1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 /* 3 * Copyright (C) 2008 Google, Inc. 4 * 5 * Based on, but no longer compatible with, the original 6 * OpenBinder.org binder driver interface, which is: 7 * 8 * Copyright (c) 2005 Palmsource, Inc. 9 * 10 * This software is licensed under the terms of the GNU General Public 11 * License version 2, as published by the Free Software Foundation, and 12 * may be copied, distributed, and modified under those terms. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 */ 20 21 #ifndef _UAPI_LINUX_BINDER_H 22 #define _UAPI_LINUX_BINDER_H 23 24 #include <linux/types.h> 25 #include <linux/ioctl.h> 26 27 #define B_PACK_CHARS(c1, c2, c3, c4) \ 28 ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4)) 29 #define B_TYPE_LARGE 0x85 30 31 enum { 32 BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE), 33 BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE), 34 BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE), 35 BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE), 36 BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE), 37 BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE), 38 BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE), 39 }; 40 41 enum { 42 FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, 43 FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, 44 45 /** 46 * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts 47 * 48 * Only when set, causes senders to include their security 49 * context 50 */ 51 FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000, 52 }; 53 54 #ifdef BINDER_IPC_32BIT 55 typedef __u32 binder_size_t; 56 typedef __u32 binder_uintptr_t; 57 #else 58 typedef __u64 binder_size_t; 59 typedef __u64 binder_uintptr_t; 60 #endif 61 62 /** 63 * struct binder_object_header - header shared by all binder metadata objects. 64 * @type: type of the object 65 */ 66 struct binder_object_header { 67 __u32 type; 68 }; 69 70 /* 71 * This is the flattened representation of a Binder object for transfer 72 * between processes. The 'offsets' supplied as part of a binder transaction 73 * contains offsets into the data where these structures occur. The Binder 74 * driver takes care of re-writing the structure type and data as it moves 75 * between processes. 76 */ 77 struct flat_binder_object { 78 struct binder_object_header hdr; 79 __u32 flags; 80 81 /* 8 bytes of data. */ 82 union { 83 binder_uintptr_t binder; /* local object */ 84 __u32 handle; /* remote object */ 85 }; 86 87 /* extra data associated with local object */ 88 binder_uintptr_t cookie; 89 }; 90 91 /** 92 * struct binder_fd_object - describes a filedescriptor to be fixed up. 93 * @hdr: common header structure 94 * @pad_flags: padding to remain compatible with old userspace code 95 * @pad_binder: padding to remain compatible with old userspace code 96 * @fd: file descriptor 97 * @cookie: opaque data, used by user-space 98 */ 99 struct binder_fd_object { 100 struct binder_object_header hdr; 101 __u32 pad_flags; 102 union { 103 binder_uintptr_t pad_binder; 104 __u32 fd; 105 }; 106 107 binder_uintptr_t cookie; 108 }; 109 110 /* struct binder_buffer_object - object describing a userspace buffer 111 * @hdr: common header structure 112 * @flags: one or more BINDER_BUFFER_* flags 113 * @buffer: address of the buffer 114 * @length: length of the buffer 115 * @parent: index in offset array pointing to parent buffer 116 * @parent_offset: offset in @parent pointing to this buffer 117 * 118 * A binder_buffer object represents an object that the 119 * binder kernel driver can copy verbatim to the target 120 * address space. A buffer itself may be pointed to from 121 * within another buffer, meaning that the pointer inside 122 * that other buffer needs to be fixed up as well. This 123 * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT 124 * flag in @flags, by setting @parent buffer to the index 125 * in the offset array pointing to the parent binder_buffer_object, 126 * and by setting @parent_offset to the offset in the parent buffer 127 * at which the pointer to this buffer is located. 