1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* |
3 | * Copyright (C) 2008 Google, Inc. |
4 | * |
5 | * Based on, but no longer compatible with, the original |
6 | * OpenBinder.org binder driver interface, which is: |
7 | * |
8 | * Copyright (c) 2005 Palmsource, Inc. |
9 | * |
10 | * This software is licensed under the terms of the GNU General Public |
11 | * License version 2, as published by the Free Software Foundation, and |
12 | * may be copied, distributed, and modified under those terms. |
13 | * |
14 | * This program is distributed in the hope that it will be useful, |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | * GNU General Public License for more details. |
18 | * |
19 | */ |
20 | |
21 | #ifndef _LINUX_BINDER_H |
22 | #define _LINUX_BINDER_H |
23 | |
24 | #include <linux/types.h> |
25 | #include <linux/ioctl.h> |
26 | |
27 | #define B_PACK_CHARS(c1, c2, c3, c4) \ |
28 | ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4)) |
29 | #define B_TYPE_LARGE 0x85 |
30 | |
31 | enum { |
32 | BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE), |
33 | BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE), |
34 | BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE), |
35 | BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE), |
36 | BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE), |
37 | BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE), |
38 | BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE), |
39 | }; |
40 | |
41 | enum { |
42 | FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, |
43 | FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, |
44 | |
45 | /** |
46 | * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts |
47 | * |
48 | * Only when set, causes senders to include their security |
49 | * context |
50 | */ |
51 | FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000, |
52 | }; |
53 | |
54 | #ifdef BINDER_IPC_32BIT |
55 | typedef __u32 binder_size_t; |
56 | typedef __u32 binder_uintptr_t; |
57 | #else |
58 | typedef __u64 binder_size_t; |
59 | typedef __u64 binder_uintptr_t; |
60 | #endif |
61 | |
62 | /** |
63 | * struct binder_object_header - header shared by all binder metadata objects. |
64 | * @type: type of the object |
65 | */ |
66 | struct { |
67 | __u32 ; |
68 | }; |
69 | |
70 | /* |
71 | * This is the flattened representation of a Binder object for transfer |
72 | * between processes. The 'offsets' supplied as part of a binder transaction |
73 | * contains offsets into the data where these structures occur. The Binder |
74 | * driver takes care of re-writing the structure type and data as it moves |
75 | * between processes. |
76 | */ |
77 | struct flat_binder_object { |
78 | struct binder_object_header hdr; |
79 | __u32 flags; |
80 | |
81 | /* 8 bytes of data. */ |
82 | union { |
83 | binder_uintptr_t binder; /* local object */ |
84 | __u32 handle; /* remote object */ |
85 | }; |
86 | |
87 | /* extra data associated with local object */ |
88 | binder_uintptr_t cookie; |
89 | }; |
90 | |
91 | /** |
92 | * struct binder_fd_object - describes a filedescriptor to be fixed up. |
93 | * @hdr: common header structure |
94 | * @pad_flags: padding to remain compatible with old userspace code |
95 | * @pad_binder: padding to remain compatible with old userspace code |
96 | * @fd: file descriptor |
97 | * @cookie: opaque data, used by user-space |
98 | */ |
99 | struct binder_fd_object { |
100 | struct binder_object_header hdr; |
101 | __u32 pad_flags; |
102 | union { |
103 | binder_uintptr_t pad_binder; |
104 | __u32 fd; |
105 | }; |
106 | |
107 | binder_uintptr_t cookie; |
108 | }; |
109 | |
110 | /* struct binder_buffer_object - object describing a userspace buffer |
111 | * @hdr: common header structure |
112 | * @flags: one or more BINDER_BUFFER_* flags |
113 | * @buffer: address of the buffer |
114 | * @length: length of the buffer |
115 | * @parent: index in offset array pointing to parent buffer |
116 | * @parent_offset: offset in @parent pointing to this buffer |
117 | * |
118 | * A binder_buffer object represents an object that the |
119 | * binder kernel driver can copy verbatim to the target |
120 | * address space. A buffer itself may be pointed to from |
121 | * within another buffer, meaning that the pointer inside |
122 | * that other buffer needs to be fixed up as well. This |
123 | * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT |
124 | * flag in @flags, by setting @parent buffer to the index |
125 | * in the offset array pointing to the parent binder_buffer_object, |
126 | * and by setting @parent_offset to the offset in the parent buffer |
127 | * at which the pointer to this buffer is located. |
128 | */ |
