作者:秋城

 

一、前言

Servicemanager 程序(以下简称SM)是 Android 系统 binder 模块重要的组成部分,扮演着类似 C/S 架构中的 DNS 服务器的角色,提供服务增查和权限管理等功能支撑

在 Android 11 之前的版本里,SM 是面向 binder 驱动编程,直接使用 open、mmap、ioctl 等 api 与 binder 驱动交互。而从 Android 11 开始,SM 放弃使用这些较底层的接口,转向 libbinder 库和 AIDL。标志性的提交如下,该提交奠定了新的 SM 架构基础,此后多次提交对此进行完善填充

frameworks/native

servicemanager: use libbinder

Bug: 135768100
Test: boot
Test: servicemanager_test

Change-Id: I9d657b6c0d0be0f763b6d54e0e6c6bc1c1e3fc7a
(cherry picked from commit 3e092daa14c63831d76d3ad6e56b2919a0523536)

本文代码基于 Android 12,以 SM 为主视角,从架构和情景流程上带大家认识新的 Native Binder

二. 软件架构

2.1 架构概述

android mavan配置ssl_android mavan配置ssl

图1:切换到 aidl 和 libbinder 后的 ServiceManager 类关系图

图注:

为了画图方便,将 namespace 写成了下划线形式。

android_os_BpServiceManager 和 android_os_BnServiceManager、android_os_IServiceManager 类均在 android os 的 namespace 中,其他无下划线的类名,处于 android namespace 中。

一图胜千言,11 之前的 SM 是写在 c 文件里,没有类的概念,现在基于 aidl 和 libbinder,使用 cpp 语言,用 uml 就可以很形象地展示类关系了。就着这幅图我们大致描述新的软件架构

  • 红色线段大概地将服务端与客户端类相分隔,服务端在右下角

一些 libbinder 的用于继承的公共类请读者自行剥离,而不是将其归入某一端。例如 IBinder,我们知道他是 BBinder 和 BpBinder 的父类,是公共的接口约束

  • libbinder 中客户端的入口变为:IServiceManager.cpp#ServiceManagerShim

之前无该辅助类,而是直接操作 BpServiceManager,这个辅助类封装了 aidl 自动生成的 BpServiceManager,所以现在的客户端代码流就变成如下三步:

1.用户代码
2.libbinder代码 binder/IServiceManager.cpp#ServiceManagerShim
3.aidl代码      android/os/IServiceManager.cpp#BpServiceManager接口

所以 libbinder 中的 ServiceManagerShim 起到了一个中转的作用,把请求转给 out 下 aidl 自动生成的 BpServiceManager

  • BpServiceManager 的实现挪到 out

原来是在 libbinder#IServiceManager.cpp 中手写实现,现在是 aidl 帮你实现。

当然,该文件中同样自动实现了 BnServiceManager 类

代码路径

out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm64_armv8-a_shared/gen/aidl/android/os/IServiceManager.cpp

  • 服务端的核心实现在 ServiceManager.cpp

原来是没有 Bn 的,而是一个 binder_loop 方法沟通驱动,现在则是ServiceManager 继承了 BnServiceManager 来获得代码流。

  • waitForService 的改动:IServiceCallback.aidl

Waiter 类。新增了 binder 匿名服务用来向 sm 注册跨进程的回调,当 sm 检测到有服务注册时,会返回通知

  • 服务的客户端数量监听:IServiceCallback.aidl

IServiceCallback.aidl 这个匿名 binder 服务就是用于该目的,可以监听某个服务的客户端数量

2.2、文件路径

  • AIDL

AIDL 是一种方便的接口定义语言,用于 Binder-IPC 编程。详细介绍与使用可参考:AIDL Overview

我们关注三个 aidl,分别是 IServiceManager.aidl、IServiceCallback.aidl、IClientCallback.aidl,对应的编译后生成的文件路径为:

out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm_armv8-a_shared/gen/aidl/android/os/