128 */ 129 struct binder_buffer_object { 130 struct binder_object_header hdr; 131 __u32 flags; 132 binder_uintptr_t buffer; 133 binder_size_t length; 134 binder_size_t parent; 135 binder_size_t parent_offset; 136 }; 137 138 enum { 139 BINDER_BUFFER_FLAG_HAS_PARENT = 0x01, 140 }; 141 142 /* struct binder_fd_array_object - object describing an array of fds in a buffer 143 * @hdr: common header structure 144 * @pad: padding to ensure correct alignment 145 * @num_fds: number of file descriptors in the buffer 146 * @parent: index in offset array to buffer holding the fd array 147 * @parent_offset: start offset of fd array in the buffer 148 * 149 * A binder_fd_array object represents an array of file 150 * descriptors embedded in a binder_buffer_object. It is 151 * different from a regular binder_buffer_object because it 152 * describes a list of file descriptors to fix up, not an opaque 153 * blob of memory, and hence the kernel needs to treat it differently. 154 * 155 * An example of how this would be used is with Android's 156 * native_handle_t object, which is a struct with a list of integers 157 * and a list of file descriptors. The native_handle_t struct itself 158 * will be represented by a struct binder_buffer_objct, whereas the 159 * embedded list of file descriptors is represented by a 160 * struct binder_fd_array_object with that binder_buffer_object as 161 * a parent. 162 */ 163 struct binder_fd_array_object { 164 struct binder_object_header hdr; 165 __u32 pad; 166 binder_size_t num_fds; 167 binder_size_t parent; 168 binder_size_t parent_offset; 169 }; 170 171 /* 172 * On 64-bit platforms where user code may run in 32-bits the driver must 173 * translate the buffer (and local binder) addresses appropriately. 174 */ 175 176 struct binder_write_read { 177 binder_size_t write_size; /* bytes to write */ 178 binder_size_t write_consumed; /* bytes consumed by driver */ 179 binder_uintptr_t write_buffer; 180 binder_size_t read_size; /* bytes to read */ 181 binder_size_t read_consumed; /* bytes consumed by driver */ 182 binder_uintptr_t read_buffer; 183 }; 184 185 /* Use with BINDER_VERSION, driver fills in fields. */ 186 struct binder_version { 187 /* driver protocol version -- increment with incompatible change */ 188 __s32 protocol_version; 189 }; 190 191 /* This is the current protocol version. */ 192 #ifdef BINDER_IPC_32BIT 193 #define BINDER_CURRENT_PROTOCOL_VERSION 7 194 #else 195 #define BINDER_CURRENT_PROTOCOL_VERSION 8 196 #endif 197 198 /* 199 * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields. 200 * Set ptr to NULL for the first call to get the info for the first node, and 201 * then repeat the call passing the previously returned value to get the next 202 * nodes. ptr will be 0 when there are no more nodes. 203 */ 204 struct binder_node_debug_info { 205 binder_uintptr_t ptr; 206 binder_uintptr_t cookie; 207 __u32 has_strong_ref; 208 __u32 has_weak_ref; 209 }; 210 211 struct binder_node_info_for_ref { 212 __u32 handle; 213 __u32 strong_count; 214 __u32 weak_count; 215 __u32 reserved1; 216 __u32 reserved2; 217 __u32 reserved3; 218 }; 219 220 struct binder_freeze_info { 221 __u32 pid; 222 __u32 enable; 223 __u32 timeout_ms; 224 }; 225 226 struct binder_frozen_status_info { 227 __u32 pid; 228 229 /* process received sync transactions since last frozen 230 * bit 0: received sync transaction after being frozen 231 * bit 1: new pending sync transaction during freezing 232 */ 233 __u32 sync_recv; 234 235 /* process received async transactions since last frozen */ 236 __u32 async_recv; 237 }; 238 239 /* struct binder_extened_error - extended error information 240 * @id: identifier for the failed operation 241 * @command: command as defined by binder_driver_return_protocol 242 * @param: parameter holding a negative errno value 243 * 244 * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information 245 * returned by the driver upon a failed operation. Userspace can pull this 246 * data to properly handle specific error scenarios. 