声明
- 其实对于Android系统Binder通信的机制早就有分析的想法,记得去年6、7月份Mr.Deng离职期间约定一起对其进行研究的,但因为我个人问题没能实施这个计划,留下些许遗憾…
- 最近,刚好在做公司某项目中一个难题就是关于Binder的,于是想借此机会对其进行尽量深入的分析,以算是弥补过去的遗憾吧。而且,一年后我对于Android系统的理解,比去年确实加深了很多;
- 文中参考了很多前辈们写的书籍及博客内容,可能涉及的比较多先不具体列出来了,等有时间再添加进来;
- 本文使用的代码是LineageOS的cm-14.1,对应Android 7.1.2,可以参考我的另一篇博客:如何下载Nexus5的LineageOS14.1(cm-14.1)系统源码并编译、刷机;
0 写在前面的
????其实,Android系统的基础是Linux,它本可以使用Linux体系下的IPC机制,为什么还要再实现一个Binder机制呢?答案肯定是Linux现有的IPC机制没有一个能够满足Android系统的需求的,相对于其他IPC机制Binder:
- Binder更加灵活并节省内存;
- Binder还解决和避免了传统的进程间通信可能会增加进程开销的问题,也避免了进程过载和安全漏洞等方面的风险;
????这个表达有点苍白,不过没关系,后面会越来越体会到Binder机制的intelligence,Binder主要实现下面的功能:
- 用驱动程序来推动进程间通信;
- 通过共享内存来提高性能;
- 为进程请求分配每个进程的线程池;
- 针对系统中的对象引入了引用计数和跨进程的对象引用映射;
- 进程间同步调用;
????这几条听起来有点太学术了。要明白的是Binder这个机制根本上还是为运行在ART基础上的系统服务提供支撑的。因为APP不同进程间需要通信、而且它们需要使用框架层的各种服务框架的Java接口(框架层的系统服务框架大多数运行在同一个进程system_server的上下文环境中,并且可以在servicemanager辅助下被查询到)。
????system_server是以–start-system-server参数从Zygote中fork()出来的,而servicemanager则是Android系统的core类守护进程之一。它们两个共同提供了对整个Android框架服务架构的支持和上下文环境。
servicemanager
????可以先看一下我的Nexus 5 cm-14.1系统中的servicemanager.rc文件,它所在的源码目录为:~/LineageOS/frameworks/native/cmds/servicemanager/servicemanager.rc
service servicemanager /system/bin/servicemanagerclass coreuser systemgroup system readproccriticalonrestart restart healthdonrestart restart zygoteonrestart restart audioserveronrestart restart mediaonrestart restart surfaceflingeronrestart restart inputflingeronrestart restart drmonrestart restart cameraserverwritepid /dev/cpuset/system-background/tasks
????从这个rc文件中就可以看出来,首先它处于core类服务中,很多关键服务都依赖于它的存在,比如healthd、zygote、audioserver、media、surfaceflinger、inputflinger、drm、cameraserver这些service在servicemanager重启时全部都要跟着进行重启,就可以看出servicemanager有多重要。而且,servicemanager服务用关键字critical修饰,意思是如果这个服务反复重启5次系统就会自动进入recovery模式。
????servicemanager是作为其他操作系统服务的定位器(locator)或称索引目录(directory)而存在的。任何一个应用或系统组件想要使用其他服务时,都必须先到servicemanager查询,获得一个句柄(handle),然后才能继续执行操作。服务也没法直接告诉客户端自己在什么位置,它也必须先到servicemanager注册,然后才能被需要使用它的客户端找到。所以如果servicemanager重启了的话,所有依赖于它的服务都必须重启,所有的服务都必须要重新再注册一遍。如果servicemanager挂了的话,进程间通信也将被中断。
????用户模式的服务是通过一个字符设备节点/dev/binder(这个设备节点可以被所有的进程读取和访问)来访问binder进行进程间通信的。同一时刻,只有一个用户态进程可以使用Binder中的context manager,context manager是系统中所有其他进程(无论它是客户端进程还是服务端进程)的汇接点。服务必须把自己的服务名以及接口注册在context manager中,客户端必须通过在context manager中进行检索,才能找到它们要使用的服务。
????servicemanager也只是一个很小的elf文件,所完成的操作也很简单:它首先调用binder_open获取/dev/binder的文件描述符,然后再调用binder_become_context_manager注册ServiceManager服务,该服务的handle索引值为0。再接下来,servicemanager就会进入一个名为binder_loop的无限循环中。在这个无限循环里,servicemanager会让自己进入阻塞状态,直到/dev/binder中产生一个transaction(即某个客户端发来了请求),随后进程就会被唤醒,并调用它的svcmgr_handler回调函数处理这个transaction。
????servicemanager必须是全局可访问的。这样,各种服务才能上它这儿来注册,客户端也才能来查询服务。在使用C/C++代码时,服务和客户端同样可以调用defaultServiceManager()获得一个访问servicemanager的句柄(从技术上说,这只是它的接口,是个sp< IServiceManager >类型的对象),这个定义在IServiceManager.h中的接口,导出了几个transaction请求码。下表列出了这些请求码及实现这些请求码的可供C/C++代码调用的API。值得注意的是,在这张表中并没有用来删除服务的API,这是因为在对应的进程死掉之后,服务会被自动删除。因为Binder能够检测到这种情况,并在检查到这种情况时,向servicemanager发送一个BR_DEAD_BINDERC进程死亡通知)。