IClientCallback.cpp

IServiceCallback.cpp

IServiceManager.cpp

  • libbinder 中的代码路径

frameworks/native/libs/binder/IServiceManager.cpp

  • SM 服务端代码路径

frameworks/native/cmds/servicemanager/

main.cpp

Access.cpp

ServiceManager.cpp

本小节仅展示涉及变迁的文件路径。简洁起见只写了 cpp 文件,对应的 h 头文件可以附近查找。

另外需要特别区分的是,有两个 IServiceManager。

一个在 libbinder 中,是 Android 的 name space,直接被用户#include<binder/IServiceManager>使用。

另一个是 aidl 自动生成的 Android os 的 name space,被上面的 libbinder 所使#include<android/os/IServiceManager>。

2.3、小结

第二章节从全局的角度展示了 SM 切换到 aidl 和 libbinder的软件架构,结合图来看还是非常清楚易于理解的

接下来跟踪几个情景流程,展示新架构中的细节

三 servicemanager 启动流程分析

android mavan配置ssl_Android_02


图2:servicemanager 启动时序图

如上图,启动流程的变动主要在进入循环的方式,Android 11 之前是通过binder_loop方法,而现在是通过 looper。下面展示细节

frameworks/native/cmds/servicemanager/main.cpp

int main(int argc, char** argv) {
   if (argc > 2) {
       LOG(FATAL) << "usage: " << argv[0] << " [binder driver]";
  }

   const char* driver = argc == 2 ? argv[1] : "/dev/binder";
//沟通binder驱动,open,mmap
   sp<ProcessState> ps = ProcessState::initWithDriver(driver);
   ps->setThreadPoolMaxThreadCount(0);
   //oneway限制,sm发起的binder调用必须是单向,否则打印堆栈日志提示
   ps->setCallRestriction(ProcessState::CallRestriction::FATAL_IF_NOT_ONEWAY);
   //实例化ServiceManager,传入Access类用于鉴权
   sp<ServiceManager> manager = sp<ServiceManager>::make(std::make_unique<Access>());
   if (!manager->addService("manager", manager, false /*allowIsolated*/, IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT).isOk()) {
       LOG(ERROR) << "Could not self register servicemanager";
  }
   //设置全局变量给IPCThreadState
   IPCThreadState::self()->setTheContextObject(manager);
   //注册到驱动,成为binder管理员,handle是0
   ps->becomeContextManager();
   //准备looper
   sp<Looper> looper = Looper::prepare(false /*allowNonCallbacks*/);
   //通知驱动BC_ENTER_LOOPER,监听驱动fd,有消息时回调到handleEvent处理binder调用
   BinderCallback::setupTo(looper);
   //服务的注册监听相关
   ClientCallbackCallback::setupTo(looper, manager);
   //无限循环等消息
   while(true) {
       looper->pollAll(-1);
  }

   // should not be reached
   return EXIT_FAILURE;
}

和原来的 servicemanager 服务相比较,使用了 libbinder 后,代码更规范化,和其他 native 的服务风格一致了。

  • 之前是直接 open、mmap 现在是借助 libbinder
  • 之前是 binder_loop死 循环接收驱动的消息,现在是通过 looper 监听 fd 来handleEvent
  • 之前的鉴权现在被独立到单独文件 Access.cpp

突然想起一个题目,servicemanager 映射的虚拟内存有多大?现在的答案是和普通应用一样大:1M-2 页。

frameworks/native/libs/binder/ProcessState.cpp

#define BINDER_VM_SIZE ((1 * 1024 * 1024) - sysconf(_SC_PAGE_SIZE) * 2)

启动流程比较清晰不多赘述,下一小节看 addService 的流程。

四、addService 流程分析

android mavan配置ssl_Android_03

图3:defaultServiceManager流程

android mavan配置ssl_android_04

图4:addService 客户端流程

android mavan配置ssl_apache_05

图5:addService 服务端流程

先上图,总览 native 的代码流程,客户端是 libbinder 里的 IServiceManager.cpp,服务端是我们的 ServiceManager.cpp

4.1 ServiceManagerShim::addService

frameworks/native/libs/binder/IServiceManager.cpp

status_t ServiceManagerShim::addService(const String16& name, const sp<IBinder>& service,
                                       bool allowIsolated, int dumpsysPriority)
{
   Status status = mTheRealServiceManager->addService(
       String8(name).c_str(), service, allowIsolated, dumpsysPriority);
   return status.exceptionCode();
}

直接使用的 mTheRealServiceManager,澄清疑问,mTheRealServiceManager 是谁?

