从C代码出发写系统服务

来源：互联网发布：淘宝优质网店怎么搜编辑：程序博客网时间：2024/05/21 06:16

首先我们新建一个文件夹，内部放入下列文件：

Android.mkbctest.cbinder.cbinder.hservice_manager.c

然后我们复制bctest.c进行修改

需要写两个函数一个是test_server.c,一个是test_client.c

bctest.c

#include <stdio.h>#include <stdlib.h>#include <string.h>#include <errno.h>#include "binder.h"uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name){    uint32_t handle;    unsigned iodata[512/4];    struct binder_io msg, reply;    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);    bio_put_string16_x(&msg, SVC_MGR_NAME);    bio_put_string16_x(&msg, name);    if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE))        return 0;    handle = bio_get_ref(&reply);    if (handle)        binder_acquire(bs, handle);    binder_done(bs, &msg, &reply);    return handle;}int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr){    int status;    unsigned iodata[512/4];    struct binder_io msg, reply;    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);    bio_put_string16_x(&msg, SVC_MGR_NAME);    bio_put_string16_x(&msg, name);    bio_put_obj(&msg, ptr);    if (binder_call(bs, &msg, &reply, target, SVC_MGR_ADD_SERVICE))        return -1;    status = bio_get_uint32(&reply);    binder_done(bs, &msg, &reply);    return status;}unsigned token;int main(int argc, char **argv){    int fd;    struct binder_state *bs;    uint32_t svcmgr = BINDER_SERVICE_MANAGER;    uint32_t handle;    bs = binder_open(128*1024);    if (!bs) {        fprintf(stderr, "failed to open binder driver\n");        return -1;    }    argc--;    argv++;    while (argc > 0) {        if (!strcmp(argv[0],"alt")) {            handle = svcmgr_lookup(bs, svcmgr, "alt_svc_mgr");            if (!handle) {                fprintf(stderr,"cannot find alt_svc_mgr\n");                return -1;            }            svcmgr = handle;            fprintf(stderr,"svcmgr is via %x\n", handle);        } else if (!strcmp(argv[0],"lookup")) {            if (argc < 2) {                fprintf(stderr,"argument required\n");                return -1;            }            handle = svcmgr_lookup(bs, svcmgr, argv[1]);            fprintf(stderr,"lookup(%s) = %x\n", argv[1], handle);            argc--;            argv++;        } else if (!strcmp(argv[0],"publish")) {            if (argc < 2) {                fprintf(stderr,"argument required\n");                return -1;            }            svcmgr_publish(bs, svcmgr, argv[1], &token);            argc--;            argv++;        } else {            fprintf(stderr,"unknown command %s\n", argv[0]);            return -1;        }        argc--;        argv++;    }    return 0;}

