binder.h source code [linux/include/uapi/linux/android/binder.h]

1	/ SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note /
2	/*
3	* Copyright (C) 2008 Google, Inc.
4	*
5	* Based on, but no longer compatible with, the original
6	* OpenBinder.org binder driver interface, which is:
7	*
8	* Copyright (c) 2005 Palmsource, Inc.
9	*
10	* This software is licensed under the terms of the GNU General Public
11	* License version 2, as published by the Free Software Foundation, and
12	* may be copied, distributed, and modified under those terms.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	*/
20
21	#ifndef _UAPI_LINUX_BINDER_H
22	#define _UAPI_LINUX_BINDER_H
23
24	#include <linux/types.h>
25	#include <linux/ioctl.h>
26
27	#define B_PACK_CHARS(c1, c2, c3, c4) \
28	((((c1)<<24)) \| (((c2)<<16)) \| (((c3)<<8)) \| (c4))
29	#define B_TYPE_LARGE 0x85
30
31	enum {
32	BINDER_TYPE_BINDER = B_PACK_CHARS(`'s'`, `'b'`, `'*'`, B_TYPE_LARGE),
33	BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS(`'w'`, `'b'`, `'*'`, B_TYPE_LARGE),
34	BINDER_TYPE_HANDLE = B_PACK_CHARS(`'s'`, `'h'`, `'*'`, B_TYPE_LARGE),
35	BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS(`'w'`, `'h'`, `'*'`, B_TYPE_LARGE),
36	BINDER_TYPE_FD = B_PACK_CHARS(`'f'`, `'d'`, `'*'`, B_TYPE_LARGE),
37	BINDER_TYPE_FDA = B_PACK_CHARS(`'f'`, `'d'`, `'a'`, B_TYPE_LARGE),
38	BINDER_TYPE_PTR = B_PACK_CHARS(`'p'`, `'t'`, `'*'`, B_TYPE_LARGE),
39	};
40
41	enum {
42	FLAT_BINDER_FLAG_PRIORITY_MASK = `0xff`,
43	FLAT_BINDER_FLAG_ACCEPTS_FDS = `0x100`,
44
45	/**
46	* @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47	*
48	* Only when set, causes senders to include their security
49	* context
50	*/
51	FLAT_BINDER_FLAG_TXN_SECURITY_CTX = `0x1000`,
52	};
53
54	#ifdef BINDER_IPC_32BIT
55	typedef __u32 binder_size_t;
56	typedef __u32 binder_uintptr_t;
57	#else
58	typedef __u64 binder_size_t;
59	typedef __u64 binder_uintptr_t;
60	#endif
61
62	/**
63	* struct binder_object_header - header shared by all binder metadata objects.
64	* @type: type of the object
65	*/
66	struct binder_object_header {
67	__u32 type;
68	};
69
70	/*
71	* This is the flattened representation of a Binder object for transfer
72	* between processes. The 'offsets' supplied as part of a binder transaction
73	* contains offsets into the data where these structures occur. The Binder
74	* driver takes care of re-writing the structure type and data as it moves
75	* between processes.
76	*/
77	struct flat_binder_object {
78	struct binder_object_header hdr;
79	__u32 flags;
80
81	/ 8 bytes of data. /
82	union {
83	binder_uintptr_t binder; / local object /
84	__u32 handle; / remote object /
85	};
86
87	/ extra data associated with local object /
88	binder_uintptr_t cookie;
89	};
90
91	/**
92	* struct binder_fd_object - describes a filedescriptor to be fixed up.
