1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* |
3 | * Copyright (C) 2008 Google, Inc. |
4 | * |
5 | * Based on, but no longer compatible with, the original |
6 | * OpenBinder.org binder driver interface, which is: |
7 | * |
8 | * Copyright (c) 2005 Palmsource, Inc. |
9 | * |
10 | * This software is licensed under the terms of the GNU General Public |
11 | * License version 2, as published by the Free Software Foundation, and |
12 | * may be copied, distributed, and modified under those terms. |
13 | * |
14 | * This program is distributed in the hope that it will be useful, |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | * GNU General Public License for more details. |
18 | * |
19 | */ |
20 | |
21 | #ifndef _UAPI_LINUX_BINDER_H |
22 | #define _UAPI_LINUX_BINDER_H |
23 | |
24 | #include <linux/types.h> |
25 | #include <linux/ioctl.h> |
26 | |
27 | #define B_PACK_CHARS(c1, c2, c3, c4) \ |
28 | ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4)) |
29 | #define B_TYPE_LARGE 0x85 |
30 | |
31 | enum { |
32 | BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE), |
33 | BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE), |
34 | BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE), |
35 | BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE), |
36 | BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE), |
37 | BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE), |
38 | BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE), |
39 | }; |
40 | |
41 | enum { |
42 | FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, |
43 | FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, |
44 | |
45 | /** |
46 | * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts |
47 | * |
48 | * Only when set, causes senders to include their security |
49 | * context |
50 | */ |
51 | FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000, |
52 | }; |
53 | |
54 | #ifdef BINDER_IPC_32BIT |
55 | typedef __u32 binder_size_t; |
56 | typedef __u32 binder_uintptr_t; |
57 | #else |
58 | typedef __u64 binder_size_t; |
59 | typedef __u64 binder_uintptr_t; |
60 | #endif |
61 | |
62 | /** |
63 | * struct binder_object_header - header shared by all binder metadata objects. |
64 | * @type: type of the object |
65 | */ |
66 | struct { |
67 | __u32 ; |
68 | }; |
69 | |
70 | /* |
71 | * This is the flattened representation of a Binder object for transfer |
72 | * between processes. The 'offsets' supplied as part of a binder transaction |
73 | * contains offsets into the data where these structures occur. The Binder |
74 | * driver takes care of re-writing the structure type and data as it moves |
75 | * between processes. |
76 | */ |
77 | struct flat_binder_object { |
78 | struct binder_object_header hdr; |
79 | __u32 flags; |
80 | |
81 | /* 8 bytes of data. */ |
82 | union { |
83 | binder_uintptr_t binder; /* local object */ |
84 | __u32 handle; /* remote object */ |
85 | }; |
86 | |
87 | /* extra data associated with local object */ |
88 | binder_uintptr_t cookie; |
89 | }; |
90 | |
91 | /** |
92 | * struct binder_fd_object - describes a filedescriptor to be fixed up. |
93 | * @hdr: common header structure |
94 | * @pad_flags: padding to remain compatible with old userspace code |
95 | * @pad_binder: padding to remain compatible with old userspace code |
96 | * @fd: file descriptor |
97 | * @cookie: opaque data, used by user-space |
98 | */ |
99 | struct binder_fd_object { |
100 | struct binder_object_header hdr; |
101 | __u32 pad_flags; |
102 | union { |
103 | binder_uintptr_t pad_binder; |
104 | __u32 fd; |
105 | }; |
106 | |
107 | binder_uintptr_t cookie; |
108 | }; |
109 | |
110 | /* struct binder_buffer_object - object describing a userspace buffer |
111 | * @hdr: common header structure |
112 | * @flags: one or more BINDER_BUFFER_* flags |
113 | * @buffer: address of the buffer |
114 | * @length: length of the buffer |
115 | * @parent: index in offset array pointing to parent buffer |
116 | * @parent_offset: offset in @parent pointing to this buffer |
117 | * |
118 | * A binder_buffer object represents an object that the |
119 | * binder kernel driver can copy verbatim to the target |
120 | * address space. A buffer itself may be pointed to from |
121 | * within another buffer, meaning that the pointer inside |
122 | * that other buffer needs to be fixed up as well. This |
123 | * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT |
124 | * flag in @flags, by setting @parent buffer to the index |
125 | * in the offset array pointing to the parent binder_buffer_object, |
126 | * and by setting @parent_offset to the offset in the parent buffer |
127 | * at which the pointer to this buffer is located. |
128 | */ |
129 | struct binder_buffer_object { |
130 | struct binder_object_header hdr; |
131 | __u32 flags; |
132 | binder_uintptr_t buffer; |
133 | binder_size_t length; |
134 | binder_size_t parent; |
135 | binder_size_t parent_offset; |
136 | }; |
137 | |
138 | enum { |
139 | BINDER_BUFFER_FLAG_HAS_PARENT = 0x01, |
140 | }; |
141 | |