看上面代码，我们需要抓住的核心是啥？

打开驱动设备
一个循环（至于循环中干什么事情，我们就要看是client还是server）

接下来我们看一看server的编写

具体步骤有哪些呢？

add service
read data
parse data
reply

#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <linux/types.h>#include<stdbool.h>#include <string.h>#include <private/android_filesystem_config.h>#include "binder.h"#include "test_server.h"int svcmgr_publish(struct binder_state *bs, uint32_t target, const char *name, void *ptr){    int status;    unsigned iodata[512/4];    struct binder_io msg, reply;    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);  // strict mode header    bio_put_string16_x(&msg, SVC_MGR_NAME);    bio_put_string16_x(&msg, name);    bio_put_obj(&msg, ptr);    if (binder_call(bs, &msg, &reply, target, SVC_MGR_ADD_SERVICE))        return -1;    status = bio_get_uint32(&reply);    binder_done(bs, &msg, &reply);    return status;}void sayhello(void){    static int cnt = 0;    fprintf(stderr, "say hello : %d\n", ++cnt);}int sayhello_to(char *name){    static int cnt = 0;    fprintf(stderr, "say hello to %s : %d\n", name, ++cnt);    return cnt;}void saygoodbye(void){    static int cnt = 0;    fprintf(stderr, "say goodbye : %d\n", ++cnt);}int saygoodbye_to(char *name){    static int cnt = 0;    fprintf(stderr, "say goodbye to %s : %d\n", name, ++cnt);    return cnt;}//根据txn->code知道要调用哪一个函数//如果需要参数, 可以从msg取出//如果要返回结果, 可以把结果放入replyint hello_service_handler(struct binder_state *bs,                   struct binder_transaction_data *txn,                   struct binder_io *msg,                   struct binder_io *reply){    uint16_t *s;    char name[512];    size_t len;    uint32_t handle;    uint32_t strict_policy;    int i;    strict_policy = bio_get_uint32(msg);    switch(txn->code) {    case HELLO_SVR_CMD_SAYHELLO:        sayhello();        bio_put_uint32(reply, 0);        return 0;    case HELLO_SVR_CMD_SAYHELLO_TO:        /* 从msg里取出字符串 */        s = bio_get_string16(msg, &len);  //"IHelloService"        s = bio_get_string16(msg, &len);  // name        if (s == NULL) {            return -1;        }        for (i = 0; i < len; i++)            name[i] = s[i];        name[i] = '\0';        //处理        i = sayhello_to(name);        /* 把结果放入reply */        bio_put_uint32(reply, 0);         bio_put_uint32(reply, i);        break;    default:        fprintf(stderr, "unknown code %d\n", txn->code);        return -1;    }    return 0;}//根据txn->code知道要调用哪一个函数//如果需要参数, 可以从msg取出//如果要返回结果, 可以把结果放入replyint goodbye_service_handler(struct binder_state *bs,                   struct binder_transaction_data *txn,                   struct binder_io *msg,                   struct binder_io *reply){    uint16_t *s;    char name[512];    size_t len;    uint32_t handle;    uint32_t strict_policy;    int i;    strict_policy = bio_get_uint32(msg);    switch(txn->code) {    case GOODBYE_SVR_CMD_SAYGOODBYE:        saygoodbye();        bio_put_uint32(reply, 0); /* no exception */        return 0;    case GOODBYE_SVR_CMD_SAYGOODBYE_TO:        //从msg里取出字符串        s = bio_get_string16(msg, &len);  //"IGoodbyeService"        s = bio_get_string16(msg, &len);  // name        if (s == NULL) {            return -1;        }        for (i = 0; i < len; i++)            name[i] = s[i];        name[i] = '\0';        //处理        i = saygoodbye_to(name);        //把结果放入reply        bio_put_uint32(reply, 0);        bio_put_uint32(reply, i);        break;    default:        fprintf(stderr, "unknown code %d\n", txn->code);        return -1;    }    return 0;}int test_server_handler(struct binder_state *bs,                   struct binder_transaction_data *txn,                   struct binder_io *msg,                   struct binder_io *reply){    int (*handler)(struct binder_state *bs,                   struct binder_transaction_data *txn,                   struct binder_io *msg,                   struct binder_io *reply);    handler = (int (*)(struct binder_state *bs,                   struct binder_transaction_data *txn,                   struct binder_io *msg,                   struct binder_io *reply))txn->target.ptr;    return handler(bs, txn, msg, reply);}int main(int argc, char **argv){    int fd;    struct binder_state *bs;    uint32_t svcmgr = BINDER_SERVICE_MANAGER;//这个为0，代表就是servicemanager    uint32_t handle;    int ret;    bs = binder_open(128*1024);    if (!bs) {        fprintf(stderr, "failed to open binder driver\n");        return -1;    }    //add service    //参数意思为让给svcmgr（servicemanager）发送信息，服务的名称为hello，处理的函数为hello_service_handler    //对于不同的服务，有不同的处理方式根据code区分，这里服务是个大概念，code区分的是一个小概念    ret = svcmgr_publish(bs, svcmgr, "hello", hello_service_handler);    if (ret) {        fprintf(stderr, "failed to publish hello service\n");        return -1;    }    ret = svcmgr_publish(bs, svcmgr, "goodbye", goodbye_service_handler);    if (ret) {        fprintf(stderr, "failed to publish goodbye service\n");    }    binder_set_maxthreads(bs, 10);    binder_loop(bs, test_server_handler);//这个是复制service_manager.c的    return 0;}

小结上面代码：

调用svcmgr_publish其中会调用

binder_call(bs, &msg, &reply, target, SVC_MGR_ADD_SERVICE))

来添加系统服务，其中target是给那个目标服务(给那个服务发送指令)，msg为需要传送的数据，
reply是回复的数据用于读取和解析。

所以我们要在svcmgr_publish()方法调用的时候指定数据，需要通过msg传输的数据有：

1.服务的名称2.服务处理函数

然后我们要调用binder_loop进行消息的处理，我们来分析这个binder_loop函数

Binder.c

void binder_loop(struct binder_state *bs, binder_handler func){    int res;    struct binder_write_read bwr;    uint32_t readbuf[32];    bwr.write_size = 0;    bwr.write_consumed = 0;    bwr.write_buffer = 0;    readbuf[0] = BC_ENTER_LOOPER;    binder_write(bs, readbuf, sizeof(uint32_t));    for (;;) {        bwr.read_size = sizeof(readbuf);        bwr.read_consumed = 0;        bwr.read_buffer = (uintptr_t) readbuf;        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);        if (res < 0) {            ALOGE("binder_loop: ioctl failed (%s)\n", strerror(errno));            break;        }        res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);        if (res == 0) {            ALOGE("binder_loop: unexpected reply?!\n");            break;        }        if (res < 0) {            ALOGE("binder_loop: io error %d %s\n", res, strerror(errno));            break;        }    }}

通过

bwr.write_size = 0;bwr.write_consumed = 0;bwr.write_buffer = 0;

可以看出来，我们不会发出写操作，我们会有读操作，和解析读到的数据。不多说看代码：

 for (;;) {        bwr.read_size = sizeof(readbuf);        bwr.read_consumed = 0;        bwr.read_buffer = (uintptr_t) readbuf;        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);        res = binder_parse(bs, 0, (uintptr_t) readbuf, bwr.read_consumed, func);        ...}

代码中通过ioctl读到的数据，放入readbuf中，然后通过binder_parse()解析，这个函数中的func是传递进来的处理函数，然后我们大概看一看如何解析

//传递的参数是：bs,readbuf,0,size,funcint binder_parse(struct binder_state *bs, struct binder_io *bio,                 uintptr_t ptr, size_t size, binder_handler func){    int r = 1;    uintptr_t end = ptr + (uintptr_t) size;    while (ptr < end) {        uint32_t cmd = *(uint32_t *) ptr;        ptr += sizeof(uint32_t);        switch(cmd) {        ...        case BR_TRANSACTION: {            struct binder_transaction_data *txn = (struct binder_transaction_data *) ptr;            binder_dump_txn(txn);            if (func) {                unsigned rdata[256/4];                struct binder_io msg;                struct binder_io reply;                int res;                bio_init(&reply, rdata, sizeof(rdata), 4);                bio_init_from_txn(&msg, txn);                res = func(bs, txn, &msg, &reply);//调用处理函数                binder_send_reply(bs, &reply, txn->data.ptr.buffer, res);            }            ptr += sizeof(*txn);            break;        }        ...        default:            ALOGE("parse: OOPS %d\n", cmd);            return -1;        }    }    return r;}

上面接收到的cmd是BR_TRANSACTION，然后通过调用func函数将解析出来的数据构造出一个binder_io结构体返回给回调函数

然后我们继续看上面的处理函数：

//根据txn->code知道要调用哪一个函数//如果需要参数, 可以从msg取出//如果要返回结果, 可以把结果放入replyint hello_service_handler(struct binder_state *bs,                   struct binder_transaction_data *txn,                   struct binder_io *msg,                   struct binder_io *reply){    uint16_t *s;    char name[512];    size_t len;    uint32_t handle;    uint32_t strict_policy;    int i;    strict_policy = bio_get_uint32(msg);    switch(txn->code) {    case HELLO_SVR_CMD_SAYHELLO:        sayhello();        bio_put_uint32(reply, 0);        return 0;    case HELLO_SVR_CMD_SAYHELLO_TO:        /* 从msg里取出字符串 */        s = bio_get_string16(msg, &len);  //"IHelloService"        s = bio_get_string16(msg, &len);  // name        if (s == NULL) {            return -1;        }        for (i = 0; i < len; i++)            name[i] = s[i];        name[i] = '\0';        //处理        i = sayhello_to(name);        /* 把结果放入reply */        bio_put_uint32(reply, 0);         bio_put_uint32(reply, i);        break;    default:        fprintf(stderr, "unknown code %d\n", txn->code);        return -1;    }    return 0;}

