本文是基于《Android系统源代码情景分析》第二章 硬件抽象层
代码是在MTK N版本上编译通过的,如果是原生代码,相关路径会有所变化。
老罗的代码是Android 2.3的,驱动代码在最新的N版本上已经编译不过了,所以重新修改了下,同时添加selinux权限,并实现了一个fregd守护进程。
原始的代码是FregService是通过JNI->HAL->驱动来读写/dev/freg的,新加了fregd守护进程,这样FregService就可以通过binder->HAL->驱动来读写/dev/freg了。
fregd是仿造system/core/fingerprintd写的。
源码下载
以下是新添加的selinux权限,具体语法可查看老罗相关的文章
device/mediatek/common/sepolicy/basic/device.te
type freg_device, dev_type;device/mediatek/common/sepolicy/basic/file_contexts
/dev/freg(/.*)? u:object_r:freg_device:s0
/system/bin/fregd u:object_r:fregd_exec:s0device/mediatek/common/sepolicy/basic/service.te
type freg_service, service_manager_type;
type fregd_service, service_manager_type;device/mediatek/common/sepolicy/basic/service_contexts
freg u:object_r:freg_service:s0
android.os.IFregDaemon u:object_r:fregd_service:s0device/mediatek/common/sepolicy/basic/freg.te
#java服务FregService需要添加的权限
#for FregService
allow system_server freg_device:chr_file {read write};
allow system_server freg_device:chr_file {open};
allow system_server freg_service:service_manager {add};
allow untrusted_app freg_service:service_manager {find};
allow system_app freg_service:service_manager {find};
#domain 切换
#init_daemon_domain(mediaserver)
#这个是一个TE操作宏, 简单来说就是当init fork子进程执行fregd_exec 这个类型的执行档时, 其domain从init切换到fregd.
#守护进程fregd需要添加的权限
#for fregd
type fregd, domain;
type fregd_exec, exec_type, file_type;
init_daemon_domain(fregd)
#system/bin/fregd u:object_r:fregd_exec:s0
allow fregd freg_device:chr_file {open read write};
allow fregd fregd_service:service_manager {add};
allow fregd servicemanager:binder {call transfer};
allow system_server fregd_service:service_manager {find};
allow system_server fregd:binder {call};
allow servicemanager fregd:dir {search};
allow servicemanager fregd:process {getattr};
allow servicemanager fregd:file {read open};创建一个fregd可执行文件,在init.rc里启动,会添加一个名为android.os.IFregDaemon的系统服务。
IFregDaemon.h
#ifndef IFREG_DAEMON_H_1
#define IFREG_DAEMON_H_1
#include <binder/IInterface.h>
#include <binder/Parcel.h>
namespace android {
/*
* Abstract base class for native implementation of FregService.
*
* Note: This must be kept manually in sync with IFregDaemon.aidl
*/
class IFregDaemon : public IInterface, public IBinder::DeathRecipient {
public:
enum {
SET_VAL = IBinder::FIRST_CALL_TRANSACTION + 0,
GET_VAL = IBinder::FIRST_CALL_TRANSACTION + 1,
OPEN_HAL = IBinder::FIRST_CALL_TRANSACTION + 2,
CLOSE_HAL = IBinder::FIRST_CALL_TRANSACTION + 3,
INIT = IBinder::FIRST_CALL_TRANSACTION + 4,
};
IFregDaemon() { }
virtual ~IFregDaemon() { }
virtual const android::String16& getInterfaceDescriptor() const;
// Binder interface methods
virtual void init() = 0;
virtual int32_t getVal() = 0;
virtual int32_t setVal(int32_t val) = 0;
virtual int64_t openHal() = 0;
virtual int32_t closeHal() = 0;
// DECLARE_META_INTERFACE - C++ client interface not needed
static const android::String16 descriptor;
};
class BnFregDaemon: public BnInterface<IFregDaemon> {
public:
virtual status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply,
uint32_t flags = 0);
};
} // namespace android
#endif // IFREG_DAEMON_H_IFregDaemon.cpp
#include <inttypes.h>
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
#include <binder/PermissionCache.h>
#include <utils/String16.h>
#include <utils/Looper.h>
#include <hardware/hardware.h>
#include <hardware/freg.h>
#include "IFregDaemon.h"
namespace android {
