binder.h source code [include/linux/android/binder.h]

1	/ SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note /
2	/*
3	* Copyright (C) 2008 Google, Inc.
4	*
5	* Based on, but no longer compatible with, the original
6	* OpenBinder.org binder driver interface, which is:
7	*
8	* Copyright (c) 2005 Palmsource, Inc.
9	*
10	* This software is licensed under the terms of the GNU General Public
11	* License version 2, as published by the Free Software Foundation, and
12	* may be copied, distributed, and modified under those terms.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	*/
20
21	#ifndef _LINUX_BINDER_H
22	#define _LINUX_BINDER_H
23
24	#include <linux/types.h>
25	#include <linux/ioctl.h>
26
27	#define B_PACK_CHARS(c1, c2, c3, c4) \
28	((((c1)<<24)) \| (((c2)<<16)) \| (((c3)<<8)) \| (c4))
29	#define B_TYPE_LARGE 0x85
30
31	enum {
32	BINDER_TYPE_BINDER = B_PACK_CHARS(`'s'`, `'b'`, `'*'`, B_TYPE_LARGE),
33	BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS(`'w'`, `'b'`, `'*'`, B_TYPE_LARGE),
34	BINDER_TYPE_HANDLE = B_PACK_CHARS(`'s'`, `'h'`, `'*'`, B_TYPE_LARGE),
35	BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS(`'w'`, `'h'`, `'*'`, B_TYPE_LARGE),
36	BINDER_TYPE_FD = B_PACK_CHARS(`'f'`, `'d'`, `'*'`, B_TYPE_LARGE),
37	BINDER_TYPE_FDA = B_PACK_CHARS(`'f'`, `'d'`, `'a'`, B_TYPE_LARGE),
38	BINDER_TYPE_PTR = B_PACK_CHARS(`'p'`, `'t'`, `'*'`, B_TYPE_LARGE),
39	};
40
41	enum {
42	FLAT_BINDER_FLAG_PRIORITY_MASK = `0xff`,
43	FLAT_BINDER_FLAG_ACCEPTS_FDS = `0x100`,
44
45	/**
46	* @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47	*
48	* Only when set, causes senders to include their security
49	* context
50	*/
51	FLAT_BINDER_FLAG_TXN_SECURITY_CTX = `0x1000`,
52	};
53
54	#ifdef BINDER_IPC_32BIT
55	typedef __u32 binder_size_t;
56	typedef __u32 binder_uintptr_t;
57	#else
58	typedef __u64 binder_size_t;
59	typedef __u64 binder_uintptr_t;
60	#endif
61
62	/**
63	* struct binder_object_header - header shared by all binder metadata objects.
64	* @type: type of the object
65	*/
66	struct binder_object_header {
67	__u32 type;
68	};
69
70	/*
71	* This is the flattened representation of a Binder object for transfer
72	* between processes. The 'offsets' supplied as part of a binder transaction
73	* contains offsets into the data where these structures occur. The Binder
74	* driver takes care of re-writing the structure type and data as it moves
75	* between processes.
76	*/
77	struct flat_binder_object {
78	struct binder_object_header hdr;
79	__u32 flags;
80
81	/ 8 bytes of data. /
82	union {
83	binder_uintptr_t binder; / local object /
84	__u32 handle; / remote object /
85	};
86
87	/ extra data associated with local object /
88	binder_uintptr_t cookie;
89	};
90
91	/**
92	* struct binder_fd_object - describes a filedescriptor to be fixed up.
93	* @hdr: common header structure
94	* @pad_flags: padding to remain compatible with old userspace code
95	* @pad_binder: padding to remain compatible with old userspace code
96	* @fd: file descriptor
97	* @cookie: opaque data, used by user-space
98	*/
99	struct binder_fd_object {
100	struct binder_object_header hdr;
101	__u32 pad_flags;
102	union {
103	binder_uintptr_t pad_binder;
104	__u32 fd;
105	};
106
107	binder_uintptr_t cookie;
108	};
109
110	/ struct binder_buffer_object - object describing a userspace buffer*
111	* @hdr: common header structure
112	* @flags: one or more BINDER_BUFFER_* flags
113	* @buffer: address of the buffer
114	* @length: length of the buffer
115	* @parent: index in offset array pointing to parent buffer
116	* @parent_offset: offset in @parent pointing to this buffer
117	*
118	* A binder_buffer object represents an object that the
119	* binder kernel driver can copy verbatim to the target
120	* address space. A buffer itself may be pointed to from
121	* within another buffer, meaning that the pointer inside
122	* that other buffer needs to be fixed up as well. This
123	* can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124	* flag in @flags, by setting @parent buffer to the index
125	* in the offset array pointing to the parent binder_buffer_object,
126	* and by setting @parent_offset to the offset in the parent buffer
127	* at which the pointer to this buffer is located.
128	*/
129	struct binder_buffer_object {
130	struct binder_object_header hdr;
131	__u32 flags;
132	binder_uintptr_t buffer;
133	binder_size_t length;
134	binder_size_t parent;
135	binder_size_t parent_offset;
136	};
137
138	enum {
139	BINDER_BUFFER_FLAG_HAS_PARENT = `0x01`,
140	};
141
142	/ struct binder_fd_array_object - object describing an array of fds in a buffer*
143	* @hdr: common header structure
144	* @pad: padding to ensure correct alignment
145	* @num_fds: number of file descriptors in the buffer
146	* @parent: index in offset array to buffer holding the fd array
147	* @parent_offset: start offset of fd array in the buffer
148	*
149	* A binder_fd_array object represents an array of file
150	* descriptors embedded in a binder_buffer_object. It is
151	* different from a regular binder_buffer_object because it
152	* describes a list of file descriptors to fix up, not an opaque
153	* blob of memory, and hence the kernel needs to treat it differently.
154	*
155	* An example of how this would be used is with Android's
156	* native_handle_t object, which is a struct with a list of integers
157	* and a list of file descriptors. The native_handle_t struct itself
158	* will be represented by a struct binder_buffer_objct, whereas the
159	* embedded list of file descriptors is represented by a
160	* struct binder_fd_array_object with that binder_buffer_object as
161	* a parent.
162	*/
163	struct binder_fd_array_object {
164	struct binder_object_header hdr;
165	__u32 pad;
166	binder_size_t num_fds;
167	binder_size_t parent;
168	binder_size_t parent_offset;
169	};
170
171	/*
172	* On 64-bit platforms where user code may run in 32-bits the driver must
173	* translate the buffer (and local binder) addresses appropriately.
174	*/
175
176	struct binder_write_read {
177	binder_size_t write_size; / bytes to write /
178	binder_size_t write_consumed; / bytes consumed by driver /
179	binder_uintptr_t write_buffer;
180	binder_size_t read_size; / bytes to read /
181	binder_size_t read_consumed; / bytes consumed by driver /
182	binder_uintptr_t read_buffer;
183	};
184
185	/ Use with BINDER_VERSION, driver fills in fields. /
186	struct binder_version {
187	/ driver protocol version -- increment with incompatible change /
188	__s32 protocol_version;
189	};
190
191	/ This is the current protocol version. /
192	#ifdef BINDER_IPC_32BIT
193	#define BINDER_CURRENT_PROTOCOL_VERSION 7
194	#else
195	#define BINDER_CURRENT_PROTOCOL_VERSION 8
196	#endif
197
198	/*
199	* Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200	* Set ptr to NULL for the first call to get the info for the first node, and
201	* then repeat the call passing the previously returned value to get the next
202	* nodes. ptr will be 0 when there are no more nodes.
203	*/
204	struct binder_node_debug_info {
205	binder_uintptr_t ptr;
206	binder_uintptr_t cookie;
207	__u32 has_strong_ref;
208	__u32 has_weak_ref;
209	};
210
211	struct binder_node_info_for_ref {
212	__u32 handle;
213	__u32 strong_count;
214	__u32 weak_count;
215	__u32 reserved1;
216	__u32 reserved2;
217	__u32 reserved3;
218	};
219
220	struct binder_freeze_info {
221	__u32 pid;
222	__u32 enable;
223	__u32 timeout_ms;
224	};
225
226	struct binder_frozen_status_info {
227	__u32 pid;
228
229	/ process received sync transactions since last frozen*
230	* bit 0: received sync transaction after being frozen
231	* bit 1: new pending sync transaction during freezing
232	*/
233	__u32 sync_recv;
234
235	/ process received async transactions since last frozen /
236	__u32 async_recv;
237	};
238
239	#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)
240	#define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64)
241	#define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32)
242	#define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32)
243	#define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32)
244	#define BINDER_THREAD_EXIT _IOW('b', 8, __s32)
245	#define BINDER_VERSION _IOWR('b', 9, struct binder_version)
246	#define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info)
247	#define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref)
248	#define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object)
249	#define BINDER_FREEZE _IOW('b', 14, struct binder_freeze_info)
250	#define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info)
251	#define BINDER_ENABLE_ONEWAY_SPAM_DETECTION _IOW('b', 16, __u32)
252
253	/*
254	* NOTE: Two special error codes you should check for when calling
255	* in to the driver are:
256	*
257	* EINTR -- The operation has been interupted. This should be
258	* handled by retrying the ioctl() until a different error code
259	* is returned.
260	*
261	* ECONNREFUSED -- The driver is no longer accepting operations
262	* from your process. That is, the process is being destroyed.
263	* You should handle this by exiting from your process. Note
264	* that once this error code is returned, all further calls to
265	* the driver from any thread will return this same code.
266	*/
267
268	enum transaction_flags {
269	TF_ONE_WAY = `0x01`, / this is a one-way call: async, no return /
270	TF_ROOT_OBJECT = `0x04`, / contents are the component's root object /
271	TF_STATUS_CODE = `0x08`, / contents are a 32-bit status code /
272	TF_ACCEPT_FDS = `0x10`, / allow replies with file descriptors /
273	TF_CLEAR_BUF = `0x20`, / clear buffer on txn complete /
274	};
275
276	struct binder_transaction_data {
277	/ The first two are only used for bcTRANSACTION and brTRANSACTION,*
278	* identifying the target and contents of the transaction.
279	*/
280	union {
281	/ target descriptor of command transaction /
282	__u32 handle;
283	/ target descriptor of return transaction /
284	binder_uintptr_t ptr;
285	} target;
286	binder_uintptr_t cookie; / target object cookie /
287	__u32 code; / transaction command /
288
289	/ General information about the transaction. /
290	__u32 flags;
291	pid_t sender_pid;
292	uid_t sender_euid;
293	binder_size_t data_size; / number of bytes of data /
294	binder_size_t offsets_size; / number of bytes of offsets /
295
296	/ If this transaction is inline, the data immediately*
297	* follows here; otherwise, it ends with a pointer to
298	* the data buffer.
299	*/
300	union {
301	struct {
302	/ transaction data /
303	binder_uintptr_t buffer;
304	/ offsets from buffer to flat_binder_object structs /
305	binder_uintptr_t offsets;
306	} ptr;
307	__u8 buf[`8`];
308	} data;
309	};
310
311	struct binder_transaction_data_secctx {
312	struct binder_transaction_data transaction_data;
313	binder_uintptr_t secctx;
314	};
315
316	struct binder_transaction_data_sg {
317	struct binder_transaction_data transaction_data;
318	binder_size_t buffers_size;
319	};
320
321	struct binder_ptr_cookie {
322	binder_uintptr_t ptr;
323	binder_uintptr_t cookie;
324	};
325
326	struct binder_handle_cookie {
327	__u32 handle;
328	binder_uintptr_t cookie;
329	} __attribute__((packed));
330
331	struct binder_pri_desc {
332	__s32 priority;
333	__u32 desc;
334	};
335
336	struct binder_pri_ptr_cookie {
337	__s32 priority;
338	binder_uintptr_t ptr;
339	binder_uintptr_t cookie;
340	};
341
342	enum binder_driver_return_protocol {
343	BR_ERROR = _IOR(`'r'`, `0`, __s32),
344	/*
345	* int: error code
346	*/
347
348	BR_OK = _IO(`'r'`, `1`),
349	/ No parameters! /
350
351	BR_TRANSACTION_SEC_CTX = _IOR(`'r'`, `2`,
352	struct binder_transaction_data_secctx),
353	/*
354	* binder_transaction_data_secctx: the received command.
355	*/
356	BR_TRANSACTION = _IOR(`'r'`, `2`, struct binder_transaction_data),
357	BR_REPLY = _IOR(`'r'`, `3`, struct binder_transaction_data),
358	/*
359	* binder_transaction_data: the received command.
360	*/
361
362	BR_ACQUIRE_RESULT = _IOR(`'r'`, `4`, __s32),
363	/*
364	* not currently supported
365	* int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
366	* Else the remote object has acquired a primary reference.
367	*/
368
369	BR_DEAD_REPLY = _IO(`'r'`, `5`),
370	/*
371	* The target of the last transaction (either a bcTRANSACTION or
372	* a bcATTEMPT_ACQUIRE) is no longer with us. No parameters.
373	*/
374
375	BR_TRANSACTION_COMPLETE = _IO(`'r'`, `6`),
376	/*
377	* No parameters... always refers to the last transaction requested
378	* (including replies). Note that this will be sent even for
379	* asynchronous transactions.
380	*/
381
382	BR_INCREFS = _IOR(`'r'`, `7`, struct binder_ptr_cookie),
383	BR_ACQUIRE = _IOR(`'r'`, `8`, struct binder_ptr_cookie),
384	BR_RELEASE = _IOR(`'r'`, `9`, struct binder_ptr_cookie),
385	BR_DECREFS = _IOR(`'r'`, `10`, struct binder_ptr_cookie),
386	/*
387	* void *: ptr to binder
388	* void *: cookie for binder
389	*/
390
391	BR_ATTEMPT_ACQUIRE = _IOR(`'r'`, `11`, struct binder_pri_ptr_cookie),
392	/*
393	* not currently supported
394	* int: priority
395	* void *: ptr to binder
396	* void *: cookie for binder
397	*/
398
399	BR_NOOP = _IO(`'r'`, `12`),
400	/*
401	* No parameters. Do nothing and examine the next command. It exists
402	* primarily so that we can replace it with a BR_SPAWN_LOOPER command.
403	*/
404
405	BR_SPAWN_LOOPER = _IO(`'r'`, `13`),
406	/*
407	* No parameters. The driver has determined that a process has no
408	* threads waiting to service incoming transactions. When a process
409	* receives this command, it must spawn a new service thread and
410	* register it via bcENTER_LOOPER.
411	*/
412
413	BR_FINISHED = _IO(`'r'`, `14`),
414	/*
415	* not currently supported
416	* stop threadpool thread
417	*/
418
419	BR_DEAD_BINDER = _IOR(`'r'`, `15`, binder_uintptr_t),
420	/*
421	* void *: cookie
422	*/
423	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR(`'r'`, `16`, binder_uintptr_t),
424	/*
425	* void *: cookie
426	*/
427
428	BR_FAILED_REPLY = _IO(`'r'`, `17`),
429	/*
430	* The last transaction (either a bcTRANSACTION or
431	* a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters.
432	*/
433
434	BR_FROZEN_REPLY = _IO(`'r'`, `18`),
435	/*
436	* The target of the last transaction (either a bcTRANSACTION or
437	* a bcATTEMPT_ACQUIRE) is frozen. No parameters.
438	*/
439
440	BR_ONEWAY_SPAM_SUSPECT = _IO(`'r'`, `19`),
441	/*
442	* Current process sent too many oneway calls to target, and the last
443	* asynchronous transaction makes the allocated async buffer size exceed
444	* detection threshold. No parameters.
445	*/
446	};
447
448	enum binder_driver_command_protocol {
449	BC_TRANSACTION = _IOW(`'c'`, `0`, struct binder_transaction_data),
450	BC_REPLY = _IOW(`'c'`, `1`, struct binder_transaction_data),
451	/*
452	* binder_transaction_data: the sent command.
453	*/
454
455	BC_ACQUIRE_RESULT = _IOW(`'c'`, `2`, __s32),
456	/*
457	* not currently supported
458	* int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful.
459	* Else you have acquired a primary reference on the object.
460	*/
461
462	BC_FREE_BUFFER = _IOW(`'c'`, `3`, binder_uintptr_t),
463	/*
464	* void *: ptr to transaction data received on a read
465	*/
466
467	BC_INCREFS = _IOW(`'c'`, `4`, __u32),
468	BC_ACQUIRE = _IOW(`'c'`, `5`, __u32),
469	BC_RELEASE = _IOW(`'c'`, `6`, __u32),
470	BC_DECREFS = _IOW(`'c'`, `7`, __u32),
471	/*
472	* int: descriptor
473	*/
474
475	BC_INCREFS_DONE = _IOW(`'c'`, `8`, struct binder_ptr_cookie),
476	BC_ACQUIRE_DONE = _IOW(`'c'`, `9`, struct binder_ptr_cookie),
477	/*
478	* void *: ptr to binder
479	* void *: cookie for binder
480	*/
481
482	BC_ATTEMPT_ACQUIRE = _IOW(`'c'`, `10`, struct binder_pri_desc),
483	/*
484	* not currently supported
485	* int: priority
486	* int: descriptor
487	*/
488
489	BC_REGISTER_LOOPER = _IO(`'c'`, `11`),
490	/*
491	* No parameters.
492	* Register a spawned looper thread with the device.
493	*/
494
495	BC_ENTER_LOOPER = _IO(`'c'`, `12`),
496	BC_EXIT_LOOPER = _IO(`'c'`, `13`),
497	/*
498	* No parameters.
499	* These two commands are sent as an application-level thread
500	* enters and exits the binder loop, respectively. They are
501	* used so the binder can have an accurate count of the number
502	* of looping threads it has available.
503	*/
504
505	BC_REQUEST_DEATH_NOTIFICATION = _IOW(`'c'`, `14`,
506	struct binder_handle_cookie),
507	/*
508	* int: handle
509	* void *: cookie
510	*/
511
512	BC_CLEAR_DEATH_NOTIFICATION = _IOW(`'c'`, `15`,
513	struct binder_handle_cookie),
514	/*
515	* int: handle
516	* void *: cookie
517	*/
518
519	BC_DEAD_BINDER_DONE = _IOW(`'c'`, `16`, binder_uintptr_t),
520	/*
521	* void *: cookie
522	*/
523
524	BC_TRANSACTION_SG = _IOW(`'c'`, `17`, struct binder_transaction_data_sg),
525	BC_REPLY_SG = _IOW(`'c'`, `18`, struct binder_transaction_data_sg),
526	/*
527	* binder_transaction_data_sg: the sent command.
528	*/
529	};
530
531	#endif /* _LINUX_BINDER_H */
532
533

source code of include/linux/android/binder.h