1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <android/binder_ibinder.h>
20 #include <android/binder_shell.h>
21 #include "ibinder_internal.h"
22 
23 #include <atomic>
24 #include <mutex>
25 #include <vector>
26 
27 #include <binder/Binder.h>
28 #include <binder/IBinder.h>
29 #include <utils/Vector.h>
30 
isUserCommand(transaction_code_t code)31 inline bool isUserCommand(transaction_code_t code) {
32     return code >= FIRST_CALL_TRANSACTION && code <= LAST_CALL_TRANSACTION;
33 }
34 
35 struct ABBinder;
36 struct ABpBinder;
37 
38 struct AIBinder : public virtual ::android::RefBase {
39     explicit AIBinder(const AIBinder_Class* clazz);
40     virtual ~AIBinder();
41 
42     bool associateClass(const AIBinder_Class* clazz);
getClassAIBinder43     const AIBinder_Class* getClass() const { return mClazz; }
44 
45     virtual ::android::sp<::android::IBinder> getBinder() = 0;
asABBinderAIBinder46     virtual ABBinder* asABBinder() { return nullptr; }
asABpBinderAIBinder47     virtual ABpBinder* asABpBinder() { return nullptr; }
48 
isRemoteAIBinder49     bool isRemote() const {
50         ::android::sp<::android::IBinder> binder = const_cast<AIBinder*>(this)->getBinder();
51         return binder->remoteBinder() != nullptr;
52     }
53 
54    private:
55     // AIBinder instance is instance of this class for a local object. In order to transact on a
56     // remote object, this also must be set for simplicity (although right now, only the
57     // interfaceDescriptor from it is used).
58     const AIBinder_Class* mClazz;
59 };
60 
61 // This is a local AIBinder object with a known class.
62 struct ABBinder : public AIBinder, public ::android::BBinder {
63     virtual ~ABBinder();
64 
getUserDataABBinder65     void* getUserData() { return mUserData; }
66 
getBinderABBinder67     ::android::sp<::android::IBinder> getBinder() override { return this; }
asABBinderABBinder68     ABBinder* asABBinder() override { return this; }
69 
70     const ::android::String16& getInterfaceDescriptor() const override;
71     ::android::status_t dump(int fd, const ::android::Vector<::android::String16>& args) override;
72     ::android::status_t onTransact(uint32_t code, const ::android::Parcel& data,
73                                    ::android::Parcel* reply, binder_flags_t flags) override;
74 
75    private:
76     ABBinder(const AIBinder_Class* clazz, void* userData);
77 
78     // only thing that should create an ABBinder
79     friend AIBinder* AIBinder_new(const AIBinder_Class*, void*);
80 
81     // Can contain implementation if this is a local binder. This can still be nullptr for a local
82     // binder. If it is nullptr, the implication is the implementation state is entirely external to
83     // this object and the functionality provided in the AIBinder_Class is sufficient.
84     void* mUserData;
85 };
86 
87 // This binder object may be remote or local (even though it is 'Bp'). The implication if it is
88 // local is that it is an IBinder object created outside of the domain of libbinder_ndk.
89 struct ABpBinder : public AIBinder, public ::android::BpRefBase {
90     // Looks up to see if this object has or is an existing ABBinder or ABpBinder object, otherwise
91     // it creates an ABpBinder object.
92     static ::android::sp<AIBinder> lookupOrCreateFromBinder(
93             const ::android::sp<::android::IBinder>& binder);
94 
95     virtual ~ABpBinder();
96 
97     void onLastStrongRef(const void* id) override;
98 
getBinderABpBinder99     ::android::sp<::android::IBinder> getBinder() override { return remote(); }
asABpBinderABpBinder100     ABpBinder* asABpBinder() override { return this; }
101 
102    private:
103     explicit ABpBinder(const ::android::sp<::android::IBinder>& binder);
104 };
105 
106 struct AIBinder_Class {
107     AIBinder_Class(const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate,
108                    AIBinder_Class_onDestroy onDestroy, AIBinder_Class_onTransact onTransact);
109 
getInterfaceDescriptorAIBinder_Class110     const ::android::String16& getInterfaceDescriptor() const { return mInterfaceDescriptor; }
111 
112     // required to be non-null, implemented for every class
113     const AIBinder_Class_onCreate onCreate;
114     const AIBinder_Class_onDestroy onDestroy;
115     const AIBinder_Class_onTransact onTransact;
116 
117     // optional methods for a class
118     AIBinder_onDump onDump;
119     AIBinder_handleShellCommand handleShellCommand;
120 
121    private:
122     // This must be a String16 since BBinder virtual getInterfaceDescriptor returns a reference to
123     // one.
124     const ::android::String16 mInterfaceDescriptor;
125 };
126 
127 // Ownership is like this (when linked to death):
128 //
129 //   AIBinder_DeathRecipient -sp-> TransferDeathRecipient <-wp-> IBinder
130 //
131 // When the AIBinder_DeathRecipient is dropped, so are the actual underlying death recipients. When
132 // the IBinder dies, only a wp to it is kept.
133 struct AIBinder_DeathRecipient : ::android::RefBase {
134     // One of these is created for every linkToDeath. This is to be able to recover data when a
135     // binderDied receipt only gives us information about the IBinder.
136     struct TransferDeathRecipient : ::android::IBinder::DeathRecipient {
TransferDeathRecipientAIBinder_DeathRecipient::TransferDeathRecipient137         TransferDeathRecipient(const ::android::wp<::android::IBinder>& who, void* cookie,
138                                const ::android::wp<AIBinder_DeathRecipient>& parentRecipient,
139                                const AIBinder_DeathRecipient_onBinderDied onDied)
140             : mWho(who), mCookie(cookie), mParentRecipient(parentRecipient), mOnDied(onDied) {}
141 
142         void binderDied(const ::android::wp<::android::IBinder>& who) override;
143 
getWhoAIBinder_DeathRecipient::TransferDeathRecipient144         const ::android::wp<::android::IBinder>& getWho() { return mWho; }
getCookieAIBinder_DeathRecipient::TransferDeathRecipient145         void* getCookie() { return mCookie; }
146 
147        private:
148         ::android::wp<::android::IBinder> mWho;
149         void* mCookie;
150 
151         ::android::wp<AIBinder_DeathRecipient> mParentRecipient;
152 
153         // This is kept separately from AIBinder_DeathRecipient in case the death recipient is
154         // deleted while the death notification is fired
155         const AIBinder_DeathRecipient_onBinderDied mOnDied;
156     };
157 
158     explicit AIBinder_DeathRecipient(AIBinder_DeathRecipient_onBinderDied onDied);
159     binder_status_t linkToDeath(::android::sp<::android::IBinder>, void* cookie);
160     binder_status_t unlinkToDeath(::android::sp<::android::IBinder> binder, void* cookie);
161 
162    private:
163     // When the user of this API deletes a Bp object but not the death recipient, the
164     // TransferDeathRecipient object can't be cleaned up. This is called whenever a new
165     // TransferDeathRecipient is linked, and it ensures that mDeathRecipients can't grow unbounded.
166     void pruneDeadTransferEntriesLocked();
167 
168     std::mutex mDeathRecipientsMutex;
169     std::vector<::android::sp<TransferDeathRecipient>> mDeathRecipients;
170     AIBinder_DeathRecipient_onBinderDied mOnDied;
171 };
172