Merge pull request anbox#1309 from morphis/binderfs-support

many: add support for binderfs

Author: morphis

.gitignore

@@ -2,6 +2,7 @@ build*/
 parts/
 stage/
 prime/
+snap/.snapcraft
 android-images/
 *.snap
 CMakeLists.txt.user

CMakeLists.txt

@@ -92,6 +92,10 @@ if (ENABLE_MIR)
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DMIR_SUPPORT")
 endif()
 
+if (NOT BINDERFS_PATH)
+  set(BINDERFS_PATH "/dev/binderfs")
+endif()
+
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DEGL_NO_X11")
 
 if((Protobuf_VERSION VERSION_GREATER "3.7") OR (Protobuf_VERSION VERSION_EQUAL "3.7"))

scripts/container-manager.sh

@@ -85,6 +85,20 @@ start() {
 		EXTRA_ARGS="$EXTRA_ARGS --container-network-dns-servers=$container_network_dns"
 	fi
 
+	# Load all relevant kernel modules
+	modprobe binder_linux
+	modprobe ashmem_linux
+
+	# Ensure we have binderfs mounted when our kernel supports it
+	if cat /proc/filesystems | grep -q binder ; then
+		mkdir -p "$SNAP_COMMON"/binderfs
+		# Remove old mounts so that we start fresh without any devices allocated
+		if cat /proc/mounts | grep -q "binder $SNAP_COMMON/binderfs" ; then
+			umount "$SNAP_COMMON"/binderfs
+		fi
+		mount -t binder none "$SNAP_COMMON"/binderfs
+	fi
+
 	exec "$SNAP"/bin/anbox-wrapper.sh container-manager \
 		--data-path="$DATA_PATH" \
 		--android-image="$ANDROID_IMG" \

scripts/snap-wrapper.sh

@@ -47,4 +47,10 @@ if [ "$(snapctl get touch-emulation.enable)" = false ]; then
 	export ANBOX_ENABLE_TOUCH_EMULATION=false
 fi
 
-exec "$SNAP"/usr/bin/anbox "$@"
+# Use custom Anbox binary for debugging purposes if available
+ANBOX="$SNAP"/usr/bin/anbox
+if [ -e "$SNAP_COMMON"/anbox.debug ]; then
+	ANBOX="$SNAP_COMMON"/anbox.debug
+fi
+
+exec "$ANBOX" "$@"

snap/snapcraft.yaml

@@ -257,6 +257,7 @@ parts:
       # that is fixed we can avoid using a prefix here.
       - -DCMAKE_INSTALL_PREFIX:PATH=/usr
       - -DANBOX_VERSION=$SNAPCRAFT_PROJECT_VERSION
+      - -DBINDERFS_PATH=/var/snap/anbox/common/binderfs
       # FIXME: Once we have everything in place for full snap confinement we
       # can securely enable this.
       # - -DSNAP_CONFINEMENT=ON

src/CMakeLists.txt

@@ -29,6 +29,8 @@ include_directories(
   ${CMAKE_SOURCE_DIR}/external/cpu_features/include
 )
 
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DBINDERFS_PATH=\"\\\"${BINDERFS_PATH}\\\"\"")
+
 protobuf_generate_cpp(
     GENERATED_PROTOBUF_RPC_SRCS GENERATED_PROTOBUF_RPC_HDRS
     anbox/protobuf/anbox_rpc.proto)
@@ -121,6 +123,11 @@ set(SOURCES
     anbox/common/variable_length_array.h
     anbox/common/wait_handle.cpp
     anbox/common/wait_handle.h
+    anbox/common/binderfs.h
+    anbox/common/binder_device.cpp
+    anbox/common/binder_device.h
+    anbox/common/binder_device_allocator.cpp
+    anbox/common/binder_device_allocator.h
 
     anbox/container/client.cpp
     anbox/container/client.h

src/anbox/cmds/session_manager.cpp

@@ -129,7 +129,7 @@ anbox::cmds::SessionManager::SessionManager()
       return EXIT_FAILURE;
     }
 
