Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit dea3cf91 authored by Steven Moreland's avatar Steven Moreland
Browse files

Binder: support storing interface stability 

An internal CL adds stability annotations to interfaces. In order to
make it easier to make changes against this on AOSP, the API only is
merged here. This means, until Android Q is released, AOSP will have
stability API annotations but not enforcement. Enforcement will only
happen on internal branches. This is being done because of a mismatch
between vndservicemanager (in the vendor.img blobs) and libbinder in the
VNDK.

(remaining comments are from the internal CL and aren't reflected in
AOSP yet)

This adds runtime information for what the stability class of a binder
is in preparation for allowing binders system<->vendor. However, this
shouldn't necessarily be restricted to this case. For instance, it may
also be used to separate APEX interface stability levels. The idea is
that for code serving an interface of a given stability, only intefaces
of greater stability can be sent to it. This is slightly less
restrictive than existing binder domains. For instance, this could
potentially support having a single interface 'vintf' interface which is
shared by both system and vendor (this removing the need for infra like
ITokenManager).

The API that is exposed only allows marking a binder as a specific
stability class (see Stability.h). For instance, 'markVintf' marks an
API as being exposed system<->vendor. Although, infrastructure in
servicemanager, aidl, sepolicy, and VTS still need to support this in
order to be useful.

The actual implementation of these stability classes (bitmasks) is not
exposed and may be changed arbitrarily. Currently these bitmasks are
32-bit integers. These are sent to other processes because the type
system in AIDL cannot encode the stability requirements here without
either dropping IBinder or differentating IBinder by stability level
(which we don't want). So, where possible, AIDL will differentiate
stability level at compile time, but when IBinder is used, for
handwritten interfaces, and as a backup in case any other piece of the
infrastructure fails, the stability is also checked at runtime.

Bug: 136027762
Test: atest binderStabilityTest
Change-Id: Ia637ee3652d55550e7fce78876458f391b1dd928
Merged-In: Ia637ee3652d55550e7fce78876458f391b1dd928
parent 4fabf335
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment