在分析ServiceManager实例化注册流程前,先放张ServiceManager在Binder体系中的UML图。
一、ServiceManager启动流程
查看system/core/rootdir/init.rc脚本可知,init进程在 on init阶段启动 servicemanager进程。
# system/core/rootdir/init.rc
on init
# Start essential services.
start servicemanager
start hwservicemanager
start vndservicemanager
servicemanager服务在framework/native/cmds/servicemanager/模块中定义:
# framework/native/cmds/servicemanager/servicemanager.rc
service servicemanager /system/bin/servicemanager
class core animation
user system
group system readproc
critical
onrestart restart apexd
onrestart restart audioserver
onrestart restart gatekeeperd
onrestart class_restart --only-enabled main
onrestart class_restart --only-enabled hal
onrestart class_restart --only-enabled early_hal
task_profiles ServiceCapacityLow
shutdown critical
模块中main.cpp的main方法执行主要启动逻辑。
//framework/native/cmds/servicemanager/main.cpp
int main(int argc, char** argv) {
#ifdef __ANDROID_RECOVERY__
android::base::InitLogging(argv, android::base::KernelLogger);
#endif
if (argc > 2) {
LOG(FATAL) << "usage: " << argv[0] << " [binder driver]";
}
const char* driver = argc == 2 ? argv[1] : "/dev/binder";
//1. 初始化 ProcessState对象,打开/dev/binder节点,mmap()共享内存
sp<ProcessState> ps = ProcessState::initWithDriver(driver);
ps->setThreadPoolMaxThreadCount(0);
ps->setCallRestriction(ProcessState::CallRestriction::FATAL_IF_NOT_ONEWAY);
//2. 实例化 ServiceManager对象,new ServiceManager(std::make_unique<Access>())
sp<ServiceManager> manager = sp<ServiceManager>::make(std::make_unique<Access>());
//3. 注册serviceManager
if (!manager->addService("manager", manager, false /*allowIsolated*/, IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT).isOk()) {
LOG(ERROR) << "Could not self register servicemanager";
}
//4. 初始化 IPCThreadState对象,mIn,mOut。
IPCThreadState::self()->setTheContextObject(manager);
//5. becomeContextManager,BpBinder->handler=0
ps->becomeContextManager();
//6. 启动循环,监听消息
sp<Looper> looper = Looper::prepare(false /*allowNonCallbacks*/);
BinderCallback::setupTo(looper);
ClientCallbackCallback::setupTo(looper, manager);
while(true) {
looper->pollAll(-1);
}
// should not be reached
return EXIT_FAILURE;
}
1.1、初始化 ProcessState对象
ProcessState使用了单例设计模式,一个进程中只会有一个ProcessState实例。
initWithDriver参数中传入了binder节点路径"/dev/binder",最终调用到ProcessState的构造方法:
//ProcessState.cpp
ProcessState::ProcessState(const char* driver)
: mDriverName(String8(driver)),
mDriverFD(-1),
mVMStart(MAP_FAILED),
mThreadCountLock(PTHREAD_MUTEX_INITIALIZER),
mThreadCountDecrement(PTHREAD_COND_INITIALIZER),
mExecutingThreadsCount(0),
mWaitingForThreads(0),
mMaxThreads(DEFAULT_MAX_BINDER_THREADS),
mCurrentThreads(0),
mKernelStartedThreads(0),
mStarvationStartTimeMs(0),
mForked(false),
mThreadPoolStarted(false),
mThreadPoolSeq(1),
mCallRestriction(CallRestriction::NONE) {
base::Result<int> opened = open_driver(driver);
if (opened.ok()) {
// mmap the binder, providing a chunk of virtual address space to receive transactions.
mVMStart = mmap(nullptr, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE,
opened.value(), 0);
if (mVMStart == MAP_FAILED) {
close(opened.value());
// *sigh*
opened = base::Error()
<< "Using " << driver << " failed: unable to mmap transaction memory.";
mDriverName.clear();
}
}
#ifdef __ANDROID__
LOG_ALWAYS_FATAL_IF(!opened.ok(), "Binder driver '%s' could not be opened. Terminating: %s",
driver, opened.error().message().c_str());
#endif
if (opened.ok()) {
mDriverFD = opened.value();
}
}
Open_driver(driver)方法“int fd = open(driver, O_RDWR | O_CLOEXEC)”打开 /dev/binder 节点,binder节点在kernel仓库的binder.c文件中创建,其中定义了一系列文件操作,open,mmap等:
// binder.c
static const struct file_operations binder_fops = {
.owner = THIS_MODULE,
.poll = binder_poll,
.unlocked_ioctl = binder_ioctl,
.compat_ioctl = binder_ioctl,
.mmap = binder_mmap,
.open = binder_open,
.flush = binder_flush,
.release = binder_release,
};
binder节点打开成功后,open()方法返回int类型的文件描述符作为参数,mmap将其内存映射到进程的地址空间,mmap实现了跨进程的内存访问,对比传统IO其只有一次数据拷贝,读写效率更高。
最后将打开的binder节点文件描述符赋值给变量 mDriverFD。
1.2、实例化 ServiceManager对象
ServiceManager处于binder通信的服务端,继承BnServiceManager,BnServiceManager又继承自BnInterface,BnInterface继承BBinder。
class ServiceManager : public os::BnServiceManager, public IBinder::DeathRecipient {
}
值得一提的是,源码中并没有定义BnServiceManager类的文件,如BnServiceManager.cpp,BnServiceManager.h,而是由libbinder模块中的IServiceManager.aidl生成。
// frameworks/native/libs/binder/aidl/android/os/IServiceManager.aidl
package android.os;
import android.os.IClientCallback;
import android.os.IServiceCallback;
/**
* Basic interface for finding and publishing system services.
*
* You likely want to use android.os.ServiceManager in Java or
* android::IServiceManager in C++ in order to use this interface.
*
* @hide
*/
interface IServiceManager {
//...
}
可以使用SDK中的aidl工具生成对应的cpp文件:
Android/Sdk/build-tools/30.0.3/aidl --lang=cpp -IF:./ /home/lin/tmp/aidl/android/os/IServiceManager.aidl -o ./out/cpp/ --header_out ./header_out/
生成cpp代码类IServiceManager,BnSeeyaManager,BpSeeyaManager。
// IServiceManager.h
namespace android {
namespace os {
class IServiceManager : public ::android::IInterface {
//...
};
}
}
// BnServiceManager.h
namespace android {
namespace os {
class BnServiceManager : public ::android::BnInterface<IServiceManager> {
public:
explicit BnServiceManager();
::android::status_t onTransact(uint32_t _aidl_code, const ::android::Parcel& _aidl_data, ::android::Parcel* _aidl_reply, uint32_t _aidl_flags) override;
}; // class BnServiceManager
}
}
// BpServiceManager.h
namespace android {
namespace os {
class BpServiceManager : public ::android::BpInterface<IServiceManager> {
//...
};
}
}
也可以使用SDK中的aidl工具生成对应的java文件:
Android/Sdk/build-tools/30.0.3/aidl --lang=java -IF:./ /home/lin/tmp/aidl/android/os/IServiceManager.aidl -o ./out/java/
1.3、注册ServiceManager
将服务名称与服务的对应关系添加到变量mNameToService管理。
//framework/native/cmds/servicemanager/ServiceManager.cpp
mNameToService[name] = Service {
.binder = binder,
.allowIsolated = allowIsolated,
.dumpPriority = dumpPriority,
.debugPid = ctx.debugPid,
};
1.4、初始化IPCThreadState对象
ProcessState是进程单例对象,IPCThreadState是线程单例对象。
IPCThreadState::selft()是一个静态方法,
//IPCThreadState.cpp
IPCThreadState* IPCThreadState::self()
{
if (gHaveTLS.load(std::memory_order_acquire)) {
restart:
const pthread_key_t k = gTLS;
IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);
if (st) return st;
return new IPCThreadState;
}
// Racey, heuristic test for simultaneous shutdown.
if (gShutdown.load(std::memory_order_relaxed)) {
ALOGW("Calling IPCThreadState::self() during shutdown is dangerous, expect a crash.\n");
return nullptr;
}
pthread_mutex_lock(&gTLSMutex);
if (!gHaveTLS.load(std::memory_order_relaxed)) {
int key_create_value = pthread_key_create(&gTLS, threadDestructor);
if (key_create_value != 0) {
pthread_mutex_unlock(&gTLSMutex);
ALOGW("IPCThreadState::self() unable to create TLS key, expect a crash: %s\n",
strerror(key_create_value));
return nullptr;
}
gHaveTLS.store(true, std::memory_order_release);
}
pthread_mutex_unlock(&gTLSMutex);
goto restart;
}
pthread_getspecific(),pthread_setspecific()是存储线程私有数据的方法,相当于Java中的ThreadLocal,IPCThreadState类的线程单例就是这么实现的,key值为gTLS,如果当前线程存在IPCThreadState对象则直接返回,否则重新实例化一个:
IPCThreadState::IPCThreadState()
: mProcess(ProcessState::self()),
mServingStackPointer(nullptr),
mServingStackPointerGuard(nullptr),
mWorkSource(kUnsetWorkSource),
mPropagateWorkSource(false),
mIsLooper(false),
mIsFlushing(false),
mStrictModePolicy(0),
mLastTransactionBinderFlags(0),
mCallRestriction(mProcess->mCallRestriction) {
pthread_setspecific(gTLS, this);
clearCaller();
mHasExplicitIdentity = false;
mIn.setDataCapacity(256);
mOut.setDataCapacity(256);
}
构造方法中将对象通过pthread_setspecific(gTLS, this)保存到当前线程中,初始化mProcess,mIn、mOut是Parcel对象。
1.5、becomeContextManager
servicemanager进程需要通知内核binder我才是servicemanager进程,
所有的client和servicemanager通信,都是通过创建一个BpBinder(0)对象找到servicemanager,其中0就是BpBinder类的Handle属性,
binder驱动通过判断handle是否为0区分servicemanager进程。
回到ps->becomeContextManager()方法:
bool ProcessState::becomeContextManager()
{
AutoMutex _l(mLock);
flat_binder_object obj {
.flags = FLAT_BINDER_FLAG_TXN_SECURITY_CTX,
};
int result = ioctl(mDriverFD, BINDER_SET_CONTEXT_MGR_EXT, &obj);
// fallback to original method
if (result != 0) {
android_errorWriteLog(0x534e4554, "121035042");
int unused = 0;
result = ioctl(mDriverFD, BINDER_SET_CONTEXT_MGR, &unused);
}
if (result == -1) {
ALOGE("Binder ioctl to become context manager failed: %s\n", strerror(errno));
}
return result == 0;
}
通过ioctl,使binder驱动程序调用binder_ioctl()方法处理BINDER_SET_CONTEXT_MGR_EXT信息,将binder_context_mgr_uid赋值为当前uid,binder_context_mgr_node关联到当前进程。
-
binder_context_mgr_node
-
binder_context_mgr_uid
查看binder驱动的binder_transaction()方法,此后只需要判断tr->target.handle是否为0,如果为0,target_node就被赋值为binder_context_mgr_node,将消息交给servicemanager处理。
//binder.c
static void binder_transaction(struct binder_proc *proc,
struct binder_thread *thread,
struct binder_transaction_data *tr, int reply)
{
if (reply) {
} else {
if (tr->target.handle) {
struct binder_ref *ref;
ref = binder_get_ref(proc, tr->target.handle);
if (ref == NULL) {
binder_user_error("%d:%d got transaction to invalid handle\n",
proc->pid, thread->pid);
return_error = BR_FAILED_REPLY;
goto err_invalid_target_handle;
}
target_node = ref->node;
} else {
target_node = binder_context_mgr_node; //servicemanager
if (target_node == NULL) {
return_error = BR_DEAD_REPLY;
goto err_no_context_mgr_node;
}
}
}
}
1.6、启动循环,监听消息
//framework/native/cmds/servicemanager/main.cpp
class BinderCallback : public LooperCallback {
public:
static sp<BinderCallback> setupTo(const sp<Looper>& looper) {
sp<BinderCallback> cb = sp<BinderCallback>::make();
int binder_fd = -1;
//1. 通知binder驱动进入looper
IPCThreadState::self()->setupPolling(&binder_fd);
LOG_ALWAYS_FATAL_IF(binder_fd < 0, "Failed to setupPolling: %d", binder_fd);
//2. Looper添加/dev/binder文件描述符
int ret = looper->addFd(binder_fd,
Looper::POLL_CALLBACK,
Looper::EVENT_INPUT,
cb,
nullptr /*data*/);
LOG_ALWAYS_FATAL_IF(ret != 1, "Failed to add binder FD to Looper");
return cb;
}
int handleEvent(int /* fd */, int /* events */, void* /* data */) override {
//3. 回调handlePolledCommands()
IPCThreadState::self()->handlePolledCommands();
return 1; // Continue receiving callbacks.
