* const threadState = ::android::IPCThreadState::self();
    return threadState->getCallingUid();
}
575
// Returns the calling PID recorded by this thread's IPCThreadState.
// NOTE(review): presumably only describes a remote caller while a transaction is being
// handled - see AIBinder_isHandlingTransaction.
pid_t AIBinder_getCallingPid() {
    ::android::IPCThreadState* const threadState = ::android::IPCThreadState::self();
    return threadState->getCallingPid();
}
579
// True when this thread's IPCThreadState has a non-null serving stack pointer.
bool AIBinder_isHandlingTransaction() {
    ::android::IPCThreadState* const threadState = ::android::IPCThreadState::self();
    return threadState->getServingStackPointer() != nullptr;
}
583
// Adds one strong reference to `binder`. A null binder is silently ignored.
void AIBinder_incStrong(AIBinder* binder) {
    if (binder != nullptr) {
        binder->incStrong(nullptr);
    }
}
// Drops one strong reference from `binder`. A null binder is logged as an error and ignored.
void AIBinder_decStrong(AIBinder* binder) {
    if (binder != nullptr) {
        binder->decStrong(nullptr);
        return;
    }

    LOG(ERROR) << __func__ << ": on null binder";
}
// Returns the strong reference count of `binder`, or -1 (after logging) for a null binder.
int32_t AIBinder_debugGetRefCount(AIBinder* binder) {
    if (binder != nullptr) {
        return binder->getStrongCount();
    }

    LOG(ERROR) << __func__ << ": on null binder";
    return -1;
}
607
// C entry point for AIBinder::associateClass. Returns false for a null binder.
bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) {
    if (binder != nullptr) {
        return binder->associateClass(clazz);
    }

    return false;
}
615
// Returns the class currently associated with `binder`, or nullptr for a null binder.
const AIBinder_Class* AIBinder_getClass(AIBinder* binder) {
    if (binder != nullptr) {
        return binder->getClass();
    }

    return nullptr;
}
623
// Returns the user data of a local binder. Returns nullptr for a null binder and for any
// binder that asABBinder() does not recognise as local.
void* AIBinder_getUserData(AIBinder* binder) {
    ABBinder* const localBinder = (binder != nullptr) ? binder->asABBinder() : nullptr;
    if (localBinder != nullptr) {
        return localBinder->getUserData();
    }

    return nullptr;
}
636
// Allocates the input parcel for a transaction on `binder` and stores it in `*in`.
//
// The interface token is written unless the binder's class disabled the header. On failure the
// parcel is freed and `*in` is reset to nullptr.
//
// Returns STATUS_UNEXPECTED_NULL for null arguments, STATUS_INVALID_OPERATION when the binder
// has no class yet, otherwise the pruned status of writing the header.
binder_status_t AIBinder_prepareTransaction(AIBinder* binder, AParcel** in) {
    if (binder == nullptr || in == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null parameters binder (" << binder
                   << ") and in (" << in << ").";
        return STATUS_UNEXPECTED_NULL;
    }

    const AIBinder_Class* clazz = binder->getClass();
    if (clazz == nullptr) {
        LOG(ERROR) << __func__
                   << ": Class must be defined for a remote binder transaction. See "
                      "AIBinder_associateClass.";
        return STATUS_INVALID_OPERATION;
    }

    AParcel* const parcel = new AParcel(binder);
    *in = parcel;
    parcel->get()->markForBinder(binder->getBinder());

    // note - this is the only read of a value in clazz, and it comes with a warning
    // on the API itself. Do not copy this design. Instead, attach data in a new
    // version of the prepareTransaction function.
    status_t headerStatus = android::OK;
    if (clazz->writeHeader) {
        headerStatus = parcel->get()->writeInterfaceToken(clazz->getInterfaceDescriptor());
    }

    const binder_status_t ret = PruneStatusT(headerStatus);
    if (ret == STATUS_OK) {
        return ret;
    }

    // Do not hand a half-initialised parcel back to the caller.
    delete parcel;
    *in = nullptr;
    return ret;
}
671
// Deleter used by AIBinder_transact: frees the parcel behind `parcel` and nulls the caller's
// pointer so it cannot be reused after the transaction.
static void DestroyParcel(AParcel** parcel) {
    AParcel* const owned = *parcel;
    delete owned;
    *parcel = nullptr;
}
676
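// Sends the transaction `code` to `binder` with input parcel `*in` and stores the reply parcel
// in `*out`.
//
// Ownership: once `in` is known to be non-null, this function always deletes `*in` and sets it
// to nullptr, on success and on every error path. `*out` is only allocated after all argument
// checks pass, and it is freed and reset to nullptr if the transaction fails.
//
// Returns STATUS_UNEXPECTED_NULL for null arguments, STATUS_UNKNOWN_TRANSACTION for a code that
// is not a user command, STATUS_BAD_VALUE for unrecognised flags or for a parcel prepared for
// a different binder, otherwise the pruned status of the transaction.
binder_status_t AIBinder_transact(AIBinder* binder, transaction_code_t code, AParcel** in,
                                  AParcel** out, binder_flags_t flags) {
    if (in == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null in parameter";
        return STATUS_UNEXPECTED_NULL;
    }

    using AutoParcelDestroyer = std::unique_ptr<AParcel*, void (*)(AParcel**)>;
    // This object is the input to the transaction. This function takes ownership of it and deletes
    // it.
    AutoParcelDestroyer forIn(in, DestroyParcel);

    // Only user-defined codes may be sent from the NDK; framework codes are refused.
    if (!isUserCommand(code)) {
        LOG(ERROR) << __func__
                   << ": Only user-defined transactions can be made from the NDK, but requested: "
                   << code;
        return STATUS_UNKNOWN_TRANSACTION;
    }

    // Reject any flag bit outside the known set rather than passing it down.
    constexpr binder_flags_t kAllFlags = FLAG_PRIVATE_VENDOR | FLAG_ONEWAY | FLAG_CLEAR_BUF;
    if ((flags & ~kAllFlags) != 0) {
        LOG(ERROR) << __func__ << ": Unrecognized flags sent: " << flags;
        return STATUS_BAD_VALUE;
    }

    if (binder == nullptr || *in == nullptr || out == nullptr) {
        // Log *in, which is the value actually tested; `in` itself is known to be non-null.
        LOG(ERROR) << __func__ << ": requires non-null parameters binder (" << binder << "), in ("
                   << *in << "), and out (" << out << ").";
        return STATUS_UNEXPECTED_NULL;
    }

    // A parcel prepared for one binder must not be sent to another.
    if ((*in)->getBinder() != binder) {
        LOG(ERROR) << __func__ << ": parcel is associated with binder object "
                   << (*in)->getBinder() << " but called with " << binder;
        return STATUS_BAD_VALUE;
    }

    *out = new AParcel(binder);

    status_t status = binder->getBinder()->transact(code, *(*in)->get(), (*out)->get(), flags);
    binder_status_t ret = PruneStatusT(status);

    if (ret != STATUS_OK) {
        delete *out;
        *out = nullptr;
    }

    return ret;
}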
726
// Allocates a death recipient around `onBinderDied` and returns it holding one strong
// reference, which AIBinder_DeathRecipient_delete drops.
// Returns nullptr (and logs) for a null callback.
AIBinder_DeathRecipient* AIBinder_DeathRecipient_new(
        AIBinder_DeathRecipient_onBinderDied onBinderDied) {
    if (onBinderDied == nullptr) {
        LOG(ERROR) << __func__ << ": requires non-null onBinderDied parameter.";
        return nullptr;
    }

    AIBinder_DeathRecipient* const recipient = new AIBinder_DeathRecipient(onBinderDied);
    recipient->incStrong(nullptr);
    return recipient;
}
737
// C entry point for AIBinder_DeathRecipient::setOnUnlinked. A null recipient is ignored.
void AIBinder_DeathRecipient_setOnUnlinked(AIBinder_DeathRecipient* recipient,
                                           AIBinder_DeathRecipient_onBinderUnlinked onUnlinked) {
    if (recipient != nullptr) {
        recipient->setOnUnlinked(onUnlinked);
    }
}
746
// Drops the strong reference taken by AIBinder_DeathRecipient_new. A null recipient is ignored.
void AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient* recipient) {
    if (recipient != nullptr) {
        recipient->decStrong(nullptr);
    }
}
754
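// Fetches the extension binder of `binder` and stores it in `*outExt`.
//
// On success `*outExt` is either nullptr (no extension) or a binder carrying one strong
// reference owned by the caller, to be released with AIBinder_decStrong. On any failure
// `*outExt` is set to nullptr when `outExt` itself is non-null.
//
// Returns STATUS_UNEXPECTED_NULL for null arguments, the pruned error of the underlying
// getExtension call, or STATUS_OK.
binder_status_t AIBinder_getExtension(AIBinder* binder, AIBinder** outExt) {
    if (binder == nullptr || outExt == nullptr) {
        if (outExt != nullptr) {
            *outExt = nullptr;
        }
        return STATUS_UNEXPECTED_NULL;
    }

    sp<IBinder> ext;
    status_t res = binder->getBinder()->getExtension(&ext);

    if (res != android::OK) {
        *outExt = nullptr;
        return PruneStatusT(res);
    }

    sp<AIBinder> ret = ABpBinder::lookupOrCreateFromBinder(ext);
    // Take the caller's reference through AIBinder_incStrong so it uses the same id (nullptr)
    // that AIBinder_decStrong passes when releasing it. It is also a no-op on null.
    AIBinder_incStrong(ret.get());

    *outExt = ret.get();
    return STATUS_OK;
}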
777
// Sets `ext` as the extension of the local binder `binder`.
//
// Returns STATUS_UNEXPECTED_NULL when either argument is null, STATUS_INVALID_OPERATION when
// `binder` is not a local binder, otherwise STATUS_OK.
binder_status_t AIBinder_setExtension(AIBinder* binder, AIBinder* ext) {
    const bool argsPresent = binder != nullptr && ext != nullptr;
    if (!argsPresent) {
        return STATUS_UNEXPECTED_NULL;
    }

    ABBinder* const localBinder = binder->asABBinder();
    if (localBinder == nullptr) {
        return STATUS_INVALID_OPERATION;
    }

    localBinder->setExtension(ext->getBinder());
    return STATUS_OK;
}
791
792 // platform methods follow
793
// Forwards `requestingSid` to setRequestingSid on a local binder. Aborts via LOG(FATAL) when
// `binder` is not local. `binder` itself is not null-checked.
void AIBinder_setRequestingSid(AIBinder* binder, bool requestingSid) {
    ABBinder* const target = binder->asABBinder();
    if (target == nullptr) {
        LOG(FATAL) << "AIBinder_setRequestingSid must be called on a local binder";
    }

    target->setRequestingSid(requestingSid);
}
802
// Returns the calling SID recorded by this thread's IPCThreadState.
// NOTE(review): presumably null unless the serving binder opted in through
// AIBinder_setRequestingSid - callers should handle a null result.
const char* AIBinder_getCallingSid() {
    ::android::IPCThreadState* const threadState = ::android::IPCThreadState::self();
    return threadState->getCallingSid();
}
806
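// Forwards `policy` and `priority` to setMinSchedulerPolicy on a local binder. Aborts via
// LOG(FATAL) when `binder` is not local. `binder` itself is not null-checked.
void AIBinder_setMinSchedulerPolicy(AIBinder* binder, int policy, int priority) {
    ABBinder* localBinder = binder->asABBinder();
    // Same guard as AIBinder_setRequestingSid and AIBinder_setInheritRt: fail with a clear
    // message instead of dereferencing a null ABBinder when handed a proxy.
    if (localBinder == nullptr) {
        LOG(FATAL) << "AIBinder_setMinSchedulerPolicy must be called on a local binder";
    }

    localBinder->setMinSchedulerPolicy(policy, priority);
}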
810
// Forwards `inheritRt` to setInheritRt on a local binder. Aborts via LOG(FATAL) when `binder`
// is not local. `binder` itself is not null-checked.
void AIBinder_setInheritRt(AIBinder* binder, bool inheritRt) {
    ABBinder* const target = binder->asABBinder();
    if (target == nullptr) {
        LOG(FATAL) << "AIBinder_setInheritRt must be called on a local binder";
    }

    target->setInheritRt(inheritRt);
}
819