基本逻辑是：

通过传递回来的txn->code知道调用那个函数
通过msg来获取传递的数据
如果需要返回数据，那数据写入reply中。（由于binder_parse函数中binder_send_reply()可以返回数据）

然后我们继续写client的代码

/* Copyright 2008 The Android Open Source Project */#include <stdio.h>#include <stdlib.h>#include <errno.h>#include <linux/types.h>#include<stdbool.h>#include <string.h>#include <private/android_filesystem_config.h>#include "binder.h"#include "test_server.h"uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name){    uint32_t handle;    unsigned iodata[512/4];    struct binder_io msg, reply;    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);  // strict mode header    bio_put_string16_x(&msg, SVC_MGR_NAME);    bio_put_string16_x(&msg, name);    if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE))        return 0;    handle = bio_get_ref(&reply);    if (handle)        binder_acquire(bs, handle);    binder_done(bs, &msg, &reply);    return handle;}struct binder_state *g_bs;uint32_t g_hello_handle;uint32_t g_goodbye_handle;void sayhello(void){    unsigned iodata[512/4];    struct binder_io msg, reply;    /* 构造binder_io */    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);  // strict mode header    bio_put_string16_x(&msg, "IHelloService");    /* 放入参数 */    /* 调用binder_call */    if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO))        return ;    /* 从reply中解析出返回值 */    binder_done(g_bs, &msg, &reply);}int sayhello_to(char *name){    unsigned iodata[512/4];    struct binder_io msg, reply;    int ret;    int exception;    /* 构造binder_io */    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);  // strict mode header    bio_put_string16_x(&msg, "IHelloService");    /* 放入参数 */    bio_put_string16_x(&msg, name);    /* 调用binder_call */    if (binder_call(g_bs, &msg, &reply, g_hello_handle, HELLO_SVR_CMD_SAYHELLO_TO))        return 0;    /* 从reply中解析出返回值 */    exception = bio_get_uint32(&reply);    if (exception)        ret = -1;    else        ret = bio_get_uint32(&reply);    binder_done(g_bs, &msg, &reply);    return ret;}void saygoodbye(void){    unsigned iodata[512/4];    struct binder_io msg, reply;    /* 构造binder_io */    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);  // strict mode header    bio_put_string16_x(&msg, "IGoodbyeService");    /* 放入参数 */    /* 调用binder_call */    if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE))        return ;    /* 从reply中解析出返回值 */    binder_done(g_bs, &msg, &reply);}int saygoodbye_to(char *name){    unsigned iodata[512/4];    struct binder_io msg, reply;    int ret;    int exception;    /* 构造binder_io */    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);  // strict mode header    bio_put_string16_x(&msg, "IGoodbyeService");    /* 放入参数 */    bio_put_string16_x(&msg, name);    /* 调用binder_call */    if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE_TO))        return 0;    /* 从reply中解析出返回值 */    exception = bio_get_uint32(&reply);    if (exception)        ret = -1;    else        ret = bio_get_uint32(&reply);    binder_done(g_bs, &msg, &reply);    return ret;}/* ./test_client hello * ./test_client hello <name> */int main(int argc, char **argv){    int fd;    struct binder_state *bs;    uint32_t svcmgr = BINDER_SERVICE_MANAGER;    uint32_t handle;    int ret;    if (argc < 2){        fprintf(stderr, "Usage:\n");        fprintf(stderr, "%s <hello|goodbye>\n", argv[0]);        fprintf(stderr, "%s <hello|goodbye> <name>\n", argv[0]);        return -1;    }    bs = binder_open(128*1024);    if (!bs) {        fprintf(stderr, "failed to open binder driver\n");        return -1;    }    g_bs = bs;    /* get service */    handle = svcmgr_lookup(bs, svcmgr, "goodbye");    if (!handle) {        fprintf(stderr, "failed to get goodbye service\n");        return -1;    }    g_goodbye_handle = handle;    fprintf(stderr, "Handle for goodbye service = %d\n", g_goodbye_handle);    handle = svcmgr_lookup(bs, svcmgr, "hello");    if (!handle) {        fprintf(stderr, "failed to get hello service\n");        return -1;    }    g_hello_handle = handle;    fprintf(stderr, "Handle for hello service = %d\n", g_hello_handle);    /* send data to server */    if (!strcmp(argv[1], "hello"))    {        if (argc == 2) {            sayhello();        } else if (argc == 3) {            ret = sayhello_to(argv[2]);            fprintf(stderr, "get ret of sayhello_to = %d\n", ret);              }    } else if (!strcmp(argv[1], "goodbye"))    {        if (argc == 2) {            saygoodbye();        } else if (argc == 3) {            ret = saygoodbye_to(argv[2]);            fprintf(stderr, "get ret of sayhello_to = %d\n", ret);              }    }    binder_release(bs, handle);    return 0;}

