|
|
Subscribe / Log in / New account

In a bind with binder

By Jonathan Corbet
October 29, 2014
Linux Plumbers Conference
The Android microconference at the 2014 Linux Plumbers Conference started off with an assessment of how the Android project was doing with regard to integration of its kernel changes with the mainline. The general feeling was that things are getting better; with 3.14, Android carries "only" 346 patches on top of the mainline kernel. But subsequent events have shown that the long-lasting tension between Android and mainline kernel developers has not entirely dissipated yet; the much-maligned Android "binder" mechanism is now one of the central points of that tension.

Many of the Android-specific components that are in the mainline kernel still live in the staging tree. Early in the session, Greg Kroah-Hartman got up to discuss whether any of those components should be moved out of staging — either out of the kernel tree entirely, or into the mainline proper. As an example of the first type, the Android "logger" module, which is no longer used as of the Lollipop release, may simply go away entirely. The story with binder is different, though.

Android's binder has a long history, having first shown up as part of the BeOS system. It is a mechanism for remote procedure calls and remote object management that is used heavily within the Android system. For an overview of how binder relates to other interprocess communication mechanisms, see this 2011 article by Neil Brown. Almost nobody seems to like binder; it is seen as abusing various low-level kernel interfaces, has known security problems when used outside of the tightly controlled Android setting, and more. But Android needs it, so it persists.

In the Plumbers session, Greg noted that binder had been in the staging tree for years. Since it is in active use, binder is not going away anytime soon. It is "horrible" and "broken by design," but it is an ABI [Greg Kroah-Hartman] that we need to support, Greg said, so we might as well move it out of the staging tree. No objections to the idea were raised in the session; everybody seemed happy with the idea of getting binder out of staging.

Greg wasted no time before posting a patch to move binder out of staging; it was on the lists before the Android microconference had concluded its business. Whether Greg expected the wider discussion to go as smoothly as the microconference is not clear; what is clear is that's not what he got.

John Stultz, who has done a lot of work toward the mainlining of Android-specific features, expressed a few concerns. The first of those had to do with maintenance: who was going to be the maintainer of this code, and had the Android developers agreed with that decision? Greg's response to this question was to note that the binder code had not changed in any significant way for a long time; there is not, he feels, a lot of maintenance that is needed. To the extent that binder needs a maintainer, Greg has volunteered to do it.

Another concern of John's had to do with efforts to replace binder with something better tied into the kernel; work is progressing on writing a binder-compatible library over the (still out-of-tree) kdbus interface. Moving binder into the mainline, he thought, might reduce the incentive to get that work done. Greg's answer here was that any such work is entirely new code; it doesn't mitigate the need to maintain the existing code "forever." "So as there really is nothing left to do on it, it deserves to be in the main part of the kernel source tree."

Finally, John worried that moving binder to the mainline might encourage others to make use of it; this was a concern that Alan Cox shared. Greg's response here is that there is never a way to control how others will use the software we ship. But, if anybody outside of Android were to use binder, he said, "you deserve all of the pain and suffering and rooted machines you will get."

Arnd Bergmann raised a number of issues mostly relating to security. Evidently Android does not use the full API exported by binder; he would like to see an audit of how the API is used so that the unneeded parts can be removed, reducing the attack surface of the whole thing. Binder also leaks kernel-space pointers into user space and has no awareness of namespaces, so it can also leak information between containers in undesirable ways. These points have not been addressed in the discussion so far.

Finally, Christoph Hellwig attempted to block the move outright, saying:

NAK. It's complete rubbish and does things to the FD code that it really shouldn't. Android needs to completely redo the interface, and there's been absolutely no work towards that.

Greg disagreed about the claim that no work was being done toward a new interface; he also repeated that, no matter how that work goes, the existing interface needs to be supported indefinitely. Christoph was not satisfied by the answer, though; here he represents a group of kernel developers who feel that the Android developers are still not really trying to work with the mainline kernel. From this point of view, merging substandard Android code just allows Google to offload the pain of maintaining it and encourages more of the same behavior in the future. About the only tool that the kernel developers have to address this problem, as they see it, is their ability to refuse to accept inadequate code.

At that point, the discussion wound down. Greg has not said whether he still plans to move binder regardless of the points that have been raised. In the end, it could be said to make little difference; binder will be shipped with the kernel tree whether it is moved or not. But the decision to move binder or not could send a message on how the kernel development community feels about its relationship with the Android team.

[Your editor would like to thank the Linux Foundation for supporting his travel to the Linux Plumbers Conference].

Index entries for this article
KernelAndroid
ConferenceLinux Plumbers Conference/2014

to post comments

BeOS?

Posted Oct 30, 2014 9:12 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

"Android's binder [...] first shown up as part of the BeOS system"

I can't find any evidence that this is true in a meaningful sense. It's correct that people behind Binder (and thus OpenBinder) worked at Be Inc. but if Binder was part of that work it seems to have never shipped to end users.

It is of course hard to prove a negative. Little pieces of binder might be present, undocumented and largely unused, in BeOS R5 without anybody knowing. But certainly if it's there its presence was so unfelt that BeOS clone project Haiku (once OpenBeOS) has nothing resembling binder nor any indication that it thinks such a thing is needed or desired.

Some documents assert that Binder was the IPC mechanism in BeOS. In fact BeOS IPC is an asynchronous message passing system built around the BMessage type-length-value flattened data structure - it has little surface resemblance to Binder's synchronous local procedure calls.

The next item in Binder's history is PalmOS. That's huge, a well-loved product on handheld devices. Except, it's referring to PalmOS Cobalt (6.0). That's the version developed by Palm spin-out Palm Source, and not only was it not successful as an independent venture - Cobalt was never even used on Palm's own hardware, maybe Binder made it awesome, maybe it was a disaster, end users will never be able to try it for themselves.

It seems to me as though somebody successfully painted Binder as a project with a real world pedigree when in fact, for all the enthusiasm of its developers, Android was actually the first time it was used in anger in a consumer product. That certainly makes it easier to understand how it shipped while still "horrible" and "broken by design".

In a bind with binder

Posted Oct 30, 2014 12:04 UTC (Thu) by moltonel (subscriber, #45207) [Link] (1 responses)

In don't understand why what is done with logger (stop using it in android, and then remove it from vanilla entirely) can't be done with binder ? If kdbus can eventually replace binder, then leave binder in staging for now as Google's problem, and then remove it. Promoting binder from stagging to mainline today would probably make it harder to get rid of tomorrow, even if android stops using it ?

In a bind with binder

Posted Oct 30, 2014 12:57 UTC (Thu) by arnd (subscriber, #8866) [Link]

I guess from the Android side that would be mostly a matter of timing. The 5.0 release presumably changed a lot of things, and removing the logger was one of them. Replacing binder with something else won't realistically happen before Android 6.0, whenever that may be.

In a bind with binder

Posted Oct 31, 2014 11:50 UTC (Fri) by HIGHGuY (subscriber, #62277) [Link]

Given that the staging tree comes with "warranty void if seal broken" marks, should ABI be maintained for staging code?

In my view, moving something out of staging comes down to: this code works properly, has sane design, sane ABI and semantics and doesn't give readers spontaneous thirst for the strongest liquors around... Or perhaps in k-dev speak: we're now committed to the ABI.

I'd say the simplest example would be the removal of logger - this is an ABI break. So, putting things together: if there are known issues with the thing, should the kernel really start committing to not breaking or fixing the code?

In a bind with binder

Posted Nov 5, 2014 10:59 UTC (Wed) by error27 (subscriber, #8346) [Link]

The binder devs are fairly unresponsive. It's not hard to create documentation. You could write half arsed documentation in one afternoon.

I have seen other maintainers where you say "Your code is ugly. Look at this function everything about it is horrible. The rest of your code is the same." They fix the one function and leave everything else the same. If you keep sending half arsed patches to fix review comments then we eventually just merge your code even when we aren't 100% happy.

The binder devs could have fixed up the binder ioctl to use proper return codes. That would take 10 minutes of work and it fixes a specific problem that I complained about.

Instead of that they are all "No, you need to merge it as-is because we aren't going to lift a finger to fix anything." What about when it has real bugs?

In a bind with binder

Posted Mar 27, 2015 1:47 UTC (Fri) by aahlawat (guest, #101677) [Link]

This article mentions that Binder "has known security problems when used outside of the tightly controlled Android setting, and more.".

Can anyone elaborate what these problems are and what tight control Android puts in place to mitigate these problems ?


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds