xref: /linux/include/uapi/linux/android/binder.h (revision 2a6b6c9a226279b4f6668450ddb21ae655558087)
1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /*
3  * Copyright (C) 2008 Google, Inc.
4  *
5  * Based on, but no longer compatible with, the original
6  * OpenBinder.org binder driver interface, which is:
7  *
8  * Copyright (c) 2005 Palmsource, Inc.
9  *
10  * This software is licensed under the terms of the GNU General Public
11  * License version 2, as published by the Free Software Foundation, and
12  * may be copied, distributed, and modified under those terms.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  */
20 
21 #ifndef _UAPI_LINUX_BINDER_H
22 #define _UAPI_LINUX_BINDER_H
23 
24 #include <linux/types.h>
25 #include <linux/ioctl.h>
26 
27 #define B_PACK_CHARS(c1, c2, c3, c4) \
28 	((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
29 #define B_TYPE_LARGE 0x85
30 
31 enum {
32 	BINDER_TYPE_BINDER	= B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
33 	BINDER_TYPE_WEAK_BINDER	= B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
34 	BINDER_TYPE_HANDLE	= B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
35 	BINDER_TYPE_WEAK_HANDLE	= B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
36 	BINDER_TYPE_FD		= B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
37 	BINDER_TYPE_FDA		= B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
38 	BINDER_TYPE_PTR		= B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
39 };
40 
41 enum {
42 	FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
43 	FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
44 
45 	/**
46 	 * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47 	 *
48 	 * Only when set, causes senders to include their security
49 	 * context
50 	 */
51 	FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
52 };
53 
54 #ifdef BINDER_IPC_32BIT
55 typedef __u32 binder_size_t;
56 typedef __u32 binder_uintptr_t;
57 #else
58 typedef __u64 binder_size_t;
59 typedef __u64 binder_uintptr_t;
60 #endif
61 
62 /**
63  * struct binder_object_header - header shared by all binder metadata objects.
64  * @type:	type of the object
65  */
66 struct binder_object_header {
67 	__u32        type;
68 };
69 
70 /*
71  * This is the flattened representation of a Binder object for transfer
72  * between processes.  The 'offsets' supplied as part of a binder transaction
73  * contains offsets into the data where these structures occur.  The Binder
74  * driver takes care of re-writing the structure type and data as it moves
75  * between processes.
76  */
77 struct flat_binder_object {
78 	struct binder_object_header	hdr;
79 	__u32				flags;
80 
81 	/* 8 bytes of data. */
82 	union {
83 		binder_uintptr_t	binder;	/* local object */
84 		__u32			handle;	/* remote object */
85 	};
86 
87 	/* extra data associated with local object */
88 	binder_uintptr_t	cookie;
89 };
90 
91 /**
92  * struct binder_fd_object - describes a filedescriptor to be fixed up.
93  * @hdr:	common header structure
94  * @pad_flags:	padding to remain compatible with old userspace code
95  * @pad_binder:	padding to remain compatible with old userspace code
96  * @fd:		file descriptor
97  * @cookie:	opaque data, used by user-space
98  */
99 struct binder_fd_object {
100 	struct binder_object_header	hdr;
101 	__u32				pad_flags;
102 	union {
103 		binder_uintptr_t	pad_binder;
104 		__u32			fd;
105 	};
106 
107 	binder_uintptr_t		cookie;
108 };
109 
110 /* struct binder_buffer_object - object describing a userspace buffer
111  * @hdr:		common header structure
112  * @flags:		one or more BINDER_BUFFER_* flags
113  * @buffer:		address of the buffer
114  * @length:		length of the buffer
115  * @parent:		index in offset array pointing to parent buffer
116  * @parent_offset:	offset in @parent pointing to this buffer
117  *
118  * A binder_buffer object represents an object that the
119  * binder kernel driver can copy verbatim to the target
120  * address space. A buffer itself may be pointed to from
121  * within another buffer, meaning that the pointer inside
122  * that other buffer needs to be fixed up as well. This
123  * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124  * flag in @flags, by setting @parent buffer to the index
125  * in the offset array pointing to the parent binder_buffer_object,
126  * and by setting @parent_offset to the offset in the parent buffer
127  * at which the pointer to this buffer is located.
128  */
129 struct binder_buffer_object {
130 	struct binder_object_header	hdr;
131 	__u32				flags;
132 	binder_uintptr_t		buffer;
133 	binder_size_t			length;
134 	binder_size_t			parent;
135 	binder_size_t			parent_offset;
136 };
137 
138 enum {
139 	BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
140 };
141 
142 /* struct binder_fd_array_object - object describing an array of fds in a buffer
143  * @hdr:		common header structure
144  * @pad:		padding to ensure correct alignment
145  * @num_fds:		number of file descriptors in the buffer
146  * @parent:		index in offset array to buffer holding the fd array
147  * @parent_offset:	start offset of fd array in the buffer
148  *
149  * A binder_fd_array object represents an array of file
150  * descriptors embedded in a binder_buffer_object. It is
151  * different from a regular binder_buffer_object because it
152  * describes a list of file descriptors to fix up, not an opaque
153  * blob of memory, and hence the kernel needs to treat it differently.
154  *
155  * An example of how this would be used is with Android's
156  * native_handle_t object, which is a struct with a list of integers
157  * and a list of file descriptors. The native_handle_t struct itself
158  * will be represented by a struct binder_buffer_objct, whereas the
159  * embedded list of file descriptors is represented by a
160  * struct binder_fd_array_object with that binder_buffer_object as
161  * a parent.
162  */
163 struct binder_fd_array_object {
164 	struct binder_object_header	hdr;
165 	__u32				pad;
166 	binder_size_t			num_fds;
167 	binder_size_t			parent;
168 	binder_size_t			parent_offset;
169 };
170 
171 /*
172  * On 64-bit platforms where user code may run in 32-bits the driver must
173  * translate the buffer (and local binder) addresses appropriately.
174  */
175 
176 struct binder_write_read {
177 	binder_size_t		write_size;	/* bytes to write */
178 	binder_size_t		write_consumed;	/* bytes consumed by driver */
179 	binder_uintptr_t	write_buffer;
180 	binder_size_t		read_size;	/* bytes to read */
181 	binder_size_t		read_consumed;	/* bytes consumed by driver */
182 	binder_uintptr_t	read_buffer;
183 };
184 
185 /* Use with BINDER_VERSION, driver fills in fields. */
186 struct binder_version {
187 	/* driver protocol version -- increment with incompatible change */
188 	__s32       protocol_version;
189 };
190 
191 /* This is the current protocol version. */
192 #ifdef BINDER_IPC_32BIT
193 #define BINDER_CURRENT_PROTOCOL_VERSION 7
194 #else
195 #define BINDER_CURRENT_PROTOCOL_VERSION 8
196 #endif
197 
198 /*
199  * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200  * Set ptr to NULL for the first call to get the info for the first node, and
201  * then repeat the call passing the previously returned value to get the next
202  * nodes.  ptr will be 0 when there are no more nodes.
203  */
204 struct binder_node_debug_info {
205 	binder_uintptr_t ptr;
206 	binder_uintptr_t cookie;
207 	__u32            has_strong_ref;
208 	__u32            has_weak_ref;
209 };
210 
211 struct binder_node_info_for_ref {
212 	__u32            handle;
213 	__u32            strong_count;
214 	__u32            weak_count;
215 	__u32            reserved1;
216 	__u32            reserved2;
217 	__u32            reserved3;
218 };
219 
220 struct binder_freeze_info {
221 	__u32            pid;
222 	__u32            enable;
223 	__u32            timeout_ms;
224 };
225 
226 struct binder_frozen_status_info {
227 	__u32            pid;
228 
229 	/* process received sync transactions since last frozen
230 	 * bit 0: received sync transaction after being frozen
231 	 * bit 1: new pending sync transaction during freezing
232 	 */
233 	__u32            sync_recv;
234 
235 	/* process received async transactions since last frozen */
236 	__u32            async_recv;
237 };
238 
239 /* struct binder_extened_error - extended error information
240  * @id:		identifier for the failed operation
241  * @command:	command as defined by binder_driver_return_protocol
242  * @param:	parameter holding a negative errno value
243  *
244  * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information
245  * returned by the driver upon a failed operation. Userspace can pull this
246  * data to properly handle specific error scenarios.
247  */
248 struct binder_extended_error {
249 	__u32	id;
250 	__u32	command;
251 	__s32	param;
252 };
253 
254 enum {
255 	BINDER_WRITE_READ		= _IOWR('b', 1, struct binder_write_read),
256 	BINDER_SET_IDLE_TIMEOUT		= _IOW('b', 3, __s64),
257 	BINDER_SET_MAX_THREADS		= _IOW('b', 5, __u32),
258 	BINDER_SET_IDLE_PRIORITY	= _IOW('b', 6, __s32),
259 	BINDER_SET_CONTEXT_MGR		= _IOW('b', 7, __s32),
260 	BINDER_THREAD_EXIT		= _IOW('b', 8, __s32),
261 	BINDER_VERSION			= _IOWR('b', 9, struct binder_version),
262 	BINDER_GET_NODE_DEBUG_INFO	= _IOWR('b', 11, struct binder_node_debug_info),
263 	BINDER_GET_NODE_INFO_FOR_REF	= _IOWR('b', 12, struct binder_node_info_for_ref),
264 	BINDER_SET_CONTEXT_MGR_EXT	= _IOW('b', 13, struct flat_binder_object),
265 	BINDER_FREEZE			= _IOW('b', 14, struct binder_freeze_info),
266 	BINDER_GET_FROZEN_INFO		= _IOWR('b', 15, struct binder_frozen_status_info),
267 	BINDER_ENABLE_ONEWAY_SPAM_DETECTION	= _IOW('b', 16, __u32),
268 	BINDER_GET_EXTENDED_ERROR	= _IOWR('b', 17, struct binder_extended_error),
269 };
270 
271 /*
272  * NOTE: Two special error codes you should check for when calling
273  * in to the driver are:
274  *
275  * EINTR -- The operation has been interupted.  This should be
276  * handled by retrying the ioctl() until a different error code
277  * is returned.
278  *
279  * ECONNREFUSED -- The driver is no longer accepting operations
280  * from your process.  That is, the process is being destroyed.
281  * You should handle this by exiting from your process.  Note
282  * that once this error code is returned, all further calls to
283  * the driver from any thread will return this same code.
284  */
285 
286 enum transaction_flags {
287 	TF_ONE_WAY	= 0x01,	/* this is a one-way call: async, no return */
288 	TF_ROOT_OBJECT	= 0x04,	/* contents are the component's root object */
289 	TF_STATUS_CODE	= 0x08,	/* contents are a 32-bit status code */
290 	TF_ACCEPT_FDS	= 0x10,	/* allow replies with file descriptors */
291 	TF_CLEAR_BUF	= 0x20,	/* clear buffer on txn complete */
292 	TF_UPDATE_TXN	= 0x40,	/* update the outdated pending async txn */
293 };
294 
295 struct binder_transaction_data {
296 	/* The first two are only used for bcTRANSACTION and brTRANSACTION,
297 	 * identifying the target and contents of the transaction.
298 	 */
299 	union {
300 		/* target descriptor of command transaction */
301 		__u32	handle;
302 		/* target descriptor of return transaction */
303 		binder_uintptr_t ptr;
304 	} target;
305 	binder_uintptr_t	cookie;	/* target object cookie */
306 	__u32		code;		/* transaction command */
307 
308 	/* General information about the transaction. */
309 	__u32	        flags;
310 	__kernel_pid_t	sender_pid;
311 	__kernel_uid32_t	sender_euid;
312 	binder_size_t	data_size;	/* number of bytes of data */
313 	binder_size_t	offsets_size;	/* number of bytes of offsets */
314 
315 	/* If this transaction is inline, the data immediately
316 	 * follows here; otherwise, it ends with a pointer to
317 	 * the data buffer.
318 	 */
319 	union {
320 		struct {
321 			/* transaction data */
322 			binder_uintptr_t	buffer;
323 			/* offsets from buffer to flat_binder_object structs */
324 			binder_uintptr_t	offsets;
325 		} ptr;
326 		__u8	buf[8];
327 	} data;
328 };
329 
330 struct binder_transaction_data_secctx {
331 	struct binder_transaction_data transaction_data;
332 	binder_uintptr_t secctx;
333 };
334 
335 struct binder_transaction_data_sg {
336 	struct binder_transaction_data transaction_data;
337 	binder_size_t buffers_size;
338 };
339 
340 struct binder_ptr_cookie {
341 	binder_uintptr_t ptr;
342 	binder_uintptr_t cookie;
343 };
344 
345 struct binder_handle_cookie {
346 	__u32 handle;
347 	binder_uintptr_t cookie;
348 } __packed;
349 
350 struct binder_pri_desc {
351 	__s32 priority;
352 	__u32 desc;
353 };
354 
355 struct binder_pri_ptr_cookie {
356 	__s32 priority;
357 	binder_uintptr_t ptr;
358 	binder_uintptr_t cookie;
359 };
360 
361 enum binder_driver_return_protocol {
362 	BR_ERROR = _IOR('r', 0, __s32),
363 	/*
364 	 * int: error code
365 	 */
366 
367 	BR_OK = _IO('r', 1),
368 	/* No parameters! */
369 
370 	BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
371 				      struct binder_transaction_data_secctx),
372 	/*
373 	 * binder_transaction_data_secctx: the received command.
374 	 */
375 	BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
376 	BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
377 	/*
378 	 * binder_transaction_data: the received command.
379 	 */
380 
381 	BR_ACQUIRE_RESULT = _IOR('r', 4, __s32),
382 	/*
383 	 * not currently supported
384 	 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
385 	 * Else the remote object has acquired a primary reference.
386 	 */
387 
388 	BR_DEAD_REPLY = _IO('r', 5),
389 	/*
390 	 * The target of the last transaction (either a bcTRANSACTION or
391 	 * a bcATTEMPT_ACQUIRE) is no longer with us.  No parameters.
392 	 */
393 
394 	BR_TRANSACTION_COMPLETE = _IO('r', 6),
395 	/*
396 	 * No parameters... always refers to the last transaction requested
397 	 * (including replies).  Note that this will be sent even for
398 	 * asynchronous transactions.
399 	 */
400 
401 	BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie),
402 	BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie),
403 	BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie),
404 	BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie),
405 	/*
406 	 * void *:	ptr to binder
407 	 * void *: cookie for binder
408 	 */
409 
410 	BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie),
411 	/*
412 	 * not currently supported
413 	 * int:	priority
414 	 * void *: ptr to binder
415 	 * void *: cookie for binder
416 	 */
417 
418 	BR_NOOP = _IO('r', 12),
419 	/*
420 	 * No parameters.  Do nothing and examine the next command.  It exists
421 	 * primarily so that we can replace it with a BR_SPAWN_LOOPER command.
422 	 */
423 
424 	BR_SPAWN_LOOPER = _IO('r', 13),
425 	/*
426 	 * No parameters.  The driver has determined that a process has no
427 	 * threads waiting to service incoming transactions.  When a process
428 	 * receives this command, it must spawn a new service thread and
429 	 * register it via bcENTER_LOOPER.
430 	 */
431 
432 	BR_FINISHED = _IO('r', 14),
433 	/*
434 	 * not currently supported
435 	 * stop threadpool thread
436 	 */
437 
438 	BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t),
439 	/*
440 	 * void *: cookie
441 	 */
442 	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t),
443 	/*
444 	 * void *: cookie
445 	 */
446 
447 	BR_FAILED_REPLY = _IO('r', 17),
448 	/*
449 	 * The last transaction (either a bcTRANSACTION or
450 	 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory).  No parameters.
451 	 */
452 
453 	BR_FROZEN_REPLY = _IO('r', 18),
454 	/*
455 	 * The target of the last sync transaction (either a bcTRANSACTION or
456 	 * a bcATTEMPT_ACQUIRE) is frozen.  No parameters.
457 	 */
458 
459 	BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19),
460 	/*
461 	 * Current process sent too many oneway calls to target, and the last
462 	 * asynchronous transaction makes the allocated async buffer size exceed
463 	 * detection threshold.  No parameters.
464 	 */
465 
466 	BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20),
467 	/*
468 	 * The target of the last async transaction is frozen.  No parameters.
469 	 */
470 };
471 
472 enum binder_driver_command_protocol {
473 	BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data),
474 	BC_REPLY = _IOW('c', 1, struct binder_transaction_data),
475 	/*
476 	 * binder_transaction_data: the sent command.
477 	 */
478 
479 	BC_ACQUIRE_RESULT = _IOW('c', 2, __s32),
480 	/*
481 	 * not currently supported
482 	 * int:  0 if the last BR_ATTEMPT_ACQUIRE was not successful.
483 	 * Else you have acquired a primary reference on the object.
484 	 */
485 
486 	BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t),
487 	/*
488 	 * void *: ptr to transaction data received on a read
489 	 */
490 
491 	BC_INCREFS = _IOW('c', 4, __u32),
492 	BC_ACQUIRE = _IOW('c', 5, __u32),
493 	BC_RELEASE = _IOW('c', 6, __u32),
494 	BC_DECREFS = _IOW('c', 7, __u32),
495 	/*
496 	 * int:	descriptor
497 	 */
498 
499 	BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie),
500 	BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie),
501 	/*
502 	 * void *: ptr to binder
503 	 * void *: cookie for binder
504 	 */
505 
506 	BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc),
507 	/*
508 	 * not currently supported
509 	 * int: priority
510 	 * int: descriptor
511 	 */
512 
513 	BC_REGISTER_LOOPER = _IO('c', 11),
514 	/*
515 	 * No parameters.
516 	 * Register a spawned looper thread with the device.
517 	 */
518 
519 	BC_ENTER_LOOPER = _IO('c', 12),
520 	BC_EXIT_LOOPER = _IO('c', 13),
521 	/*
522 	 * No parameters.
523 	 * These two commands are sent as an application-level thread
524 	 * enters and exits the binder loop, respectively.  They are
525 	 * used so the binder can have an accurate count of the number
526 	 * of looping threads it has available.
527 	 */
528 
529 	BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14,
530 						struct binder_handle_cookie),
531 	/*
532 	 * int: handle
533 	 * void *: cookie
534 	 */
535 
536 	BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15,
537 						struct binder_handle_cookie),
538 	/*
539 	 * int: handle
540 	 * void *: cookie
541 	 */
542 
543 	BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t),
544 	/*
545 	 * void *: cookie
546 	 */
547 
548 	BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg),
549 	BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg),
550 	/*
551 	 * binder_transaction_data_sg: the sent command.
552 	 */
553 };
554 
555 #endif /* _UAPI_LINUX_BINDER_H */
556 
557