93	* @hdr: common header structure
94	* @pad_flags: padding to remain compatible with old userspace code
95	* @pad_binder: padding to remain compatible with old userspace code
96	* @fd: file descriptor
97	* @cookie: opaque data, used by user-space
98	*/
99	struct binder_fd_object {
100	struct binder_object_header hdr;
101	__u32 pad_flags;
102	union {
103	binder_uintptr_t pad_binder;
104	__u32 fd;
105	};
106
107	binder_uintptr_t cookie;
108	};
109
110	/ struct binder_buffer_object - object describing a userspace buffer*
111	* @hdr: common header structure
112	* @flags: one or more BINDER_BUFFER_* flags
113	* @buffer: address of the buffer
114	* @length: length of the buffer
115	* @parent: index in offset array pointing to parent buffer
116	* @parent_offset: offset in @parent pointing to this buffer
117	*
118	* A binder_buffer object represents an object that the
119	* binder kernel driver can copy verbatim to the target
120	* address space. A buffer itself may be pointed to from
121	* within another buffer, meaning that the pointer inside
122	* that other buffer needs to be fixed up as well. This
123	* can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124	* flag in @flags, by setting @parent buffer to the index
125	* in the offset array pointing to the parent binder_buffer_object,
126	* and by setting @parent_offset to the offset in the parent buffer
127	* at which the pointer to this buffer is located.
128	*/
129	struct binder_buffer_object {
130	struct binder_object_header hdr;
131	__u32 flags;
132	binder_uintptr_t buffer;
133	binder_size_t length;
134	binder_size_t parent;
135	binder_size_t parent_offset;
136	};
137
138	enum {
139	BINDER_BUFFER_FLAG_HAS_PARENT = `0x01`,
140	};
141
142	/ struct binder_fd_array_object - object describing an array of fds in a buffer*
143	* @hdr: common header structure
144	* @pad: padding to ensure correct alignment
145	* @num_fds: number of file descriptors in the buffer
146	* @parent: index in offset array to buffer holding the fd array
147	* @parent_offset: start offset of fd array in the buffer
148	*
149	* A binder_fd_array object represents an array of file
150	* descriptors embedded in a binder_buffer_object. It is
151	* different from a regular binder_buffer_object because it
152	* describes a list of file descriptors to fix up, not an opaque
153	* blob of memory, and hence the kernel needs to treat it differently.
154	*
155	* An example of how this would be used is with Android's
156	* native_handle_t object, which is a struct with a list of integers
157	* and a list of file descriptors. The native_handle_t struct itself
158	* will be represented by a struct binder_buffer_objct, whereas the
159	* embedded list of file descriptors is represented by a
160	* struct binder_fd_array_object with that binder_buffer_object as
161	* a parent.
162	*/
163	struct binder_fd_array_object {
164	struct binder_object_header hdr;
165	__u32 pad;
166	binder_size_t num_fds;
167	binder_size_t parent;
168	binder_size_t parent_offset;
169	};
170
171	/*
172	* On 64-bit platforms where user code may run in 32-bits the driver must
173	* translate the buffer (and local binder) addresses appropriately.
174	*/
175
176	struct binder_write_read {
177	binder_size_t write_size; / bytes to write /
178	binder_size_t write_consumed; / bytes consumed by driver /
179	binder_uintptr_t write_buffer;
180	binder_size_t read_size; / bytes to read /
181	binder_size_t read_consumed; / bytes consumed by driver /
182	binder_uintptr_t read_buffer;
183	};
184
185	/ Use with BINDER_VERSION, driver fills in fields. /
186	struct binder_version {
187	/ driver protocol version -- increment with incompatible change /
188	__s32 protocol_version;
189	};
190
191	/ This is the current protocol version. /
192	#ifdef BINDER_IPC_32BIT
193	#define BINDER_CURRENT_PROTOCOL_VERSION 7
194	#else
195	#define BINDER_CURRENT_PROTOCOL_VERSION 8
196	#endif
197
198	/*
199	* Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200	* Set ptr to NULL for the first call to get the info for the first node, and
201	* then repeat the call passing the previously returned value to get the next
202	* nodes. ptr will be 0 when there are no more nodes.
203	*/
204	struct binder_node_debug_info {
205	binder_uintptr_t ptr;
206	binder_uintptr_t cookie;
207	__u32 has_strong_ref;
208	__u32 has_weak_ref;
209	};
210
211	struct binder_node_info_for_ref {
212	__u32 handle;
213	__u32 strong_count;
214	__u32 weak_count;
215	__u32 reserved1;
216	__u32 reserved2;
217	__u32 reserved3;
218	};
219
220	struct binder_freeze_info {
221	__u32 pid;
222	__u32 enable;
223	__u32 timeout_ms;
224	};
225
226	struct binder_frozen_status_info {
227	__u32 pid;
228
229	/ process received sync transactions since last frozen*
230	* bit 0: received sync transaction after being frozen
231	* bit 1: new pending sync transaction during freezing
232	*/
233	__u32 sync_recv;
234
235	/ process received async transactions since last frozen /
236	__u32 async_recv;
237	};
238
239	/ struct binder_extened_error - extended error information*
240	* @id: identifier for the failed operation
241	* @command: command as defined by binder_driver_return_protocol
242	* @param: parameter holding a negative errno value
243	*
244	* Used with BINDER_GET_EXTENDED_ERROR. This extends the error information
245	* returned by the driver upon a failed operation. Userspace can pull this
246	* data to properly handle specific error scenarios.
247	*/
248	struct binder_extended_error {
249	__u32 id;
250	__u32 command;
251	__s32 param;
252	};
253
254	#define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read)
255	#define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64)
256	#define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32)
257	#define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32)
258	#define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32)
259	#define BINDER_THREAD_EXIT _IOW('b', 8, __s32)
260	#define BINDER_VERSION _IOWR('b', 9, struct binder_version)
261	#define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info)
262	#define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref)
263	#define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object)
264	#define BINDER_FREEZE _IOW('b', 14, struct binder_freeze_info)
265	#define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info)
266	#define BINDER_ENABLE_ONEWAY_SPAM_DETECTION _IOW('b', 16, __u32)
267	#define BINDER_GET_EXTENDED_ERROR _IOWR('b', 17, struct binder_extended_error)
268
269	/*
270	* NOTE: Two special error codes you should check for when calling
271	* in to the driver are:
272	*
273	* EINTR -- The operation has been interupted. This should be
274	* handled by retrying the ioctl() until a different error code
275	* is returned.
276	*
277	* ECONNREFUSED -- The driver is no longer accepting operations
278	* from your process. That is, the process is being destroyed.
279	* You should handle this by exiting from your process. Note
280	* that once this error code is returned, all further calls to
281	* the driver from any thread will return this same code.
282	*/
283
284	enum transaction_flags {
285	TF_ONE_WAY = `0x01`, / this is a one-way call: async, no return /
286	TF_ROOT_OBJECT = `0x04`, / contents are the component's root object /
287	TF_STATUS_CODE = `0x08`, / contents are a 32-bit status code /
288	TF_ACCEPT_FDS = `0x10`, / allow replies with file descriptors /
289	TF_CLEAR_BUF = `0x20`, / clear buffer on txn complete /
290	TF_UPDATE_TXN = `0x40`, / update the outdated pending async txn /
291	};
292
293	struct binder_transaction_data {
294	/ The first two are only used for bcTRANSACTION and brTRANSACTION,*
295	* identifying the target and contents of the transaction.
296	*/
297	union {
298	/ target descriptor of command transaction /
299	__u32 handle;
300	/ target descriptor of return transaction /
301	binder_uintptr_t ptr;
302	} target;
303	binder_uintptr_t cookie; / target object cookie /
304	__u32 code; / transaction command /
305
306	/ General information about the transaction. /
307	__u32 flags;
308	__kernel_pid_t sender_pid;
309	__kernel_uid32_t sender_euid;
310	binder_size_t data_size; / number of bytes of data /
311	binder_size_t offsets_size; / number of bytes of offsets /
312
313	/ If this transaction is inline, the data immediately*
314	* follows here; otherwise, it ends with a pointer to
315	* the data buffer.
316	*/
317	union {
318	struct {
319	/ transaction data /
320	binder_uintptr_t buffer;
321	/ offsets from buffer to flat_binder_object structs /
322	binder_uintptr_t offsets;
323	} ptr;
324	__u8 buf[`8`];
325	} data;
326	};
327
328	struct binder_transaction_data_secctx {
329	struct binder_transaction_data transaction_data;
330	binder_uintptr_t secctx;
331	};
332
333	struct binder_transaction_data_sg {
334	struct binder_transaction_data transaction_data;
335	binder_size_t buffers_size;
336	};
337
338	struct binder_ptr_cookie {
339	binder_uintptr_t ptr;
340	binder_uintptr_t cookie;
341	};
342
343	struct binder_handle_cookie {
344	__u32 handle;
345	binder_uintptr_t cookie;
346	} __packed;
347
348	struct binder_pri_desc {
349	__s32 priority;
350	__u32 desc;
351	};
352
353	struct binder_pri_ptr_cookie {
354	__s32 priority;
355	binder_uintptr_t ptr;
356	binder_uintptr_t cookie;
357	};
358
359	enum binder_driver_return_protocol {
360	BR_ERROR = _IOR(`'r'`, `0`, __s32),
361	/*
362	* int: error code
363	*/
364
365	BR_OK = _IO(`'r'`, `1`),
366	/ No parameters! /
367
368	BR_TRANSACTION_SEC_CTX = _IOR(`'r'`, `2`,
369	struct binder_transaction_data_secctx),
370	/*
371	* binder_transaction_data_secctx: the received command.
372	*/
373	BR_TRANSACTION = _IOR(`'r'`, `2`, struct binder_transaction_data),
374	BR_REPLY = _IOR(`'r'`, `3`, struct binder_transaction_data),
375	/*
376	* binder_transaction_data: the received command.
377	*/
378
379	BR_ACQUIRE_RESULT = _IOR(`'r'`, `4`, __s32),
380	/*
381	* not currently supported
382	* int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
383	* Else the remote object has acquired a primary reference.
384	*/
385
386	BR_DEAD_REPLY = _IO(`'r'`, `5`),
387	/*
388	* The target of the last transaction (either a bcTRANSACTION or
389	* a bcATTEMPT_ACQUIRE) is no longer with us. No parameters.
390	*/
391
392	BR_TRANSACTION_COMPLETE = _IO(`'r'`, `6`),
393	/*
394	* No parameters... always refers to the last transaction requested
395	* (including replies). Note that this will be sent even for
396	* asynchronous transactions.
397	*/
398
399	BR_INCREFS = _IOR(`'r'`, `7`, struct binder_ptr_cookie),
400	BR_ACQUIRE = _IOR(`'r'`, `8`, struct binder_ptr_cookie),
401	BR_RELEASE = _IOR(`'r'`, `9`, struct binder_ptr_cookie),
402	BR_DECREFS = _IOR(`'r'`, `10`, struct binder_ptr_cookie),
403	/*
404	* void *: ptr to binder
405	* void *: cookie for binder
406	*/
407
408	BR_ATTEMPT_ACQUIRE = _IOR(`'r'`, `11`, struct binder_pri_ptr_cookie),
409	/*
410	* not currently supported
411	* int: priority
412	* void *: ptr to binder
413	* void *: cookie for binder
414	*/
415
416	BR_NOOP = _IO(`'r'`, `12`),
417	/*
418	* No parameters. Do nothing and examine the next command. It exists
419	* primarily so that we can replace it with a BR_SPAWN_LOOPER command.
420	*/
421
422	BR_SPAWN_LOOPER = _IO(`'r'`, `13`),
423	/*
424	* No parameters. The driver has determined that a process has no
425	* threads waiting to service incoming transactions. When a process
426	* receives this command, it must spawn a new service thread and
427	* register it via bcENTER_LOOPER.
428	*/
429
430	BR_FINISHED = _IO(`'r'`, `14`),
431	/*
432	* not currently supported
433	* stop threadpool thread
434	*/
435
436	BR_DEAD_BINDER = _IOR(`'r'`, `15`, binder_uintptr_t),
437	/*
438	* void *: cookie
439	*/
440	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR(`'r'`, `16`, binder_uintptr_t),
441	/*
442	* void *: cookie
443	*/
444
445	BR_FAILED_REPLY = _IO(`'r'`, `17`),
446	/*
447	* The last transaction (either a bcTRANSACTION or
448	* a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters.
449	*/
450
451	BR_FROZEN_REPLY = _IO(`'r'`, `18`),
452	/*
453	* The target of the last sync transaction (either a bcTRANSACTION or
454	* a bcATTEMPT_ACQUIRE) is frozen. No parameters.
455	*/
456
457	BR_ONEWAY_SPAM_SUSPECT = _IO(`'r'`, `19`),
458	/*
459	* Current process sent too many oneway calls to target, and the last
460	* asynchronous transaction makes the allocated async buffer size exceed
461	* detection threshold. No parameters.
462	*/
463
464	BR_TRANSACTION_PENDING_FROZEN = _IO(`'r'`, `20`),
465	/*
466	* The target of the last async transaction is frozen. No parameters.
467	*/
468	};
469
470	enum binder_driver_command_protocol {
471	BC_TRANSACTION = _IOW(`'c'`, `0`, struct binder_transaction_data),
472	BC_REPLY = _IOW(`'c'`, `1`, struct binder_transaction_data),
473	/*
474	* binder_transaction_data: the sent command.
475	*/
476
477	BC_ACQUIRE_RESULT = _IOW(`'c'`, `2`, __s32),
478	/*
479	* not currently supported
480	* int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful.
481	* Else you have acquired a primary reference on the object.
482	*/
483
484	BC_FREE_BUFFER = _IOW(`'c'`, `3`, binder_uintptr_t),
485	/*
486	* void *: ptr to transaction data received on a read
487	*/
488
489	BC_INCREFS = _IOW(`'c'`, `4`, __u32),
490	BC_ACQUIRE = _IOW(`'c'`, `5`, __u32),
491	BC_RELEASE = _IOW(`'c'`, `6`, __u32),
492	BC_DECREFS = _IOW(`'c'`, `7`, __u32),
493	/*
494	* int: descriptor
495	*/
496
497	BC_INCREFS_DONE = _IOW(`'c'`, `8`, struct binder_ptr_cookie),
498	BC_ACQUIRE_DONE = _IOW(`'c'`, `9`, struct binder_ptr_cookie),
499	/*
500	* void *: ptr to binder
501	* void *: cookie for binder
502	*/
503
504	BC_ATTEMPT_ACQUIRE = _IOW(`'c'`, `10`, struct binder_pri_desc),
505	/*
506	* not currently supported
507	* int: priority
508	* int: descriptor
509	*/
510
511	BC_REGISTER_LOOPER = _IO(`'c'`, `11`),
512	/*
513	* No parameters.
514	* Register a spawned looper thread with the device.
515	*/
516
517	BC_ENTER_LOOPER = _IO(`'c'`, `12`),
518	BC_EXIT_LOOPER = _IO(`'c'`, `13`),
519	/*
520	* No parameters.
521	* These two commands are sent as an application-level thread
522	* enters and exits the binder loop, respectively. They are
523	* used so the binder can have an accurate count of the number
524	* of looping threads it has available.
525	*/
526
527	BC_REQUEST_DEATH_NOTIFICATION = _IOW(`'c'`, `14`,
528	struct binder_handle_cookie),
529	/*
530	* int: handle
531	* void *: cookie
532	*/
533
534	BC_CLEAR_DEATH_NOTIFICATION = _IOW(`'c'`, `15`,
535	struct binder_handle_cookie),
536	/*
537	* int: handle
538	* void *: cookie
539	*/
540
541	BC_DEAD_BINDER_DONE = _IOW(`'c'`, `16`, binder_uintptr_t),
542	/*
543	* void *: cookie
544	*/
545
546	BC_TRANSACTION_SG = _IOW(`'c'`, `17`, struct binder_transaction_data_sg),
547	BC_REPLY_SG = _IOW(`'c'`, `18`, struct binder_transaction_data_sg),
548	/*
549	* binder_transaction_data_sg: the sent command.
550	*/
551	};
552
553	#endif /* _UAPI_LINUX_BINDER_H */
554
555

source code of linux/include/uapi/linux/android/binder.h