xref: /linux/include/uapi/linux/android/binder.h (revision a97673a1c43d005a3ae215f4ca8b4bbb5691aea1) 
1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2 /*
3  * Copyright (C) 2008 Google, Inc.
4  *
5  * Based on, but no longer compatible with, the original
6  * OpenBinder.org binder driver interface, which is:
7  *
8  * Copyright (c) 2005 Palmsource, Inc.
9  *
10  * This software is licensed under the terms of the GNU General Public
11  * License version 2, as published by the Free Software Foundation, and
12  * may be copied, distributed, and modified under those terms.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  */
20 
21 #ifndef _UAPI_LINUX_BINDER_H
22 #define _UAPI_LINUX_BINDER_H
23 
24 #include <linux/types.h>
25 #include <linux/ioctl.h>
26 
27 #define B_PACK_CHARS(c1, c2, c3, c4) \
28 	((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
29 #define B_TYPE_LARGE 0x85
30 
31 enum {
32 	BINDER_TYPE_BINDER	= B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
33 	BINDER_TYPE_WEAK_BINDER	= B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
34 	BINDER_TYPE_HANDLE	= B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
35 	BINDER_TYPE_WEAK_HANDLE	= B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
36 	BINDER_TYPE_FD		= B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
37 	BINDER_TYPE_FDA		= B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
38 	BINDER_TYPE_PTR		= B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
39 };
40 
41 enum {
42 	FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
43 	FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
44 };
45 
46 #ifdef BINDER_IPC_32BIT
47 typedef __u32 binder_size_t;
48 typedef __u32 binder_uintptr_t;
49 #else
50 typedef __u64 binder_size_t;
51 typedef __u64 binder_uintptr_t;
52 #endif
53 
54 /**
55  * struct binder_object_header - header shared by all binder metadata objects.
56  * @type:	type of the object
57  */
58 struct binder_object_header {
59 	__u32        type;
60 };
61 
62 /*
63  * This is the flattened representation of a Binder object for transfer
64  * between processes.  The 'offsets' supplied as part of a binder transaction
65  * contains offsets into the data where these structures occur.  The Binder
66  * driver takes care of re-writing the structure type and data as it moves
67  * between processes.
68  */
69 struct flat_binder_object {
70 	struct binder_object_header	hdr;
71 	__u32				flags;
72 
73 	/* 8 bytes of data. */
74 	union {
75 		binder_uintptr_t	binder;	/* local object */
76 		__u32			handle;	/* remote object */
77 	};
78 
79 	/* extra data associated with local object */
80 	binder_uintptr_t	cookie;
81 };
82 
83 /**
84  * struct binder_fd_object - describes a filedescriptor to be fixed up.
85  * @hdr:	common header structure
86  * @pad_flags:	padding to remain compatible with old userspace code
87  * @pad_binder:	padding to remain compatible with old userspace code
88  * @fd:		file descriptor
89  * @cookie:	opaque data, used by user-space
90  */
91 struct binder_fd_object {
92 	struct binder_object_header	hdr;
93 	__u32				pad_flags;
94 	union {
95 		binder_uintptr_t	pad_binder;
96 		__u32			fd;
97 	};
98 
99 	binder_uintptr_t		cookie;
100 };
101 
102 /* struct binder_buffer_object - object describing a userspace buffer
103  * @hdr:		common header structure
104  * @flags:		one or more BINDER_BUFFER_* flags
105  * @buffer:		address of the buffer
106  * @length:		length of the buffer
107  * @parent:		index in offset array pointing to parent buffer
108  * @parent_offset:	offset in @parent pointing to this buffer
109  *
110  * A binder_buffer object represents an object that the
111  * binder kernel driver can copy verbatim to the target
112  * address space. A buffer itself may be pointed to from
113  * within another buffer, meaning that the pointer inside
114  * that other buffer needs to be fixed up as well. This
115  * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
116  * flag in @flags, by setting @parent buffer to the index
117  * in the offset array pointing to the parent binder_buffer_object,
118  * and by setting @parent_offset to the offset in the parent buffer
119  * at which the pointer to this buffer is located.
120  */
121 struct binder_buffer_object {
122 	struct binder_object_header	hdr;
123 	__u32				flags;
124 	binder_uintptr_t		buffer;
125 	binder_size_t			length;
126 	binder_size_t			parent;
127 	binder_size_t			parent_offset;
128 };
129 
130 enum {
131 	BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
132 };
133 
134 /* struct binder_fd_array_object - object describing an array of fds in a buffer
135  * @hdr:		common header structure
136  * @pad:		padding to ensure correct alignment
137  * @num_fds:		number of file descriptors in the buffer
138  * @parent:		index in offset array to buffer holding the fd array
139  * @parent_offset:	start offset of fd array in the buffer
140  *
141  * A binder_fd_array object represents an array of file
142  * descriptors embedded in a binder_buffer_object. It is
143  * different from a regular binder_buffer_object because it
144  * describes a list of file descriptors to fix up, not an opaque
145  * blob of memory, and hence the kernel needs to treat it differently.
146  *
147  * An example of how this would be used is with Android's
148  * native_handle_t object, which is a struct with a list of integers
149  * and a list of file descriptors. The native_handle_t struct itself
150  * will be represented by a struct binder_buffer_objct, whereas the
151  * embedded list of file descriptors is represented by a
152  * struct binder_fd_array_object with that binder_buffer_object as
153  * a parent.
154  */
155 struct binder_fd_array_object {
156 	struct binder_object_header	hdr;
157 	__u32				pad;
158 	binder_size_t			num_fds;
159 	binder_size_t			parent;
160 	binder_size_t			parent_offset;
161 };
162 
163 /*
164  * On 64-bit platforms where user code may run in 32-bits the driver must
165  * translate the buffer (and local binder) addresses appropriately.
166  */
167 
168 struct binder_write_read {
169 	binder_size_t		write_size;	/* bytes to write */
170 	binder_size_t		write_consumed;	/* bytes consumed by driver */
171 	binder_uintptr_t	write_buffer;
172 	binder_size_t		read_size;	/* bytes to read */
173 	binder_size_t		read_consumed;	/* bytes consumed by driver */
174 	binder_uintptr_t	read_buffer;
175 };
176 
177 /* Use with BINDER_VERSION, driver fills in fields. */
178 struct binder_version {
179 	/* driver protocol version -- increment with incompatible change */
180 	__s32       protocol_version;
181 };
182 
183 /* This is the current protocol version. */
184 #ifdef BINDER_IPC_32BIT
185 #define BINDER_CURRENT_PROTOCOL_VERSION 7
186 #else
187 #define BINDER_CURRENT_PROTOCOL_VERSION 8
188 #endif
189 
190 /*
191  * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
192  * Set ptr to NULL for the first call to get the info for the first node, and
193  * then repeat the call passing the previously returned value to get the next
194  * nodes.  ptr will be 0 when there are no more nodes.
195  */
196 struct binder_node_debug_info {
197 	binder_uintptr_t ptr;
198 	binder_uintptr_t cookie;
199 	__u32            has_strong_ref;
200 	__u32            has_weak_ref;
201 };
202 
203 struct binder_node_info_for_ref {
204 	__u32            handle;
205 	__u32            strong_count;
206 	__u32            weak_count;
207 	__u32            reserved1;
208 	__u32            reserved2;
209 	__u32            reserved3;
210 };
211 
212 #define BINDER_WRITE_READ		_IOWR('b', 1, struct binder_write_read)
213 #define BINDER_SET_IDLE_TIMEOUT		_IOW('b', 3, __s64)
214 #define BINDER_SET_MAX_THREADS		_IOW('b', 5, __u32)
215 #define BINDER_SET_IDLE_PRIORITY	_IOW('b', 6, __s32)
216 #define BINDER_SET_CONTEXT_MGR		_IOW('b', 7, __s32)
217 #define BINDER_THREAD_EXIT		_IOW('b', 8, __s32)
218 #define BINDER_VERSION			_IOWR('b', 9, struct binder_version)
219 #define BINDER_GET_NODE_DEBUG_INFO	_IOWR('b', 11, struct binder_node_debug_info)
220 #define BINDER_GET_NODE_INFO_FOR_REF	_IOWR('b', 12, struct binder_node_info_for_ref)
221 
222 /*
223  * NOTE: Two special error codes you should check for when calling
224  * in to the driver are:
225  *
226  * EINTR -- The operation has been interupted.  This should be
227  * handled by retrying the ioctl() until a different error code
228  * is returned.
229  *
230  * ECONNREFUSED -- The driver is no longer accepting operations
231  * from your process.  That is, the process is being destroyed.
232  * You should handle this by exiting from your process.  Note
233  * that once this error code is returned, all further calls to
234  * the driver from any thread will return this same code.
235  */
236 
237 enum transaction_flags {
238 	TF_ONE_WAY	= 0x01,	/* this is a one-way call: async, no return */
239 	TF_ROOT_OBJECT	= 0x04,	/* contents are the component's root object */
240 	TF_STATUS_CODE	= 0x08,	/* contents are a 32-bit status code */
241 	TF_ACCEPT_FDS	= 0x10,	/* allow replies with file descriptors */
242 };
243 
244 struct binder_transaction_data {
245 	/* The first two are only used for bcTRANSACTION and brTRANSACTION,
246 	 * identifying the target and contents of the transaction.
247 	 */
248 	union {
249 		/* target descriptor of command transaction */
250 		__u32	handle;
251 		/* target descriptor of return transaction */
252 		binder_uintptr_t ptr;
253 	} target;
254 	binder_uintptr_t	cookie;	/* target object cookie */
255 	__u32		code;		/* transaction command */
256 
257 	/* General information about the transaction. */
258 	__u32	        flags;
259 	pid_t		sender_pid;
260 	uid_t		sender_euid;
261 	binder_size_t	data_size;	/* number of bytes of data */
262 	binder_size_t	offsets_size;	/* number of bytes of offsets */
263 
264 	/* If this transaction is inline, the data immediately
265 	 * follows here; otherwise, it ends with a pointer to
266 	 * the data buffer.
267 	 */
268 	union {
269 		struct {
270 			/* transaction data */
271 			binder_uintptr_t	buffer;
272 			/* offsets from buffer to flat_binder_object structs */
273 			binder_uintptr_t	offsets;
274 		} ptr;
275 		__u8	buf[8];
276 	} data;
277 };
278 
279 struct binder_transaction_data_sg {
280 	struct binder_transaction_data transaction_data;
281 	binder_size_t buffers_size;
282 };
283 
284 struct binder_ptr_cookie {
285 	binder_uintptr_t ptr;
286 	binder_uintptr_t cookie;
287 };
288 
289 struct binder_handle_cookie {
290 	__u32 handle;
291 	binder_uintptr_t cookie;
292 } __packed;
293 
294 struct binder_pri_desc {
295 	__s32 priority;
296 	__u32 desc;
297 };
298 
299 struct binder_pri_ptr_cookie {
300 	__s32 priority;
301 	binder_uintptr_t ptr;
302 	binder_uintptr_t cookie;
303 };
304 
305 enum binder_driver_return_protocol {
306 	BR_ERROR = _IOR('r', 0, __s32),
307 	/*
308 	 * int: error code
309 	 */
310 
311 	BR_OK = _IO('r', 1),
312 	/* No parameters! */
313 
314 	BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
315 	BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
316 	/*
317 	 * binder_transaction_data: the received command.
318 	 */
319 
320 	BR_ACQUIRE_RESULT = _IOR('r', 4, __s32),
321 	/*
322 	 * not currently supported
323 	 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
324 	 * Else the remote object has acquired a primary reference.
325 	 */
326 
327 	BR_DEAD_REPLY = _IO('r', 5),
328 	/*
329 	 * The target of the last transaction (either a bcTRANSACTION or
330 	 * a bcATTEMPT_ACQUIRE) is no longer with us.  No parameters.
331 	 */
332 
333 	BR_TRANSACTION_COMPLETE = _IO('r', 6),
334 	/*
335 	 * No parameters... always refers to the last transaction requested
336 	 * (including replies).  Note that this will be sent even for
337 	 * asynchronous transactions.
338 	 */
339 
340 	BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie),
341 	BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie),
342 	BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie),
343 	BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie),
344 	/*
345 	 * void *:	ptr to binder
346 	 * void *: cookie for binder
347 	 */
348 
349 	BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie),
350 	/*
351 	 * not currently supported
352 	 * int:	priority
353 	 * void *: ptr to binder
354 	 * void *: cookie for binder
355 	 */
356 
357 	BR_NOOP = _IO('r', 12),
358 	/*
359 	 * No parameters.  Do nothing and examine the next command.  It exists
360 	 * primarily so that we can replace it with a BR_SPAWN_LOOPER command.
361 	 */
362 
363 	BR_SPAWN_LOOPER = _IO('r', 13),
364 	/*
365 	 * No parameters.  The driver has determined that a process has no
366 	 * threads waiting to service incoming transactions.  When a process
367 	 * receives this command, it must spawn a new service thread and
368 	 * register it via bcENTER_LOOPER.
369 	 */
370 
371 	BR_FINISHED = _IO('r', 14),
372 	/*
373 	 * not currently supported
374 	 * stop threadpool thread
375 	 */
376 
377 	BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t),
378 	/*
379 	 * void *: cookie
380 	 */
381 	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t),
382 	/*
383 	 * void *: cookie
384 	 */
385 
386 	BR_FAILED_REPLY = _IO('r', 17),
387 	/*
388 	 * The the last transaction (either a bcTRANSACTION or
389 	 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory).  No parameters.
390 	 */
391 };
392 
393 enum binder_driver_command_protocol {
394 	BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data),
395 	BC_REPLY = _IOW('c', 1, struct binder_transaction_data),
396 	/*
397 	 * binder_transaction_data: the sent command.
398 	 */
399 
400 	BC_ACQUIRE_RESULT = _IOW('c', 2, __s32),
401 	/*
402 	 * not currently supported
403 	 * int:  0 if the last BR_ATTEMPT_ACQUIRE was not successful.
404 	 * Else you have acquired a primary reference on the object.
405 	 */
406 
407 	BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t),
408 	/*
409 	 * void *: ptr to transaction data received on a read
410 	 */
411 
412 	BC_INCREFS = _IOW('c', 4, __u32),
413 	BC_ACQUIRE = _IOW('c', 5, __u32),
414 	BC_RELEASE = _IOW('c', 6, __u32),
415 	BC_DECREFS = _IOW('c', 7, __u32),
416 	/*
417 	 * int:	descriptor
418 	 */
419 
420 	BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie),
421 	BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie),
422 	/*
423 	 * void *: ptr to binder
424 	 * void *: cookie for binder
425 	 */
426 
427 	BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc),
428 	/*
429 	 * not currently supported
430 	 * int: priority
431 	 * int: descriptor
432 	 */
433 
434 	BC_REGISTER_LOOPER = _IO('c', 11),
435 	/*
436 	 * No parameters.
437 	 * Register a spawned looper thread with the device.
438 	 */
439 
440 	BC_ENTER_LOOPER = _IO('c', 12),
441 	BC_EXIT_LOOPER = _IO('c', 13),
442 	/*
443 	 * No parameters.
444 	 * These two commands are sent as an application-level thread
445 	 * enters and exits the binder loop, respectively.  They are
446 	 * used so the binder can have an accurate count of the number
447 	 * of looping threads it has available.
448 	 */
449 
450 	BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14,
451 						struct binder_handle_cookie),
452 	/*
453 	 * int: handle
454 	 * void *: cookie
455 	 */
456 
457 	BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15,
458 						struct binder_handle_cookie),
459 	/*
460 	 * int: handle
461 	 * void *: cookie
462 	 */
463 
464 	BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t),
465 	/*
466 	 * void *: cookie
467 	 */
468 
469 	BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg),
470 	BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg),
471 	/*
472 	 * binder_transaction_data_sg: the sent command.
473 	 */
474 };
475 
476 #endif /* _UAPI_LINUX_BINDER_H */
477 
478