4.1.1 mTheRealServiceManager 是谁?

frameworks/native/libs/binder/IServiceManager.cpp

#include <android/os/IServiceManager.h>
using AidlServiceManager = android::os::IServiceManager;
class ServiceManagerShim : public IServiceManager
{
protected:
   sp<AidlServiceManager> mTheRealServiceManager;
......
ServiceManagerShim::ServiceManagerShim(const sp<AidlServiceManager>& impl)
: mTheRealServiceManager(impl)
{}

可以看到,mTheRealServiceManager 就是一个 android::os::IServiceManager 类型的实例,并且在 ServiceManagerShim 实例化时赋值。

那么 ServiceManagerShim 何时实例化呢?答案是 defaultServiceManager() 中

frameworks/native/libs/binder/IServiceManager.cpp

sp<IServiceManager> defaultServiceManager()
{
   std::call_once(gSmOnce, []() {
       sp<AidlServiceManager> sm = nullptr;
       while (sm == nullptr) {
           //1、拿到AidlServiceManager类型的BpServiceManager(new BpBinder(0))实例
           sm = interface_cast<AidlServiceManager>(ProcessState::self()->getContextObject(nullptr));
           if (sm == nullptr) {
               ALOGE("Waiting 1s on context object on %s.", ProcessState::self()->getDriverName().c_str());
               sleep(1);
          }
      }
       //2、new ServiceManagerShim
       gDefaultServiceManager = sp<ServiceManagerShim>::make(sm);
  });

   return gDefaultServiceManager;
}

如注释1、2,mTheRealServiceManager 就是在这样流程中赋值的。他的真是面目是BpServiceManager(new BpBinder(0))。

由图1可知,我们拿到了操作 binder 驱动的入口,BpServiceManager–>BpBinder–>IPCThreadState–>ioctl

关于一部分旧知识会贴拓展链接本文不做展开。interface_cast 的实现可参考:浅谈 Android 系统进程间通信(IPC)机制Binder 中的 Server 和 Client 获得 Service Manager 接口之路

好现在返回上节,直接走入 BpServiceManager#addService 方法

4.2 BpServiceManager::addService

out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm_armv8-a_shared/gen/aidl/android/os/IServiceManager.cpp

namespace android {
namespace os {

BpServiceManager::BpServiceManager(const ::android::sp<::android::IBinder>& _aidl_impl)
  : BpInterface<IServiceManager>(_aidl_impl){//_aidl_impl就是BpBinder(0)实例
}
--------------------------------------------------
  ::android::binder::Status BpServiceManager::addService(const ::std::string& name, const ::android::sp<::android::IBinder>& service, bool allowIsolated, int32_t dumpPriority) {
::android::Parcel _aidl_data;
 _aidl_data.markForBinder(remoteStrong());//0、和rpc binder有关
::android::Parcel _aidl_reply;
::android::status_t _aidl_ret_status = ::android::OK;
::android::binder::Status _aidl_status;
 //1、写interface
 _aidl_ret_status = _aidl_data.writeInterfaceToken(getInterfaceDescriptor());
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 //2、写name
 _aidl_ret_status = _aidl_data.writeUtf8AsUtf16(name);
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 //3、写binder对象
 _aidl_ret_status = _aidl_data.writeStrongBinder(service);
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 //4、写allowIsolated
 _aidl_ret_status = _aidl_data.writeBool(allowIsolated);
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 //5、写dumpPriority
 _aidl_ret_status = _aidl_data.writeInt32(dumpPriority);
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 //6、借助BpBinder(0)-transact来发起binder通信
 _aidl_ret_status = remote()->transact(BnServiceManager::TRANSACTION_addService, _aidl_data, &_aidl_reply, 0);
 if (UNLIKELY(_aidl_ret_status == ::android::UNKNOWN_TRANSACTION && IServiceManager::getDefaultImpl())) {
    return IServiceManager::getDefaultImpl()->addService(name, service, allowIsolated, dumpPriority);
}
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 //7、如果有返回值就从这个parcel包里读
 _aidl_ret_status = _aidl_status.readFromParcel(_aidl_reply);
 if (((_aidl_ret_status) != (::android::OK))) {
   goto _aidl_error;
}
 if (!_aidl_status.isOk()) {
   return _aidl_status;
}
 _aidl_error:
 _aidl_status.setFromStatusT(_aidl_ret_status);
 return _aidl_status;
}

把 Android 10 的贴上来,我们对比看看

frameworks/native/libs/binder/IServiceManager.cpp

virtual status_t addService(const String16& name, const sp<IBinder>& service,
                               bool allowIsolated, int dumpsysPriority) {
       Parcel data, reply;
       data.writeInterfaceToken(IServiceManager::getInterfaceDescriptor());
       data.writeString16(name);
       data.writeStrongBinder(service);
       data.writeInt32(allowIsolated ? 1 : 0);
       data.writeInt32(dumpsysPriority);
       status_t err = remote()->transact(ADD_SERVICE_TRANSACTION, data, &reply);
       return err == NO_ERROR ? reply.readExceptionCode() : err;
  }

和11之前手写的 BpServiceManager 相比,本质是没变的,就是多了些花里胡哨的规范性代码。

到这里,客户端的代码就大致展示完了,transact 再往后就是旧有的流程,可参考:浅谈 Android 系统进程间通信(IPC)机制 Binder 中的 Server 和 Client 获得Service Manager 接口之路

之后走到 binder 驱动,驱动又根据 handle == 0 找到对端,我们的 servicemanager 进程,唤醒他开始处理请求。

4.3 BinderCallback::handleEvent

如图4:addService 服务端流程,现在开始服务端的流程展示

frameworks/native/cmds/servicemanager/main.cpp

class BinderCallback : public LooperCallback {
public:
......
       int handleEvent(int /* fd */, int /* events */, void* /* data */) override {
       IPCThreadState::self()->handlePolledCommands();
       return 1;  // Continue receiving callbacks.
  }
};

之后走到 BR_TRANSACTION

frameworks/native/libs/binder/IPCThreadState.cpp

status_t IPCThreadState::executeCommand(int32_t cmd)
{
switch ((uint32_t)cmd) {
case BR_TRANSACTION:
      {
      if (tr.target.ptr) {
      //因为目的端sm所以是tr.target.ptr是0
      }else {//开始业务分发
          error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
      }

the_context_object 是 SM 启动的时候设置好的

sp<BBinder> the_context_object;

void IPCThreadState::setTheContextObject(const sp<BBinder>& obj)
{
   the_context_object = obj;
}

是 ServiceManager 类实例,所以也是一个 BBinder 对象,所以就有了 transact()–>onTransact() 的处理能力。

所以现在the_context_object->transact()调用就走到 BBinder 的 transact 又走到BnServiceManager的onTransact()方法,回到了这个aidl自动生成的IServiceManager.cpp文件里

兜兜转转还是在这个文件

out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm_armv8-a_shared/gen/aidl/android/os/IServiceManager.cpp

::android::status_t BnServiceManager::onTransact(uint32_t _aidl_code, const ::android::Parcel& _aidl_data, ::android::Parcel* _aidl_reply, uint32_t _aidl_flags) {
::android::status_t _aidl_ret_status = ::android::OK;
 switch (_aidl_code) {
 case BnServiceManager::TRANSACTION_addService:
{
  ::std::string in_name;
  ::android::sp<::android::IBinder> in_service;
   bool in_allowIsolated;
   int32_t in_dumpPriority;
   //检查interface
   if (!(_aidl_data.checkInterface(this))) {
     _aidl_ret_status = ::android::BAD_TYPE;
     break;
  }
   //读name
   _aidl_ret_status = _aidl_data.readUtf8FromUtf16(&in_name);
   if (((_aidl_ret_status) != (::android::OK))) {
     break;
  }
   //读binder
   _aidl_ret_status = _aidl_data.readStrongBinder(&in_service);
   if (((_aidl_ret_status) != (::android::OK))) {
     break;
  }
   //读in_allowIsolated
   _aidl_ret_status = _aidl_data.readBool(&in_allowIsolated);
   if (((_aidl_ret_status) != (::android::OK))) {
     break;
  }
   //读in_dumpPriority
   _aidl_ret_status = _aidl_data.readInt32(&in_dumpPriority);
   if (((_aidl_ret_status) != (::android::OK))) {
     break;
  }
   //调用真正的ServiceManager.cpp中的实现
  ::android::binder::Status _aidl_status(addService(in_name, in_service, in_allowIsolated, in_dumpPriority));
   //如果有返回写返回到_aidl_reply
   _aidl_ret_status = _aidl_status.writeToParcel(_aidl_reply);
   if (((_aidl_ret_status) != (::android::OK))) {
     break;
  }
   if (!_aidl_status.isOk()) {
     break;
  }
}

和Bp端是对称的操作,下一步走到 ServiceManager.cpp::addService 方法

4.4 ServiceManager::addService

frameworks/native/cmds/servicemanager/ServiceManager.cpp

Status ServiceManager::addService(const std::string& name, const sp<IBinder>& binder, bool allowIsolated, int32_t dumpPriority) {
   auto ctx = mAccess->getCallingContext();

   // uid鉴权
   if (multiuser_get_app_id(ctx.uid) >= AID_APP) {
       return Status::fromExceptionCode(Status::EX_SECURITY);
  }
   //selinux鉴权
   if (!mAccess->canAdd(ctx, name)) {
       return Status::fromExceptionCode(Status::EX_SECURITY);
  }

   if (binder == nullptr) {
       return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
  }
   //检查name命名
   if (!isValidServiceName(name)) {
       LOG(ERROR) << "Invalid service name: " << name;
       return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
  }
   //如果vndservicemanager则检查VINTF manifest
#ifndef VENDORSERVICEMANAGER
   if (!meetsDeclarationRequirements(binder, name)) {
       // already logged
       return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
  }
#endif  // !VENDORSERVICEMANAGER
   //和rpc有关,死亡监听
   // implicitly unlinked when the binder is removed
   if (binder->remoteBinder() != nullptr &&
       binder->linkToDeath(sp<ServiceManager>::fromExisting(this)) != OK) {
       LOG(ERROR) << "Could not linkToDeath when adding " << name;
       return Status::fromExceptionCode(Status::EX_ILLEGAL_STATE);
  }
   //新增一个结构体到map中
   // Overwrite the old service if it exists
   mNameToService[name] = Service {
      .binder = binder,
      .allowIsolated = allowIsolated,
      .dumpPriority = dumpPriority,
      .debugPid = ctx.debugPid,
  };
   //架构中提到的waiteForService的跨进程
   auto it = mNameToRegistrationCallback.find(name);
   if (it != mNameToRegistrationCallback.end()) {
       for (const sp<IServiceCallback>& cb : it->second) {
           mNameToService[name].guaranteeClient = true;
           // permission checked in registerForNotifications
           cb->onRegistration(name, binder);
      }
  }

   return Status::ok();
}

五、其他值得关注的细节

前两节是全局总览、经典情景的视角看代码,现在我们换一个视角,展示一些边边角角的内容为上面的主干填充细节。

5.1 Servicemanager 的能力变化

Android 11 之前仅有 4 种接口暴露给应用

frameworks/native/libs/binder/include/binder/IServiceManager.h

enum {
      GET_SERVICE_TRANSACTION = IBinder::FIRST_CALL_TRANSACTION,
      CHECK_SERVICE_TRANSACTION,
      ADD_SERVICE_TRANSACTION,
      LIST_SERVICES_TRANSACTION,
  };

而 Android 11 增加到9个,Android 12 又增加到 13 个

out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm_armv8-a_shared/gen/aidl/android/os/BnServiceManager.h

class BnServiceManager : public ::android::BnInterface<IServiceManager> {
public:
 static constexpr uint32_t TRANSACTION_getService = ::android::IBinder::FIRST_CALL_TRANSACTION + 0;
 static constexpr uint32_t TRANSACTION_checkService = ::android::IBinder::FIRST_CALL_TRANSACTION + 1;
 static constexpr uint32_t TRANSACTION_addService = ::android::IBinder::FIRST_CALL_TRANSACTION + 2;
 static constexpr uint32_t TRANSACTION_listServices = ::android::IBinder::FIRST_CALL_TRANSACTION + 3;
 static constexpr uint32_t TRANSACTION_registerForNotifications = ::android::IBinder::FIRST_CALL_TRANSACTION + 4;
 static constexpr uint32_t TRANSACTION_unregisterForNotifications = ::android::IBinder::FIRST_CALL_TRANSACTION + 5;
 static constexpr uint32_t TRANSACTION_isDeclared = ::android::IBinder::FIRST_CALL_TRANSACTION + 6;
 static constexpr uint32_t TRANSACTION_getDeclaredInstances = ::android::IBinder::FIRST_CALL_TRANSACTION + 7;
 static constexpr uint32_t TRANSACTION_updatableViaApex = ::android::IBinder::FIRST_CALL_TRANSACTION + 8;
 static constexpr uint32_t TRANSACTION_getConnectionInfo = ::android::IBinder::FIRST_CALL_TRANSACTION + 9;
 static constexpr uint32_t TRANSACTION_registerClientCallback = ::android::IBinder::FIRST_CALL_TRANSACTION + 10;
 static constexpr uint32_t TRANSACTION_tryUnregisterService = ::android::IBinder::FIRST_CALL_TRANSACTION + 11;
 static constexpr uint32_t TRANSACTION_getServiceDebugInfo = ::android::IBinder::FIRST_CALL_TRANSACTION + 12;

从这些接口的变动我们也可以很清晰地把握住 servicemanager 的前进方向

5.2 DO_NOT_DIRECTLY_USE_ME_IMPLEMENT_META_INTERFACE

frameworks/native/libs/binder/include/binder/IInterface.h

#define IMPLEMENT_META_INTERFACE(INTERFACE, NAME)                       \
   static_assert(internal::allowedManualInterface(NAME),               \
                 "b/64223827: Manually written binder interfaces are " \
                 "considered error prone and frequently have bugs. "   \
                 "The preferred way to add interfaces is to define "   \
                 "an .aidl file to auto-generate the interface. If "   \
                 "an interface must be manually written, add its "     \
                 "name to the whitelist.");                           \
   DO_NOT_DIRECTLY_USE_ME_IMPLEMENT_META_INTERFACE(INTERFACE, NAME)   \
-----------------------------
constexpr const char* const kManualInterfaces[] = {
 "android.app.IActivityManager",
 "android.app.IUidObserver",
 "android.drm.IDrm",
 "android.dvr.IVsyncCallback",
 "android.dvr.IVsyncService",
 "android.gfx.tests.ICallback",
 "android.gfx.tests.IIPCTest",
......

以后手写的 native 服务需要关注下这个宏,做了限制。谷歌建议是现在的 native服务都用 aidl,别手写

5.3 String16、String8 与 name

aidl 改造之前,都是一路 String16 从客户端传到服务端,而现在需要绕一些路了。还是以 addService 为例

status_t ServiceManagerShim::addService(const String16& name,){
   Status status = mTheRealServiceManager->addService(
       String8(name).c_str(), );
在这里转一次,16转成8
------------------------------------------
_aidl_ret_status = _aidl_data.writeUtf8AsUtf16(name);
在BpServiceManager里又转了一次,8转16
------------------------------------------
_aidl_ret_status = _aidl_data.readUtf8FromUtf16(&in_name);
现在来到BnServiceManager继续转,16转8

转来转去快晕了。总结就是,SM 服务端都是操作的 utf8,而 libbinder 客户端都是 utf16。有修改的话需要注意下编码问题

也可能是由于这个转换问题,在服务端加了个服务名检查

bool isValidServiceName(const std::string& name) {
   if (name.size() == 0) return false;
   if (name.size() > 127) return false;

   for (char c : name) {
       if (c == '_' || c == '-' || c == '.' || c == '/') continue;
       if (c >= 'a' && c <= 'z') continue;
       if (c >= 'A' && c <= 'Z') continue;
       if (c >= '0' && c <= '9') continue;
       return false;
  }

   return true;
}

5.4 服务保存的数据结构

SM 需要保存服务及其对应的信息,Android 11 前用的链表 svc_list,成员是 svc_info 结构体;Android 11 后用的 map,成员也是结构体

frameworks/native/cmds/servicemanager/ServiceManager.h

struct Service {
       sp<IBinder> binder; // not null
       bool allowIsolated;
       int32_t dumpPriority;
       bool hasClients = false; // notifications sent on true -> false.
       bool guaranteeClient = false; // forces the client check to true
       pid_t debugPid = 0; // the process in which this service runs