????????
????addService被认为是个非常敏感的功能,只有UID为0或1000(AID_SYSTEM)的服务才能自由地注册服务,其他的系统服务则会受到限制。受限制的服务在Android 5之后被写在了SELinux的/service_contexts文件中,这使得系统能以极为灵活的方式对服务进行控制,system_server.c这个源码文件己经被简化成对check_mac_perms()函数的一次调用,这个函数然后又会去调用selinux_check_access()函数。用这一方式,可以对所有服务的注册和查找强制进行安全检查,同时,这也使得设备的制造商可以在不需要重新编译任何源码的前提下添加它们自己的服务。
????打开源码目录:~/LineageOS/system/sepolicy/service_contexts
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
audio u:object_r:audio_service:s0
backup u:object_r:backup_service:s0
batteryproperties u:object_r:batteryproperties_service:s0
batterystats u:object_r:batterystats_service:s0
battery u:object_r:battery_service:s0
bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
contexthub_service u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
dbinfo u:object_r:dbinfo_service:s0
device_policy u:object_r:device_policy_service:s0
deviceidle u:object_r:deviceidle_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display.qservice u:object_r:surfaceflinger_service:s0
display u:object_r:display_service:s0
netd_listener u:object_r:netd_listener_service:s0
DockObserver u:object_r:DockObserver_service:s0
dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
dropbox u:object_r:dropbox_service:s0
ethernet u:object_r:ethernet_service:s0
fingerprint u:object_r:fingerprint_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
media.camera u:object_r:cameraserver_service:s0
media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:audioserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.extractor u:object_r:mediaextractor_service:s0
media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.radio u:object_r:audioserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
meminfo u:object_r:meminfo_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
network_time_update_service u:object_r:network_time_update_service:s0
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
otadexopt u:object_r:otadexopt_service:s0
package u:object_r:package_service:s0
permission u:object_r:permission_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
rttmanager u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
servicediscovery u:object_r:servicediscovery_service:s0
shortcut u:object_r:shortcut_service:s0
simphonebook_msim u:object_r:radio_service:s0
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
textservices u:object_r:textservices_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
uimode u:object_r:uimode_service:s0
updatelock u:object_r:updatelock_service:s0
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
vibrator u:object_r:vibrator_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
wifi u:object_r:wifi_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
????编程时使用的API己经打包在框架类android.os.ServiceManagerNative 中了,这个类又由android.os.ServiceManager 做了进一步的封装。Android也不鼓励App直接使用这个类,而是希望开发者调用Context.getSystemService()方法来查找系统服务,并通过intent 使用第三方服务。不过无论是使用哪种方式,与服务进行通信(不论它是个系统服务还是第三方服务)都是通过binder消息来完成的。
??????????