const android::String16
IFregDaemon::descriptor("android.os.IFregDaemon");
const android::String16&
IFregDaemon::getInterfaceDescriptor() const {
return IFregDaemon::descriptor;
}
status_t BnFregDaemon::onTransact(uint32_t code, const Parcel& data, Parcel* reply,
uint32_t flags) {
switch(code) {
case SET_VAL: {
CHECK_INTERFACE(IFregDaemon, data, reply);
const int32_t val = data.readInt32();
const int32_t ret = setVal(val);
reply->writeNoException();
reply->writeInt32(ret);
return NO_ERROR;
};
case GET_VAL: {
CHECK_INTERFACE(IFregDaemon, data, reply);
const int32_t ret = getVal();
reply->writeNoException();
reply->writeInt32(ret);
return NO_ERROR;
}
case OPEN_HAL: {
CHECK_INTERFACE(IFregDaemon, data, reply);
const int64_t ret = openHal();
reply->writeNoException();
reply->writeInt64(ret);
return NO_ERROR;
}
case CLOSE_HAL: {
CHECK_INTERFACE(IFregDaemon, data, reply);
const int32_t ret = closeHal();
reply->writeNoException();
reply->writeInt32(ret);
return NO_ERROR;
}
case INIT: {
CHECK_INTERFACE(IFregDaemon, data, reply);
init();
reply->writeNoException();
return NO_ERROR;
}
default:
return BBinder::onTransact(code, data, reply, flags);
}
};
}; // namespace androidFregDaemonProxy.h
#ifndef FREG_DAEMON_PROXY_H_
#define FREG_DAEMON_PROXY_H_
#include "IFregDaemon.h"
namespace android {
class FregDaemonProxy : public BnFregDaemon {
public:
static FregDaemonProxy* getInstance() {
if (sInstance == NULL) {
sInstance = new FregDaemonProxy();
}
return sInstance;
}
// These reflect binder methods.
virtual void init();
virtual int32_t getVal();
virtual int32_t setVal(int32_t val);
virtual int64_t openHal();
virtual int32_t closeHal();
private:
FregDaemonProxy();
virtual ~FregDaemonProxy();
static FregDaemonProxy* sInstance;
freg_module_t const* mModule;
freg_device_t* mDevice;
void binderDied(const wp<IBinder>& who);
};
} // namespace android
#endif // FREG_DAEMON_PROXY_H_FregDaemonProxy.cpp
#define LOG_TAG "fregd"
#include <binder/IServiceManager.h>
#include <hardware/hardware.h>
#include <hardware/freg.h>
#include <utils/Log.h>
#include "FregDaemonProxy.h"
namespace android {
FregDaemonProxy* FregDaemonProxy::sInstance = NULL;
FregDaemonProxy::FregDaemonProxy() : mModule(NULL), mDevice(NULL) {}
FregDaemonProxy::~FregDaemonProxy() {
closeHal();
}
void FregDaemonProxy::init() {}
int32_t FregDaemonProxy::getVal() {
if(!mDevice) {
ALOGE("Device freg is not open.");
return 0;
}
int val = 0;
mDevice->get_val(mDevice, &val);
ALOGI("Get value %d from device freg.", val);
return val;
}
int32_t FregDaemonProxy::setVal(int32_t value){
if(!mDevice) {
ALOGE("Device freg is not open.");
return -1;
}
int val = value;
ALOGI("Set value %d to device freg.", val);
mDevice->set_val(mDevice, val);
return 0;
}
int64_t FregDaemonProxy::openHal() {
const hw_module_t *hw_module = NULL;
ALOGI("Initializing HAL stub freg......");
/*加载硬件抽象层模块freg*/
if(hw_get_module(FREG_HARDWARE_MODULE_ID, &hw_module) == 0) {
ALOGI("Device freg found.");
mModule = reinterpret_cast<const freg_module_t*>(hw_module);
/*打开虚拟硬件设备freg*/
hw_device_t *device = NULL;
if (mModule->common.methods->open(hw_module, FREG_HARDWARE_DEVICE_ID, &device) == 0) {
ALOGI("Device freg is open.");
mDevice = reinterpret_cast<freg_device_t*>(device);
return reinterpret_cast<int64_t>(mDevice);
}
ALOGE("Failed to open device freg.");
return 0;
}
ALOGE("Failed to get HAL stub freg.");
return 0;
}
int32_t FregDaemonProxy::closeHal() {