       // the number of clients of the service, including servicemanager itself
       ssize_t getNodeStrongRefCount();
  };
   using ServiceMap = std::map<std::string, Service>;
   ServiceMap mNameToService;

这个 Service 结构体有了更多的信息和能力,getNodeStrongRefCount() 方法可以获取该服务有多少个客户端

5.5 listServices 返回值

Android 11 之前的实现是客户端循环 checkService,Android 11 之后是直接返回的是 std::vector

  • 客户端

frameworks/native/libs/binder/IServiceManager.cpp

Vector<String16> ServiceManagerShim::listServices(int dumpsysPriority)
{
   std::vector<std::string> ret;
   if (!mTheRealServiceManager->listServices(dumpsysPriority, &ret).isOk()) {
       return {};
  }

   Vector<String16> res;
   res.setCapacity(ret.size());
   for (const std::string& name : ret) {
       res.push(String16(name.c_str()));
  }
   return res;
}
  • 服务端

frameworks/native/cmds/servicemanager/ServiceManager.cpp

Status ServiceManager::listServices(int32_t dumpPriority, std::vector<std::string>* outList) {
   size_t toReserve = 0;
   for (auto const& [name, service] : mNameToService) {
      (void) name;

       if (service.dumpPriority & dumpPriority) ++toReserve;
  }

   outList->reserve(toReserve);
   for (auto const& [name, service] : mNameToService) {
      (void) service;

       if (service.dumpPriority & dumpPriority) {
           outList->push_back(name);
      }
  }

这里也可以看到字符编码的问题,客户端用的是 utf16,而服务端用的是 utf8

  • 顺便提一嘴 dumpsys 的画蛇添足的修改

frameworks/native/cmds/dumpsys/dumpsys.cpp

if (services.empty() || showListOnly) {
        services = listServices(priorityFlags, asProto);                                                                        
......
    if (N > 1) {
        for (size_t i=0; i<N; i++) {
            sp<IBinder> service = sm_->checkService(services[i]);

获取到服务列表后为什么再循环 check 一遍呢?我感觉是没有必要的。

5.6 waitForService 与 IServiceCallback.aidl

利用了匿名 binder 来传递回调,有兴趣可以自己看看

  • 回调注册

frameworks/native/libs/binder/IServiceManager.cpp

sp<IBinder> ServiceManagerShim::waitForService(const String16& name16)
{
 class Waiter : public android::os::BnServiceCallback {
       Status onRegistration(const std::string& /*name*/,
                             const sp<IBinder>& binder) override {
......
    sp<Waiter> waiter = sp<Waiter>::make();
    if (Status status = mTheRealServiceManager->registerForNotifications(name, waiter);
  • 回调响应

frameworks/native/cmds/servicemanager/ServiceManager.cpp

Status ServiceManager::addService(const std::string& name, const sp<IBinder>& binder, bool allowIsolated, int32_t dumpPriority) {
auto it = mNameToRegistrationCallback.find(name);
   if (it != mNameToRegistrationCallback.end()) {
       for (const sp<IServiceCallback>& cb : it->second) {
           mNameToService[name].guaranteeClient = true;
           // permission checked in registerForNotifications
           cb->onRegistration(name, binder);
      }
  }
  • aidl 及其生成的代码位置

frameworks/native/libs/binder/aidl/android/os/IServiceCallback.aidl

out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm_armv8-a_shared/gen/aidl/android/os/IServiceCallback.cpp

5.7 IClientCallback.aidl

IServiceManager.aidl 中定义的接口,都是在#include <binder/IServiceManager.h>吗?答案为否。IClientCallback 就是这样一个例子

想用 registerClientCallback 方法注册回调,需要直接使用#include <android/os/IServiceManager.h>拿到 BpServiceManager 实例,来通信

这个接口没有暴露在 libbinder 的 IServiceManager 中

这个回调用于监听某个服务有 client,和 IServiceCallback.aidl 一样是匿名 binder服务,一个例子 LazyServiceRegistrar.cpp,可自行了解。