129 | struct binder_buffer_object { |
130 | struct binder_object_header hdr; |
131 | __u32 flags; |
132 | binder_uintptr_t buffer; |
133 | binder_size_t length; |
134 | binder_size_t parent; |
135 | binder_size_t parent_offset; |
136 | }; |
137 | |
138 | enum { |
139 | BINDER_BUFFER_FLAG_HAS_PARENT = 0x01, |
140 | }; |
141 | |
142 | /* struct binder_fd_array_object - object describing an array of fds in a buffer |
143 | * @hdr: common header structure |
144 | * @pad: padding to ensure correct alignment |
145 | * @num_fds: number of file descriptors in the buffer |
146 | * @parent: index in offset array to buffer holding the fd array |
147 | * @parent_offset: start offset of fd array in the buffer |
148 | * |
149 | * A binder_fd_array object represents an array of file |
150 | * descriptors embedded in a binder_buffer_object. It is |
151 | * different from a regular binder_buffer_object because it |
152 | * describes a list of file descriptors to fix up, not an opaque |
153 | * blob of memory, and hence the kernel needs to treat it differently. |
154 | * |
155 | * An example of how this would be used is with Android's |
156 | * native_handle_t object, which is a struct with a list of integers |
157 | * and a list of file descriptors. The native_handle_t struct itself |
158 | * will be represented by a struct binder_buffer_objct, whereas the |
159 | * embedded list of file descriptors is represented by a |
160 | * struct binder_fd_array_object with that binder_buffer_object as |
161 | * a parent. |
162 | */ |
163 | struct binder_fd_array_object { |
164 | struct binder_object_header hdr; |
165 | __u32 pad; |
166 | binder_size_t num_fds; |
167 | binder_size_t parent; |
168 | binder_size_t parent_offset; |
169 | }; |
170 | |
171 | /* |
172 | * On 64-bit platforms where user code may run in 32-bits the driver must |
173 | * translate the buffer (and local binder) addresses appropriately. |
174 | */ |
175 | |
176 | struct binder_write_read { |
177 | binder_size_t write_size; /* bytes to write */ |
178 | binder_size_t write_consumed; /* bytes consumed by driver */ |
179 | binder_uintptr_t write_buffer; |
180 | binder_size_t read_size; /* bytes to read */ |
181 | binder_size_t read_consumed; /* bytes consumed by driver */ |
182 | binder_uintptr_t read_buffer; |
183 | }; |
184 | |
185 | /* Use with BINDER_VERSION, driver fills in fields. */ |
186 | struct binder_version { |
187 | /* driver protocol version -- increment with incompatible change */ |
188 | __s32 protocol_version; |
189 | }; |
190 | |
191 | /* This is the current protocol version. */ |
192 | #ifdef BINDER_IPC_32BIT |
193 | #define BINDER_CURRENT_PROTOCOL_VERSION 7 |
194 | #else |
195 | #define BINDER_CURRENT_PROTOCOL_VERSION 8 |
196 | #endif |
197 | |
198 | /* |
199 | * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields. |
200 | * Set ptr to NULL for the first call to get the info for the first node, and |
201 | * then repeat the call passing the previously returned value to get the next |
202 | * nodes. ptr will be 0 when there are no more nodes. |
203 | */ |
204 | struct binder_node_debug_info { |
205 | binder_uintptr_t ptr; |
206 | binder_uintptr_t cookie; |
207 | __u32 has_strong_ref; |
208 | __u32 has_weak_ref; |
209 | }; |
210 | |
211 | struct binder_node_info_for_ref { |
212 | __u32 handle; |
213 | __u32 strong_count; |
214 | __u32 weak_count; |
215 | __u32 reserved1; |
216 | __u32 reserved2; |
217 | __u32 reserved3; |
218 | }; |
219 | |
220 | struct binder_freeze_info { |
221 | __u32 pid; |
222 | __u32 enable; |
223 | __u32 timeout_ms; |
224 | }; |
225 | |
226 | struct binder_frozen_status_info { |
227 | __u32 pid; |
228 | |
229 | /* process received sync transactions since last frozen |
230 | * bit 0: received sync transaction after being frozen |
231 | * bit 1: new pending sync transaction during freezing |
232 | */ |
233 | __u32 sync_recv; |
234 | |
235 | /* process received async transactions since last frozen */ |
236 | __u32 async_recv; |
237 | }; |
238 | |
239 | #define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read) |
240 | #define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64) |
241 | #define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32) |
242 | #define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32) |
243 | #define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32) |
244 | #define BINDER_THREAD_EXIT _IOW('b', 8, __s32) |
245 | #define BINDER_VERSION _IOWR('b', 9, struct binder_version) |
246 | #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info) |
247 | #define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref) |
248 | #define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object) |
249 | #define BINDER_FREEZE _IOW('b', 14, struct binder_freeze_info) |
250 | #define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info) |
251 | #define BINDER_ENABLE_ONEWAY_SPAM_DETECTION _IOW('b', 16, __u32) |
252 | |
253 | /* |
254 | * NOTE: Two special error codes you should check for when calling |
255 | * in to the driver are: |
256 | * |
257 | * EINTR -- The operation has been interupted. This should be |
258 | * handled by retrying the ioctl() until a different error code |
259 | * is returned. |
260 | * |
261 | * ECONNREFUSED -- The driver is no longer accepting operations |
262 | * from your process. That is, the process is being destroyed. |
263 | * You should handle this by exiting from your process. Note |
264 | * that once this error code is returned, all further calls to |
265 | * the driver from any thread will return this same code. |
266 | */ |
267 | |
268 | enum transaction_flags { |
269 | TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */ |
270 | TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ |
271 | TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ |
272 | TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ |
273 | TF_CLEAR_BUF = 0x20, /* clear buffer on txn complete */ |
274 | }; |
275 | |
276 | struct binder_transaction_data { |
277 | /* The first two are only used for bcTRANSACTION and brTRANSACTION, |
278 | * identifying the target and contents of the transaction. |
279 | */ |
280 | union { |
281 | /* target descriptor of command transaction */ |
282 | __u32 handle; |
283 | /* target descriptor of return transaction */ |
284 | binder_uintptr_t ptr; |
285 | } target; |
286 | binder_uintptr_t cookie; /* target object cookie */ |
287 | __u32 code; /* transaction command */ |
288 | |
289 | /* General information about the transaction. */ |
290 | __u32 flags; |
291 | pid_t sender_pid; |
292 | uid_t sender_euid; |
293 | binder_size_t data_size; /* number of bytes of data */ |
294 | binder_size_t offsets_size; /* number of bytes of offsets */ |
295 | |
296 | /* If this transaction is inline, the data immediately |
297 | * follows here; otherwise, it ends with a pointer to |
298 | * the data buffer. |
299 | */ |
300 | union { |
301 | struct { |
302 | /* transaction data */ |
303 | binder_uintptr_t buffer; |
304 | /* offsets from buffer to flat_binder_object structs */ |
305 | binder_uintptr_t offsets; |
306 | } ptr; |
307 | __u8 buf[8]; |
308 | } data; |
309 | }; |
310 | |
311 | struct binder_transaction_data_secctx { |
312 | struct binder_transaction_data transaction_data; |
313 | binder_uintptr_t secctx; |
314 | }; |
315 | |
316 | struct binder_transaction_data_sg { |
317 | struct binder_transaction_data transaction_data; |
318 | binder_size_t buffers_size; |
319 | }; |
320 | |
321 | struct binder_ptr_cookie { |
322 | binder_uintptr_t ptr; |
323 | binder_uintptr_t cookie; |
324 | }; |
325 | |
326 | struct binder_handle_cookie { |
327 | __u32 handle; |
328 | binder_uintptr_t cookie; |
329 | } __attribute__((packed)); |
330 | |
331 | struct binder_pri_desc { |
332 | __s32 priority; |
333 | __u32 desc; |
334 | }; |
335 | |
336 | struct binder_pri_ptr_cookie { |
337 | __s32 priority; |
338 | binder_uintptr_t ptr; |
339 | binder_uintptr_t cookie; |
340 | }; |
341 | |
342 | enum binder_driver_return_protocol { |
343 | BR_ERROR = _IOR('r', 0, __s32), |
344 | /* |
345 | * int: error code |
346 | */ |
347 | |
348 | BR_OK = _IO('r', 1), |
349 | /* No parameters! */ |
350 | |
351 | BR_TRANSACTION_SEC_CTX = _IOR('r', 2, |
352 | struct binder_transaction_data_secctx), |
353 | /* |
354 | * binder_transaction_data_secctx: the received command. |
355 | */ |
356 | BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), |
357 | BR_REPLY = _IOR('r', 3, struct binder_transaction_data), |
358 | /* |
359 | * binder_transaction_data: the received command. |
360 | */ |
361 | |
362 | BR_ACQUIRE_RESULT = _IOR('r', 4, __s32), |
363 | /* |
364 | * not currently supported |
365 | * int: 0 if the last bcATTEMPT_ACQUIRE was not successful. |
366 | * Else the remote object has acquired a primary reference. |
367 | */ |
368 | |
369 | BR_DEAD_REPLY = _IO('r', 5), |
370 | /* |
371 | * The target of the last transaction (either a bcTRANSACTION or |
372 | * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters. |
373 | */ |
374 | |
375 | BR_TRANSACTION_COMPLETE = _IO('r', 6), |
376 | /* |
377 | * No parameters... always refers to the last transaction requested |
378 | * (including replies). Note that this will be sent even for |
379 | * asynchronous transactions. |
380 | */ |
381 | |
382 | BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie), |
383 | BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie), |
384 | BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie), |
385 | BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie), |
386 | /* |
387 | * void *: ptr to binder |
388 | * void *: cookie for binder |
389 | */ |
390 | |
391 | BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie), |
392 | /* |
393 | * not currently supported |
394 | * int: priority |
395 | * void *: ptr to binder |
396 | * void *: cookie for binder |
397 | */ |
398 | |
399 | BR_NOOP = _IO('r', 12), |
400 | /* |
401 | * No parameters. Do nothing and examine the next command. It exists |
402 | * primarily so that we can replace it with a BR_SPAWN_LOOPER command. |
403 | */ |
404 | |
405 | BR_SPAWN_LOOPER = _IO('r', 13), |
406 | /* |
407 | * No parameters. The driver has determined that a process has no |
408 | * threads waiting to service incoming transactions. When a process |
409 | * receives this command, it must spawn a new service thread and |
410 | * register it via bcENTER_LOOPER. |
411 | */ |
412 | |
413 | BR_FINISHED = _IO('r', 14), |
414 | /* |
415 | * not currently supported |
416 | * stop threadpool thread |
417 | */ |
418 | |
419 | BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t), |
420 | /* |
421 | * void *: cookie |
422 | */ |
423 | BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t), |
424 | /* |
425 | * void *: cookie |
426 | */ |
427 | |
428 | BR_FAILED_REPLY = _IO('r', 17), |
429 | /* |
430 | * The last transaction (either a bcTRANSACTION or |
431 | * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters. |
432 | */ |
433 | |
434 | BR_FROZEN_REPLY = _IO('r', 18), |
435 | /* |
436 | * The target of the last transaction (either a bcTRANSACTION or |
437 | * a bcATTEMPT_ACQUIRE) is frozen. No parameters. |
438 | */ |
439 | |
440 | BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19), |
441 | /* |
442 | * Current process sent too many oneway calls to target, and the last |
443 | * asynchronous transaction makes the allocated async buffer size exceed |
444 | * detection threshold. No parameters. |
445 | */ |
446 | }; |
447 | |
448 | enum binder_driver_command_protocol { |
449 | BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data), |
450 | BC_REPLY = _IOW('c', 1, struct binder_transaction_data), |
451 | /* |
452 | * binder_transaction_data: the sent command. |
453 | */ |
454 | |
455 | BC_ACQUIRE_RESULT = _IOW('c', 2, __s32), |
456 | /* |
457 | * not currently supported |
458 | * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful. |
459 | * Else you have acquired a primary reference on the object. |
460 | */ |
461 | |
462 | BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t), |
463 | /* |
464 | * void *: ptr to transaction data received on a read |
465 | */ |
466 | |
467 | BC_INCREFS = _IOW('c', 4, __u32), |
468 | BC_ACQUIRE = _IOW('c', 5, __u32), |
469 | BC_RELEASE = _IOW('c', 6, __u32), |
470 | BC_DECREFS = _IOW('c', 7, __u32), |
471 | /* |
472 | * int: descriptor |
473 | */ |
474 | |
475 | BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie), |
476 | BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie), |
477 | /* |
478 | * void *: ptr to binder |
479 | * void *: cookie for binder |
480 | */ |
481 | |
482 | BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc), |
483 | /* |
484 | * not currently supported |
485 | * int: priority |
486 | * int: descriptor |
487 | */ |
488 | |
489 | BC_REGISTER_LOOPER = _IO('c', 11), |
490 | /* |
491 | * No parameters. |
492 | * Register a spawned looper thread with the device. |
493 | */ |
494 | |
495 | BC_ENTER_LOOPER = _IO('c', 12), |
496 | BC_EXIT_LOOPER = _IO('c', 13), |
497 | /* |
498 | * No parameters. |
499 | * These two commands are sent as an application-level thread |
500 | * enters and exits the binder loop, respectively. They are |
501 | * used so the binder can have an accurate count of the number |
502 | * of looping threads it has available. |
503 | */ |
504 | |
505 | BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14, |
506 | struct binder_handle_cookie), |
507 | /* |
508 | * int: handle |
509 | * void *: cookie |
510 | */ |
511 | |
512 | BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15, |
513 | struct binder_handle_cookie), |
514 | /* |
515 | * int: handle |
516 | * void *: cookie |
517 | */ |
518 | |
519 | BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t), |
520 | /* |
521 | * void *: cookie |
522 | */ |
523 | |
524 | BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg), |
525 | BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg), |
526 | /* |
527 | * binder_transaction_data_sg: the sent command. |
528 | */ |
529 | }; |
530 | |
531 | #endif /* _LINUX_BINDER_H */ |
532 | |
533 | |