247 */ 248 struct binder_extended_error { 249 __u32 id; 250 __u32 command; 251 __s32 param; 252 }; 253 254 #define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read) 255 #define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64) 256 #define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32) 257 #define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32) 258 #define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32) 259 #define BINDER_THREAD_EXIT _IOW('b', 8, __s32) 260 #define BINDER_VERSION _IOWR('b', 9, struct binder_version) 261 #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info) 262 #define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref) 263 #define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object) 264 #define BINDER_FREEZE _IOW('b', 14, struct binder_freeze_info) 265 #define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info) 266 #define BINDER_ENABLE_ONEWAY_SPAM_DETECTION _IOW('b', 16, __u32) 267 #define BINDER_GET_EXTENDED_ERROR _IOWR('b', 17, struct binder_extended_error) 268 269 /* 270 * NOTE: Two special error codes you should check for when calling 271 * in to the driver are: 272 * 273 * EINTR -- The operation has been interupted. This should be 274 * handled by retrying the ioctl() until a different error code 275 * is returned. 276 * 277 * ECONNREFUSED -- The driver is no longer accepting operations 278 * from your process. That is, the process is being destroyed. 279 * You should handle this by exiting from your process. Note 280 * that once this error code is returned, all further calls to 281 * the driver from any thread will return this same code. 282 */ 283 284 enum transaction_flags { 285 TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */ 286 TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ 287 TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ 288 TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ 289 TF_CLEAR_BUF = 0x20, /* clear buffer on txn complete */ 290 TF_UPDATE_TXN = 0x40, /* update the outdated pending async txn */ 291 }; 292 293 struct binder_transaction_data { 294 /* The first two are only used for bcTRANSACTION and brTRANSACTION, 295 * identifying the target and contents of the transaction. 296 */ 297 union { 298 /* target descriptor of command transaction */ 299 __u32 handle; 300 /* target descriptor of return transaction */ 301 binder_uintptr_t ptr; 302 } target; 303 binder_uintptr_t cookie; /* target object cookie */ 304 __u32 code; /* transaction command */ 305 306 /* General information about the transaction. */ 307 __u32 flags; 308 __kernel_pid_t sender_pid; 309 __kernel_uid32_t sender_euid; 310 binder_size_t data_size; /* number of bytes of data */ 311 binder_size_t offsets_size; /* number of bytes of offsets */ 312 313 /* If this transaction is inline, the data immediately 314 * follows here; otherwise, it ends with a pointer to 315 * the data buffer. 316 */ 317 union { 318 struct { 319 /* transaction data */ 320 binder_uintptr_t buffer; 321 /* offsets from buffer to flat_binder_object structs */ 322 binder_uintptr_t offsets; 323 } ptr; 324 __u8 buf[8]; 325 } data; 326 }; 327 328 struct binder_transaction_data_secctx { 329 struct binder_transaction_data transaction_data; 330 binder_uintptr_t secctx; 331 }; 332 333 struct binder_transaction_data_sg { 334 struct binder_transaction_data transaction_data; 335 binder_size_t buffers_size; 336 }; 337 338 struct binder_ptr_cookie { 339 binder_uintptr_t ptr; 340 binder_uintptr_t cookie; 341 }; 342 343 struct binder_handle_cookie { 344 __u32 handle; 345 binder_uintptr_t cookie; 346 } __packed; 347 348 struct binder_pri_desc { 349 __s32 priority; 350 __u32 desc; 351 }; 352 353 struct binder_pri_ptr_cookie { 354 __s32 priority; 355 binder_uintptr_t ptr; 356 binder_uintptr_t cookie; 357 }; 358 359 enum binder_driver_return_protocol { 360 BR_ERROR = _IOR('r', 0, __s32), 361 /* 362 * int: error code 363 */ 364 365 BR_OK = _IO('r', 1), 366 /* No parameters! */ 367 368 BR_TRANSACTION_SEC_CTX = _IOR('r', 2, 369 struct binder_transaction_data_secctx), 370 /* 371 * binder_transaction_data_secctx: the received command. 372 */ 373 BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), 374 BR_REPLY = _IOR('r', 3, struct binder_transaction_data), 375 /* 376 * binder_transaction_data: the received command. 377 */ 378 379 BR_ACQUIRE_RESULT = _IOR('r', 4, __s32), 380 /* 381 * not currently supported 382 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful. 383 * Else the remote object has acquired a primary reference. 384 */ 385 386 BR_DEAD_REPLY = _IO('r', 5), 387 /* 388 * The target of the last transaction (either a bcTRANSACTION or 389 * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters. 390 */ 391 392 BR_TRANSACTION_COMPLETE = _IO('r', 6), 393 /* 394 * No parameters... always refers to the last transaction requested 395 * (including replies). Note that this will be sent even for 396 * asynchronous transactions. 397 */ 398 399 BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie), 400 BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie), 401 BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie), 402 BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie), 403 /* 404 * void *: ptr to binder 405 * void *: cookie for binder 406 */ 407 408 BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie), 409 /* 410 * not currently supported 411 * int: priority 412 * void *: ptr to binder 413 * void *: cookie for binder 414 */ 415 416 BR_NOOP = _IO('r', 12), 417 /* 418 * No parameters. Do nothing and examine the next command. It exists 419 * primarily so that we can replace it with a BR_SPAWN_LOOPER command. 420 */ 421 422 BR_SPAWN_LOOPER = _IO('r', 13), 423 /* 424 * No parameters. The driver has determined that a process has no 425 * threads waiting to service incoming transactions. When a process 426 * receives this command, it must spawn a new service thread and 427 * register it via bcENTER_LOOPER. 428 */ 429 430 BR_FINISHED = _IO('r', 14), 431 /* 432 * not currently supported 433 * stop threadpool thread 434 */ 435 436 BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t), 437 /* 438 * void *: cookie 439 */ 440 BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t), 441 /* 442 * void *: cookie 443 */ 444 445 BR_FAILED_REPLY = _IO('r', 17), 446 /* 447 * The last transaction (either a bcTRANSACTION or 448 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters. 449 */ 450 451 BR_FROZEN_REPLY = _IO('r', 18), 452 /* 453 * The target of the last sync transaction (either a bcTRANSACTION or 454 * a bcATTEMPT_ACQUIRE) is frozen. No parameters. 455 */ 456 457 BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19), 458 /* 459 * Current process sent too many oneway calls to target, and the last 460 * asynchronous transaction makes the allocated async buffer size exceed 461 * detection threshold. No parameters. 462 */ 463 464 BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20), 465 /* 466 * The target of the last async transaction is frozen. No parameters. 467 */ 468 }; 469 470 enum binder_driver_command_protocol { 471 BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data), 472 BC_REPLY = _IOW('c', 1, struct binder_transaction_data), 473 /* 474 * binder_transaction_data: the sent command. 475 */ 476 477 BC_ACQUIRE_RESULT = _IOW('c', 2, __s32), 478 /* 479 * not currently supported 480 * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful. 481 * Else you have acquired a primary reference on the object. 482 */ 483 484 BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t), 485 /* 486 * void *: ptr to transaction data received on a read 487 */ 488 489 BC_INCREFS = _IOW('c', 4, __u32), 490 BC_ACQUIRE = _IOW('c', 5, __u32), 491 BC_RELEASE = _IOW('c', 6, __u32), 492 BC_DECREFS = _IOW('c', 7, __u32), 493 /* 494 * int: descriptor 495 */ 496 497 BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie), 498 BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie), 499 /* 500 * void *: ptr to binder 501 * void *: cookie for binder 502 */ 503 504 BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc), 505 /* 506 * not currently supported 507 * int: priority 508 * int: descriptor 509 */ 510 511 BC_REGISTER_LOOPER = _IO('c', 11), 512 /* 513 * No parameters. 514 * Register a spawned looper thread with the device. 515 */ 516 517 BC_ENTER_LOOPER = _IO('c', 12), 518 BC_EXIT_LOOPER = _IO('c', 13), 519 /* 520 * No parameters. 521 * These two commands are sent as an application-level thread 522 * enters and exits the binder loop, respectively. They are 523 * used so the binder can have an accurate count of the number 524 * of looping threads it has available. 525 */ 526 527 BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14, 528 struct binder_handle_cookie), 529 /* 530 * int: handle 531 * void *: cookie 532 */ 533 534 BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15, 535 struct binder_handle_cookie), 536 /* 537 * int: handle 538 * void *: cookie 539 */ 540 541 BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t), 542 /* 543 * void *: cookie 544 */ 545 546 BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg), 547 BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg), 548 /* 549 * binder_transaction_data_sg: the sent command. 550 */ 551 }; 552 553 #endif /* _UAPI_LINUX_BINDER_H */ 554 555