-    if (!fs::exists("/dev/binder") || !fs::exists("/dev/ashmem")) {
+    if ((!fs::exists("/dev/binder") && !fs::exists(BINDERFS_PATH)) || !fs::exists("/dev/ashmem")) {
       ERROR("Failed to start as either binder or ashmem kernel drivers are not loaded");
       return EXIT_FAILURE;
     }
@@ -269,8 +269,6 @@ anbox::cmds::SessionManager::SessionManager()
       };
 
       container_configuration.devices = {
-        {"/dev/binder", {0666}},
-        {"/dev/ashmem", {0666}},
         {"/dev/fuse", {0666}},
       };
 

src/anbox/common/binder_device.cpp

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd.
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 3, as published
+ * by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranties of
+ * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "anbox/common/binder_device.h"
+#include "anbox/common/binderfs.h"
+#include "anbox/defer_action.h"
+#include "anbox/logger.h"
+#include "anbox/utils.h"
+
+#include <system_error>
+
+#include <cerrno>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+
+namespace anbox {
+namespace common {
+std::unique_ptr<BinderDevice> BinderDevice::create(const std::string& path) {
+  return std::unique_ptr<BinderDevice>(new BinderDevice(path));
+}
+
+BinderDevice::BinderDevice(const std::string& path) :
+    path_{path} {
+  if (::chmod(path.c_str(), 0666) < 0)
+    ERROR("Failed to change permissions of binder node %s: %s", path, std::strerror(errno));
+}
+
+BinderDevice::~BinderDevice() {
+  if (::unlink(path_.c_str()) < 0)
+    ERROR("Failed to remove binder node %s: %s", path_, std::strerror(errno));
+}
+} // namespace common
+} // namespace anbox

src/anbox/common/binder_device.h

@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd.
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 3, as published
+ * by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranties of
+ * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef ANBOX_COMMON_BINDER_DEVICE_H_
+#define ANBOX_COMMON_BINDER_DEVICE_H_
+
+#include "anbox/common/fd.h"
+
+#include <boost/filesystem/path.hpp>
+
+namespace anbox {
+namespace common {
+class BinderDevice {
+ public:
+  static std::unique_ptr<BinderDevice> create(const std::string& path);
+
+  ~BinderDevice();
+
+  boost::filesystem::path path() const { return path_; }
+
+ private:
+  BinderDevice(const std::string& path);
+
+  const std::string path_;
+};
+} // namespace common
+} // namespace anbox
+
+#endif

src/anbox/common/binder_device_allocator.cpp

@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2018 Canonical Ltd.
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 3, as published
+ * by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranties of
+ * MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR
+ * PURPOSE.  See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "anbox/common/binder_device_allocator.h"
+#include "anbox/common/binder_device.h"
+#include "anbox/common/binderfs.h"
+#include "anbox/defer_action.h"
+#include "anbox/logger.h"
+#include "anbox/utils.h"
+
+#include <boost/filesystem.hpp>
+
+#include <cerrno>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <sys/ioctl.h>
+
+#include <system_error>
+
+namespace fs = boost::filesystem;
+
+namespace {
+const constexpr char* binderfs_base_path{BINDERFS_PATH};
+const constexpr char* binderfs_control_path{BINDERFS_PATH "/binder-control"};
+const constexpr char* default_binder_device_name{"binder"};
+} // namespace
+
+namespace anbox {
+namespace common {
+bool BinderDeviceAllocator::is_supported() {
+  return fs::exists(binderfs_control_path);
+}
+
+std::unique_ptr<BinderDevice> BinderDeviceAllocator::new_device() {
+  static uint32_t next_id = 0;
+
+  const auto ctl_fd = ::open(binderfs_control_path, O_RDWR);
+  if (ctl_fd < 0) {
+    ERROR("Failed to access binder control: %s", std::strerror(errno));
+    return nullptr;
+  }
+
+  DeferAction close_ctl_fd{[&]() { ::close(ctl_fd); }};
+
+  binderfs_device dev;
+  std::memset(&dev, 0, sizeof(binderfs_device));
+
+  const auto device_name = utils::string_format("%s%d", default_binder_device_name, next_id++);
+  if (device_name.length() > BINDERFS_MAX_NAME) {
+    ERROR("Invalid binder device name: %s", device_name);
+    return nullptr;
+  }
+
+  std::memcpy(dev.name, device_name.c_str(),  device_name.length());
+
+  if (::ioctl(ctl_fd, BINDER_CTL_ADD, &dev) < 0) {
+    ERROR("Failed to allocate new binder node: %s", std::strerror(errno));
+    return nullptr;
+  }
+
+  const auto path = utils::string_format("%s/%s", binderfs_base_path,  device_name);
+  if (!fs::exists(path)) {
+    ERROR("Allocated binder device %s is missing", path);
+    return nullptr;
+  }
+
+  return BinderDevice::create(path);
+}
+} // namespace common
+} // namespace anbox