然后我们分解上面代码

handle = svcmgr_lookup(bs, svcmgr, "goodbye");查找注册的服务，给servicemanager发送

然后我们继续查看svcmgr_lookup

//给svcmgr发送调用名称为goodbye的服务uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name){    uint32_t handle;    unsigned iodata[512/4];    struct binder_io msg, reply;    bio_init(&msg, iodata, sizeof(iodata), 4);    bio_put_uint32(&msg, 0);    bio_put_string16_x(&msg, SVC_MGR_NAME);    bio_put_string16_x(&msg, name);    if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE))        return 0;    handle = bio_get_ref(&reply);    if (handle)        binder_acquire(bs, handle);    binder_done(bs, &msg, &reply);    return handle;}

通过上面的数据封装，binder_io中存储的是name
然后继续调用binder_call()函数

只不过binder_call这次指令是SVC_MGR_CHECK_SERVICE

Binder.c

int binder_call(struct binder_state *bs,                struct binder_io *msg, struct binder_io *reply,                uint32_t target, uint32_t code){    int res;    struct binder_write_read bwr;    struct {        uint32_t cmd;        struct binder_transaction_data txn;    } __attribute__((packed)) writebuf;    unsigned readbuf[32];    if (msg->flags & BIO_F_OVERFLOW) {        fprintf(stderr,"binder: txn buffer overflow\n");        goto fail;    }    writebuf.cmd = BC_TRANSACTION;    writebuf.txn.target.handle = target;//service_manager    writebuf.txn.code = code;// SVC_MGR_CHECK_SERVICE    writebuf.txn.flags = 0;    writebuf.txn.data_size = msg->data - msg->data0;    writebuf.txn.offsets_size = ((char*) msg->offs) - ((char*) msg->offs0);    writebuf.txn.data.ptr.buffer = (uintptr_t)msg->data0;    writebuf.txn.data.ptr.offsets = (uintptr_t)msg->offs0;    bwr.write_size = sizeof(writebuf);    bwr.write_consumed = 0;    bwr.write_buffer = (uintptr_t) &writebuf;    hexdump(msg->data0, msg->data - msg->data0);    for (;;) {        bwr.read_size = sizeof(readbuf);        bwr.read_consumed = 0;        bwr.read_buffer = (uintptr_t) readbuf;        res = ioctl(bs->fd, BINDER_WRITE_READ, &bwr);        if (res < 0) {            fprintf(stderr,"binder: ioctl failed (%s)\n", strerror(errno));            goto fail;        }        res = binder_parse(bs, reply, (uintptr_t) readbuf, bwr.read_consumed, 0);        if (res == 0) return 0;        if (res < 0) goto fail;    }fail:    memset(reply, 0, sizeof(*reply));    reply->flags |= BIO_F_IOERROR;    return -1;}

再往下调用就是我们之前分析过的，给servicemanager发送数据，然后又调用binder_parse函数然后调用对应的SVC_MGR_CHECK_SERVICE进行查询服务，然后调用do_find_service(bs, s, len, txn->sender_euid, txn->sender_pid);

通过上面代码我们总结出，就是通过binder_call指定服务指定方法。

加入系统中：

include $(CLEAR_VARS)LOCAL_CFLAGS += -DBINDER_IPC_32BIT=1LOCAL_SRC_FILES:= test_client.c binder.cLOCAL_C_INCLUDES += system/core/include/cutilsLOCAL_MODULE:= test_clientinclude $(BUILD_EXECUTABLE)

1 0