abe815dd69
We're not using IMemoryHeap as a transport anymore, instead we're providing a CpuConsumer and use the IGraphicBufferProducer version of the screenshot API. However, some GPU drivers don't support properly a GPU to CPU path, to work around this, we use a temporary BufferQueue on the server side for the GL rendering, and we use glReadPixels into the CpuConsumer (we're now using a CPU to CPU path which is always supported). Currently this "wrapping" is always performed, but it can be bypassed on devices that support the GPU to CPU path. This also addresses a DoS attack vector on SurfaceFlinger, where an application could consume all of SF's filedescriptors by creating a lot of screenshots in a row. Bug: 8390553 Change-Id: I9e81514c2a7711b9bb393f74305be7d2abe08f1c
339 lines
12 KiB
C++
339 lines
12 KiB
C++
/*
|
|
* Copyright (C) 2007 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
// tag as surfaceflinger
|
|
#define LOG_TAG "SurfaceFlinger"
|
|
|
|
#include <stdint.h>
|
|
#include <sys/types.h>
|
|
|
|
#include <binder/Parcel.h>
|
|
#include <binder/IMemory.h>
|
|
#include <binder/IPCThreadState.h>
|
|
#include <binder/IServiceManager.h>
|
|
|
|
#include <gui/BitTube.h>
|
|
#include <gui/IDisplayEventConnection.h>
|
|
#include <gui/ISurfaceComposer.h>
|
|
#include <gui/IGraphicBufferProducer.h>
|
|
|
|
#include <private/gui/LayerState.h>
|
|
|
|
#include <ui/DisplayInfo.h>
|
|
|
|
#include <utils/Log.h>
|
|
|
|
// ---------------------------------------------------------------------------
|
|
|
|
namespace android {
|
|
|
|
class IDisplayEventConnection;
|
|
|
|
class BpSurfaceComposer : public BpInterface<ISurfaceComposer>
|
|
{
|
|
public:
|
|
BpSurfaceComposer(const sp<IBinder>& impl)
|
|
: BpInterface<ISurfaceComposer>(impl)
|
|
{
|
|
}
|
|
|
|
virtual sp<ISurfaceComposerClient> createConnection()
|
|
{
|
|
uint32_t n;
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
remote()->transact(BnSurfaceComposer::CREATE_CONNECTION, data, &reply);
|
|
return interface_cast<ISurfaceComposerClient>(reply.readStrongBinder());
|
|
}
|
|
|
|
virtual sp<IGraphicBufferAlloc> createGraphicBufferAlloc()
|
|
{
|
|
uint32_t n;
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
remote()->transact(BnSurfaceComposer::CREATE_GRAPHIC_BUFFER_ALLOC, data, &reply);
|
|
return interface_cast<IGraphicBufferAlloc>(reply.readStrongBinder());
|
|
}
|
|
|
|
virtual void setTransactionState(
|
|
const Vector<ComposerState>& state,
|
|
const Vector<DisplayState>& displays,
|
|
uint32_t flags)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
{
|
|
Vector<ComposerState>::const_iterator b(state.begin());
|
|
Vector<ComposerState>::const_iterator e(state.end());
|
|
data.writeInt32(state.size());
|
|
for ( ; b != e ; ++b ) {
|
|
b->write(data);
|
|
}
|
|
}
|
|
{
|
|
Vector<DisplayState>::const_iterator b(displays.begin());
|
|
Vector<DisplayState>::const_iterator e(displays.end());
|
|
data.writeInt32(displays.size());
|
|
for ( ; b != e ; ++b ) {
|
|
b->write(data);
|
|
}
|
|
}
|
|
data.writeInt32(flags);
|
|
remote()->transact(BnSurfaceComposer::SET_TRANSACTION_STATE, data, &reply);
|
|
}
|
|
|
|
virtual void bootFinished()
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
remote()->transact(BnSurfaceComposer::BOOT_FINISHED, data, &reply);
|
|
}
|
|
|
|
virtual status_t captureScreen(const sp<IBinder>& display,
|
|
const sp<IGraphicBufferProducer>& producer,
|
|
uint32_t reqWidth, uint32_t reqHeight,
|
|
uint32_t minLayerZ, uint32_t maxLayerZ,
|
|
bool isCpuConsumer)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
data.writeStrongBinder(display);
|
|
data.writeStrongBinder(producer->asBinder());
|
|
data.writeInt32(reqWidth);
|
|
data.writeInt32(reqHeight);
|
|
data.writeInt32(minLayerZ);
|
|
data.writeInt32(maxLayerZ);
|
|
data.writeInt32(isCpuConsumer);
|
|
remote()->transact(BnSurfaceComposer::CAPTURE_SCREEN, data, &reply);
|
|
return reply.readInt32();
|
|
}
|
|
|
|
virtual bool authenticateSurfaceTexture(
|
|
const sp<IGraphicBufferProducer>& bufferProducer) const
|
|
{
|
|
Parcel data, reply;
|
|
int err = NO_ERROR;
|
|
err = data.writeInterfaceToken(
|
|
ISurfaceComposer::getInterfaceDescriptor());
|
|
if (err != NO_ERROR) {
|
|
ALOGE("ISurfaceComposer::authenticateSurfaceTexture: error writing "
|
|
"interface descriptor: %s (%d)", strerror(-err), -err);
|
|
return false;
|
|
}
|
|
err = data.writeStrongBinder(bufferProducer->asBinder());
|
|
if (err != NO_ERROR) {
|
|
ALOGE("ISurfaceComposer::authenticateSurfaceTexture: error writing "
|
|
"strong binder to parcel: %s (%d)", strerror(-err), -err);
|
|
return false;
|
|
}
|
|
err = remote()->transact(BnSurfaceComposer::AUTHENTICATE_SURFACE, data,
|
|
&reply);
|
|
if (err != NO_ERROR) {
|
|
ALOGE("ISurfaceComposer::authenticateSurfaceTexture: error "
|
|
"performing transaction: %s (%d)", strerror(-err), -err);
|
|
return false;
|
|
}
|
|
int32_t result = 0;
|
|
err = reply.readInt32(&result);
|
|
if (err != NO_ERROR) {
|
|
ALOGE("ISurfaceComposer::authenticateSurfaceTexture: error "
|
|
"retrieving result: %s (%d)", strerror(-err), -err);
|
|
return false;
|
|
}
|
|
return result != 0;
|
|
}
|
|
|
|
virtual sp<IDisplayEventConnection> createDisplayEventConnection()
|
|
{
|
|
Parcel data, reply;
|
|
sp<IDisplayEventConnection> result;
|
|
int err = data.writeInterfaceToken(
|
|
ISurfaceComposer::getInterfaceDescriptor());
|
|
if (err != NO_ERROR) {
|
|
return result;
|
|
}
|
|
err = remote()->transact(
|
|
BnSurfaceComposer::CREATE_DISPLAY_EVENT_CONNECTION,
|
|
data, &reply);
|
|
if (err != NO_ERROR) {
|
|
ALOGE("ISurfaceComposer::createDisplayEventConnection: error performing "
|
|
"transaction: %s (%d)", strerror(-err), -err);
|
|
return result;
|
|
}
|
|
result = interface_cast<IDisplayEventConnection>(reply.readStrongBinder());
|
|
return result;
|
|
}
|
|
|
|
virtual sp<IBinder> createDisplay(const String8& displayName, bool secure)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
data.writeString8(displayName);
|
|
data.writeInt32(secure ? 1 : 0);
|
|
remote()->transact(BnSurfaceComposer::CREATE_DISPLAY, data, &reply);
|
|
return reply.readStrongBinder();
|
|
}
|
|
|
|
virtual sp<IBinder> getBuiltInDisplay(int32_t id)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
data.writeInt32(id);
|
|
remote()->transact(BnSurfaceComposer::GET_BUILT_IN_DISPLAY, data, &reply);
|
|
return reply.readStrongBinder();
|
|
}
|
|
|
|
virtual void blank(const sp<IBinder>& display)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
data.writeStrongBinder(display);
|
|
remote()->transact(BnSurfaceComposer::BLANK, data, &reply);
|
|
}
|
|
|
|
virtual void unblank(const sp<IBinder>& display)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
data.writeStrongBinder(display);
|
|
remote()->transact(BnSurfaceComposer::UNBLANK, data, &reply);
|
|
}
|
|
|
|
virtual status_t getDisplayInfo(const sp<IBinder>& display, DisplayInfo* info)
|
|
{
|
|
Parcel data, reply;
|
|
data.writeInterfaceToken(ISurfaceComposer::getInterfaceDescriptor());
|
|
data.writeStrongBinder(display);
|
|
remote()->transact(BnSurfaceComposer::GET_DISPLAY_INFO, data, &reply);
|
|
memcpy(info, reply.readInplace(sizeof(DisplayInfo)), sizeof(DisplayInfo));
|
|
return reply.readInt32();
|
|
}
|
|
};
|
|
|
|
IMPLEMENT_META_INTERFACE(SurfaceComposer, "android.ui.ISurfaceComposer");
|
|
|
|
// ----------------------------------------------------------------------
|
|
|
|
status_t BnSurfaceComposer::onTransact(
|
|
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
|
|
{
|
|
switch(code) {
|
|
case CREATE_CONNECTION: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IBinder> b = createConnection()->asBinder();
|
|
reply->writeStrongBinder(b);
|
|
} break;
|
|
case CREATE_GRAPHIC_BUFFER_ALLOC: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IBinder> b = createGraphicBufferAlloc()->asBinder();
|
|
reply->writeStrongBinder(b);
|
|
} break;
|
|
case SET_TRANSACTION_STATE: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
size_t count = data.readInt32();
|
|
ComposerState s;
|
|
Vector<ComposerState> state;
|
|
state.setCapacity(count);
|
|
for (size_t i=0 ; i<count ; i++) {
|
|
s.read(data);
|
|
state.add(s);
|
|
}
|
|
count = data.readInt32();
|
|
DisplayState d;
|
|
Vector<DisplayState> displays;
|
|
displays.setCapacity(count);
|
|
for (size_t i=0 ; i<count ; i++) {
|
|
d.read(data);
|
|
displays.add(d);
|
|
}
|
|
uint32_t flags = data.readInt32();
|
|
setTransactionState(state, displays, flags);
|
|
} break;
|
|
case BOOT_FINISHED: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
bootFinished();
|
|
} break;
|
|
case CAPTURE_SCREEN: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IBinder> display = data.readStrongBinder();
|
|
sp<IGraphicBufferProducer> producer =
|
|
interface_cast<IGraphicBufferProducer>(data.readStrongBinder());
|
|
uint32_t reqWidth = data.readInt32();
|
|
uint32_t reqHeight = data.readInt32();
|
|
uint32_t minLayerZ = data.readInt32();
|
|
uint32_t maxLayerZ = data.readInt32();
|
|
bool isCpuConsumer = data.readInt32();
|
|
status_t res = captureScreen(display, producer,
|
|
reqWidth, reqHeight, minLayerZ, maxLayerZ,
|
|
isCpuConsumer);
|
|
reply->writeInt32(res);
|
|
} break;
|
|
case AUTHENTICATE_SURFACE: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IGraphicBufferProducer> bufferProducer =
|
|
interface_cast<IGraphicBufferProducer>(data.readStrongBinder());
|
|
int32_t result = authenticateSurfaceTexture(bufferProducer) ? 1 : 0;
|
|
reply->writeInt32(result);
|
|
} break;
|
|
case CREATE_DISPLAY_EVENT_CONNECTION: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IDisplayEventConnection> connection(createDisplayEventConnection());
|
|
reply->writeStrongBinder(connection->asBinder());
|
|
return NO_ERROR;
|
|
} break;
|
|
case CREATE_DISPLAY: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
String8 displayName = data.readString8();
|
|
bool secure = bool(data.readInt32());
|
|
sp<IBinder> display(createDisplay(displayName, secure));
|
|
reply->writeStrongBinder(display);
|
|
return NO_ERROR;
|
|
} break;
|
|
case GET_BUILT_IN_DISPLAY: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
int32_t id = data.readInt32();
|
|
sp<IBinder> display(getBuiltInDisplay(id));
|
|
reply->writeStrongBinder(display);
|
|
return NO_ERROR;
|
|
} break;
|
|
case BLANK: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IBinder> display = data.readStrongBinder();
|
|
blank(display);
|
|
} break;
|
|
case UNBLANK: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
sp<IBinder> display = data.readStrongBinder();
|
|
unblank(display);
|
|
} break;
|
|
case GET_DISPLAY_INFO: {
|
|
CHECK_INTERFACE(ISurfaceComposer, data, reply);
|
|
DisplayInfo info;
|
|
sp<IBinder> display = data.readStrongBinder();
|
|
status_t result = getDisplayInfo(display, &info);
|
|
memcpy(reply->writeInplace(sizeof(DisplayInfo)), &info, sizeof(DisplayInfo));
|
|
reply->writeInt32(result);
|
|
} break;
|
|
default:
|
|
return BBinder::onTransact(code, data, reply, flags);
|
|
}
|
|
return NO_ERROR;
|
|
}
|
|
|
|
// ----------------------------------------------------------------------------
|
|
|
|
};
|