ALOG(LOG_VERBOSE, LOG_TAG, "nativeCloseHal()\n");
mDevice = NULL;
return 0;
}
void FregDaemonProxy::binderDied(const wp<IBinder>& who) {
ALOGD("binder died");
int err;
if (0 != (err = closeHal())) {
ALOGE("Can't close fingerprint device, error: %d", err);
}
if (who != NULL) {}
}
}fregd.cpp
#define LOG_TAG "fregd"
#include <cutils/log.h>
#include <utils/Log.h>
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
#include <binder/PermissionCache.h>
#include <utils/String16.h>
#include <hardware/hardware.h>
#include <hardware/freg.h>
#include "FregDaemonProxy.h"
int main() {
ALOGI("Starting " LOG_TAG);
android::sp<android::IServiceManager> serviceManager = android::defaultServiceManager();
android::sp<android::FregDaemonProxy> proxy =
android::FregDaemonProxy::getInstance();
android::status_t ret = serviceManager->addService(
android::FregDaemonProxy::descriptor, proxy);
if (ret != android::OK) {
ALOGE("Couldn't register " LOG_TAG " binder service!");
return -1;
}
/*
* We're the only thread in existence, so we're just going to process
* Binder transaction as a single-threaded program.
*/
android::IPCThreadState::self()->joinThreadPool();
ALOGI("Done");
return 0;
}
Android.mk
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_CFLAGS := -Wall -Wextra -Werror -Wunused
LOCAL_SRC_FILES := \
FregDaemonProxy.cpp \
IFregDaemon.cpp \
fregd.cpp
LOCAL_MODULE := fregd
LOCAL_SHARED_LIBRARIES := \
libbinder \
liblog \
libhardware \
libutils
include $(BUILD_EXECUTABLE)添加到init.rc里,debug.fregd属性用于debug时手动开启和停止服务
device/mediatek/mt6735/init.mt6735.rc
service fregd /system/bin/fregd
class main
user system
group system
on property:debug.fregd=0
stop fregd
on property:debug.fregd=1
start fregd添加对应的framework接口,顺序必须与IFregDaemon.h里的枚举一致。
core/java/android/os/IFregDaemon.aidl
package android.os;
/**
* Communication channel from FregService to FregDaemon (fregd)
* @hide
*/
interface IFregDaemon {
int setVal(int val);
int getVal();
long openHal();
int closeHal();
void init();
}
在FregService添加对应的方法
frameworks/base/services/java/com/android/server/FregService
private IFregDaemon mDaemon;
private static final String FREGD = "android.os.IFregDaemon";
private IFregDaemon getFregDaemon() {
if (mDaemon == null) {
mDaemon = IFregDaemon.Stub.asInterface(ServiceManager.getService(FREGD));
if (mDaemon != null) {
try {
mHalDeviceId = mDaemon.openHal();
if (mHalDeviceId == 0) {
Slog.w(TAG, "Failed to open Freg HAL!");
mDaemon = null;
}
} catch (RemoteException e) {
Slog.e(TAG, "Failed to open fingeprintd HAL", e);
mDaemon = null; // try again later!
}
} else {
Slog.w(TAG, "Freg service not available");
}
}
return mDaemon;
}
public int getVal_fregd() {
IFregDaemon daemon = getFregDaemon();
if (daemon == null) {
Slog.w(TAG, "getVal_fregd: no fregd!");
return 0;
}
try {
return daemon.getVal();
} catch (RemoteException e) {
Slog.e(TAG, "getVal_fregd failed", e);
}
return 0;
}
public int setVal_fregd(int val){
IFregDaemon daemon = getFregDaemon();
if (daemon == null) {
Slog.w(TAG, "setVal_fregd: no fregd!");
return 0;
}
try {
return daemon.setVal(val);
} catch (RemoteException e) {
Slog.e(TAG, "setVal_fregd failed", e);
}
return 0;
}添加到编译系统里去
frameworks/base/Android.mk
LOCAL_SRC_FILES += \
core/java/android/os/IFregService.aidl \
core/java/android/os/IFregDaemon.aidl \这样FregSevice就可以通过fregd去读写驱动了。
推荐文章
Binder系列8—如何使用Binder
2768
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