}
};
int main(int argc, char** argv)
sp<Looper> looper = Looper::prepare(false /*allowNonCallbacks*/);
BinderCallback::setupTo(looper);
ClientCallbackCallback::setupTo(looper, manager);
while(true) {
looper->pollAll(-1);
}
return EXIT_FAILURE;
}
获取Looper对象绑定BinderCallback,通过ioctl通知binder驱动进入looper状态,将mProcess->mDriverFD文件描述符“/dev/binder”传给looper对象,pollAll()方法通过epoll监听消息,收到消息后,回调IPCThreadState的handlePolledCommands()处理parcel对象mIn,mOut中的消息。
二、defaultServiceManager()
经常看到通过defaultServiceManager()方法获取servicemanager对象,看看defaultServiceManager方法是如何实现的。
// IServiceManager.cpp
using AidlServiceManager = android::os::IServiceManager;
sp<IServiceManager> defaultServiceManager()
{
std::call_once(gSmOnce, []() {
#if defined(__BIONIC__) && !defined(__ANDROID_VNDK__)
/* wait for service manager */ {
using std::literals::chrono_literals::operator""s;
using android::base::WaitForProperty;
while (!WaitForProperty("servicemanager.ready", "true", 1s)) {
ALOGE("Waited for servicemanager.ready for a second, waiting another...");
}
}
#endif
sp<AidlServiceManager> sm = nullptr;
while (sm == nullptr) {
sm = interface_cast<AidlServiceManager>(ProcessState::self()->getContextObject(nullptr));
if (sm == nullptr) {
ALOGE("Waiting 1s on context object on %s.", ProcessState::self()->getDriverName().c_str());
sleep(1);
}
}
gDefaultServiceManager = sp<ServiceManagerShim>::make(sm);
});
return gDefaultServiceManager;
}
std::call_once是C++11引入的新特性,如需使用,只需要#include <mutex>即可,简单来说std:call_once的作用,确保函数或代码片段在多线程环境下,只需要执行一次。AidlServiceManager是android::os::IServiceManager的别名,这里的using关键字相当于typedef。关键的代码就是将ProcessState::self()->getContextObject(nullptr)的返回对象强转为AidlServiceManager类型,接下来详细看看它返回的是什么。
2.1 ProcessState::self()
从类的方法名可以猜到应该是获取ProcessState对象。
// ProcessState.cpp
const char* kDefaultDriver = "/dev/binder";
sp<ProcessState> ProcessState::self()
{
return init(kDefaultDriver, false /*requireDefault*/);
}
kDefaultDriver值为"/dev/binder"。
sp<ProcessState> ProcessState::init(const char* driver, bool requireDefault) {
std::call_once(gProcessOnce, [&](){
int ret = pthread_atfork(ProcessState::onFork, ProcessState::parentPostFork,
ProcessState::childPostFork);
gProcess = sp<ProcessState>::make(driver);
}
verifyNotForked(gProcess->mForked);
return gProcess;
}
pthread_atfork()为pthread库中提供的函数,在fork()创建子进程时被调用。"/dev/binder"作为构造参数实例化ProcessState对象。verifyNotForked在检测到当前进程gProcess->mForked为true时抛出异常crash,因为 Binder 的架构设计并不支持 Fork,原因之一在 Binder 核心的内存映射实现无法避免子进程与原进程的写入冲突,相关虚拟地址的内存映射不会被子进程所继承。最后返回实例化的gProcess对象。
查看ProcessState构造函数:
ProcessState::ProcessState(const char* driver)
: mDriverName(String8(driver)),
mDriverFD(-1),
mVMStart(MAP_FAILED),
mThreadCountLock(PTHREAD_MUTEX_INITIALIZER),
mThreadCountDecrement(PTHREAD_COND_INITIALIZER),
mExecutingThreadsCount(0),
mWaitingForThreads(0),
mMaxThreads(DEFAULT_MAX_BINDER_THREADS),
mCurrentThreads(0),
mKernelStartedThreads(0),
mStarvationStartTimeMs(0),
mForked(false),
mThreadPoolStarted(false),
mThreadPoolSeq(1),
mCallRestriction(CallRestriction::NONE) {
base::Result<int> opened = open_driver(driver);
if (opened.ok()) {
mVMStart = mmap(nullptr, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE,
opened.value(), 0);
}
if (opened.ok()) {
mDriverFD = opened.value();
}
}
driver参数为传递过来的"/dev/binder"。open_driver(driver)通过open方法获取文件描述符fd,接着通过ioctl设置BINDER_VERSION,BINDER_SET_MAX_THREADS,BINDER_ENABLE_ONEWAY_SPAM_DETECTION等参数,最后将fd返回赋值给opened变量。mmap()使用户空间和内核空间共享内存。
ProcessState::self()方法初始化ProcessState对象,打开了"/dev/binder"节点,构建了进程间通信环境,接下来看看getContextObject(nullptr)做了什么。
2.2 ProcessState::getContextObject(nullptr)
// ProcessState.cpp
sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/)
{
sp<IBinder> context = getStrongProxyForHandle(0);
return context;
}
返回一个IBinder对象。
sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
{
handle_entry* e = lookupHandleLocked(handle);
if (handle == 0) {
IPCThreadState* ipc = IPCThreadState::self();
CallRestriction originalCallRestriction = ipc->getCallRestriction();
ipc->setCallRestriction(CallRestriction::NONE);
Parcel data;
status_t status = ipc->transact(
0, IBinder::PING_TRANSACTION, data, nullptr, 0);
ipc->setCallRestriction(originalCallRestriction);
if (status == DEAD_OBJECT)
return nullptr;
}
sp<BpBinder> b = BpBinder::PrivateAccessor::create(handle);
e->binder = b.get();
if (b) e->refs = b->getWeakRefs();
result = b;
return result;
}
lookupHandleLocked方法在数组中查找对象是否已经存在,这里handle参数为0,返回一个handle_entry对象。
当handler==0时,还需要做些特殊化处理,先进行一次跨进程通信保证servicemanager被注册。
实例化BpBinder对象,handle参数为0,返回BpBinder(0)。
回到defaultServiceManager()方法:AidlServiceManager sm = interface_cast<AidlServiceManager>(ProcessState::self()->getContextObject(nullptr));,ProcessState::self()为进程间通信做好了准备,getContextObject(nullptr)返回一个BpBinder(0)对象,代码转换一下相当于:
AidlServiceManager sm = interface_cast<AidlServiceManager>(new BpBinder(0));,BpBinder对象是如何转换成AidlServiceManager对象呢?接着看interface_cast方法。
2.3 interface_cast
// IInterface.h
template<typename INTERFACE>
inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj)
{
return INTERFACE::asInterface(obj);
}
DO_NOT_DIRECTLY_USE_ME_IMPLEMENT_META_INTERFACE0(I##INTERFACE, I##INTERFACE, Bp##INTERFACE)
#define DO_NOT_DIRECTLY_USE_ME_IMPLEMENT_META_INTERFACE0(ITYPE, INAME, BPTYPE)
::android::sp<ITYPE> ITYPE::asInterface(const ::android::sp<::android::IBinder>& obj) {
::android::sp<ITYPE> intr;
if (obj != nullptr) {
intr = ::android::sp<ITYPE>::cast(obj->queryLocalInterface(ITYPE::descriptor));
if (intr == nullptr) {
intr = ::android::sp<BPTYPE>::make(obj);
}
}
return intr;
}
interface_cast方法定义在IInterface.h文件,参数obj为传递过来的BpBinder(0),调用INTERFACE::asInterface(obj)方法,asInterface在宏函数DO_NOT_DIRECTLY_USE_ME_IMPLEMENT_META_INTERFACE0中实现,转换过来参数ITYPE:IServiceManager,INAME:IServiceManager,BPTYPE:BpServiceManager。
queryLocalInterface查询是否存在本地BBinder对象,否则实例化BpServiceManager(BpBinder(0))对象返回,BpServiceManager类由IServiceManager.aidl编译期间自动生成文件定义,路径:out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm64_armv8-a_cortex-a55_shared/gen/aidl/android/os/BpServiceManager.h。
好了,总结一下,interface_cast方法执行后,defaultServiceManager()方法相当于:
AidlServiceManager sm = new BpServiceManager(new BpBinder(0));
AidlServiceManager为android::os::IServiceManager的别名,BpServiceManager继承自IServiceManager。
得到BpServiceManager对象后,就可以和BnServiceManager通信了,BnServiceManager在上文1.2小节实例化 ServiceManager对象中被创建。
三、进程间通信
有了BpServiceManager和BnServiceManager对象,接下来看看它们是如何通信的,具体分析IServiceManager::isDeclared(const String16& name)方法实现。
因为BpServiceManager和BnServiceManager类都是通过aidl文件自动生成的,BpServiceManager::isDeclared方法实现在文件:
out/soong/.intermediates/frameworks/native/libs/binder/libbinder/android_arm64_armv8-a_cortex-a55_shared_asan/gen/aidl/frameworks/native/libs/binder/aidl/android/os/IServiceManager.cpp
// IServiceManager.cpp
::android::binder::Status BpServiceManager::isDeclared(const ::std::string& name, bool* _aidl_return) {
::android::Parcel _aidl_data;
::android::Parcel _aidl_reply;
::android::status_t _aidl_ret_status = ::android::OK;
::android::binder::Status _aidl_status;
_aidl_ret_status = _aidl_data.writeInterfaceToken(getInterfaceDescriptor());
if (((_aidl_ret_status) != (::android::OK))) {
goto _aidl_error;
}
_aidl_ret_status = _aidl_data.writeUtf8AsUtf16(name);
if (((_aidl_ret_status) != (::android::OK))) {
goto _aidl_error;
}
_aidl_ret_status = remote()->transact(::android::IBinder::FIRST_CALL_TRANSACTION + 6 /* isDeclared */, _aidl_data, &_aidl_reply);
if (UNLIKELY(_aidl_ret_status == ::android::UNKNOWN_TRANSACTION && IServiceManager::getDefaultImpl())) {
return IServiceManager::getDefaultImpl()->isDeclared(name, _aidl_return);
}
if (((_aidl_ret_status) != (::android::OK))) {
goto _aidl_error;
}
_aidl_ret_status = _aidl_status.readFromParcel(_aidl_reply);
if (((_aidl_ret_status) != (::android::OK))) {
goto _aidl_error;
}
if (!_aidl_status.isOk()) {
return _aidl_status;
}
_aidl_ret_status = _aidl_reply.readBool(_aidl_return);
if (((_aidl_ret_status) != (::android::OK))) {
goto _aidl_error;
}
_aidl_error:
_aidl_status.setFromStatusT(_aidl_ret_status);
return _aidl_status;
}
isDeclared方法检查service是否在servicemanager中被声明。参数name为service注册名,_aidl_return为返回值,true表示已被声明。
remote()方法返回BpBinder(0)对象,调用其transact方法。
// BpBinder.cpp
status_t BpBinder::transact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
status_t status = IPCThreadState::self()->transact(binderHandle(), code, data, reply, flags);
return status;
}
调用IPCThreadState的transact方法,binderHandle()返回int32_t handle=0的BinderHandle对象。
IPCThreadState的transact方法将数据内容写入到mOut, mIn对象中,通过ioctl和binder节点交互,实现和BnServiceManager进程间通信。
ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr);
bwr是struce binder_write_read解构体类型,保存了mOut和mIn数据。
进程间通信的另一端BnServiceManger,1.6小节中启动循环,监听binder节点事件,消息到来时调用IPCThreadState::handlePolledCommands()方法。
最终会调用到BnServiceManger端的isDeclared方法:
// ServiceManager.cpp
Status ServiceManager::isDeclared(const std::string& name, bool* outReturn) {
auto ctx = mAccess->getCallingContext();
if (!mAccess->canFind(ctx, name)) {
return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");
}
*outReturn = false;
#ifndef VENDORSERVICEMANAGER
*outReturn = isVintfDeclared(name);
#endif
return Status::ok();
}