142 | /* struct binder_fd_array_object - object describing an array of fds in a buffer |
143 | * @hdr: common header structure |
144 | * @pad: padding to ensure correct alignment |
145 | * @num_fds: number of file descriptors in the buffer |
146 | * @parent: index in offset array to buffer holding the fd array |
147 | * @parent_offset: start offset of fd array in the buffer |
148 | * |
149 | * A binder_fd_array object represents an array of file |
150 | * descriptors embedded in a binder_buffer_object. It is |
151 | * different from a regular binder_buffer_object because it |
152 | * describes a list of file descriptors to fix up, not an opaque |
153 | * blob of memory, and hence the kernel needs to treat it differently. |
154 | * |
155 | * An example of how this would be used is with Android's |
156 | * native_handle_t object, which is a struct with a list of integers |
157 | * and a list of file descriptors. The native_handle_t struct itself |
158 | * will be represented by a struct binder_buffer_objct, whereas the |
159 | * embedded list of file descriptors is represented by a |
160 | * struct binder_fd_array_object with that binder_buffer_object as |
161 | * a parent. |
162 | */ |
163 | struct binder_fd_array_object { |
164 | struct binder_object_header hdr; |
165 | __u32 pad; |
166 | binder_size_t num_fds; |
167 | binder_size_t parent; |
168 | binder_size_t parent_offset; |
169 | }; |
170 | |
171 | /* |
172 | * On 64-bit platforms where user code may run in 32-bits the driver must |
173 | * translate the buffer (and local binder) addresses appropriately. |
174 | */ |
175 | |
176 | struct binder_write_read { |
177 | binder_size_t write_size; /* bytes to write */ |
178 | binder_size_t write_consumed; /* bytes consumed by driver */ |
179 | binder_uintptr_t write_buffer; |
180 | binder_size_t read_size; /* bytes to read */ |
181 | binder_size_t read_consumed; /* bytes consumed by driver */ |
182 | binder_uintptr_t read_buffer; |
183 | }; |
184 | |
185 | /* Use with BINDER_VERSION, driver fills in fields. */ |
186 | struct binder_version { |
187 | /* driver protocol version -- increment with incompatible change */ |
188 | __s32 protocol_version; |
189 | }; |
190 | |
191 | /* This is the current protocol version. */ |
192 | #ifdef BINDER_IPC_32BIT |
193 | #define BINDER_CURRENT_PROTOCOL_VERSION 7 |
194 | #else |
195 | #define BINDER_CURRENT_PROTOCOL_VERSION 8 |
196 | #endif |
197 | |
198 | /* |
199 | * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields. |
200 | * Set ptr to NULL for the first call to get the info for the first node, and |
201 | * then repeat the call passing the previously returned value to get the next |
202 | * nodes. ptr will be 0 when there are no more nodes. |
203 | */ |
204 | struct binder_node_debug_info { |
205 | binder_uintptr_t ptr; |
206 | binder_uintptr_t cookie; |
207 | __u32 has_strong_ref; |
208 | __u32 has_weak_ref; |
209 | }; |
210 | |
211 | struct binder_node_info_for_ref { |
212 | __u32 handle; |
213 | __u32 strong_count; |
214 | __u32 weak_count; |
215 | __u32 reserved1; |
216 | __u32 reserved2; |
217 | __u32 reserved3; |
218 | }; |
219 | |
220 | struct binder_freeze_info { |
221 | __u32 pid; |
222 | __u32 enable; |
223 | __u32 timeout_ms; |
224 | }; |
225 | |
226 | struct binder_frozen_status_info { |
227 | __u32 pid; |
228 | |
229 | /* process received sync transactions since last frozen |
230 | * bit 0: received sync transaction after being frozen |
231 | * bit 1: new pending sync transaction during freezing |
232 | */ |
233 | __u32 sync_recv; |
234 | |
235 | /* process received async transactions since last frozen */ |
236 | __u32 async_recv; |
237 | }; |
238 | |
239 | /* struct binder_extened_error - extended error information |
240 | * @id: identifier for the failed operation |
241 | * @command: command as defined by binder_driver_return_protocol |
242 | * @param: parameter holding a negative errno value |
243 | * |
244 | * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information |
245 | * returned by the driver upon a failed operation. Userspace can pull this |
246 | * data to properly handle specific error scenarios. |
247 | */ |
248 | struct binder_extended_error { |
249 | __u32 id; |
250 | __u32 command; |
251 | __s32 param; |
252 | }; |
253 | |
254 | #define BINDER_WRITE_READ _IOWR('b', 1, struct binder_write_read) |
255 | #define BINDER_SET_IDLE_TIMEOUT _IOW('b', 3, __s64) |
256 | #define BINDER_SET_MAX_THREADS _IOW('b', 5, __u32) |
257 | #define BINDER_SET_IDLE_PRIORITY _IOW('b', 6, __s32) |
258 | #define BINDER_SET_CONTEXT_MGR _IOW('b', 7, __s32) |
259 | #define BINDER_THREAD_EXIT _IOW('b', 8, __s32) |
260 | #define BINDER_VERSION _IOWR('b', 9, struct binder_version) |
261 | #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info) |
262 | #define BINDER_GET_NODE_INFO_FOR_REF _IOWR('b', 12, struct binder_node_info_for_ref) |
263 | #define BINDER_SET_CONTEXT_MGR_EXT _IOW('b', 13, struct flat_binder_object) |
264 | #define BINDER_FREEZE _IOW('b', 14, struct binder_freeze_info) |
265 | #define BINDER_GET_FROZEN_INFO _IOWR('b', 15, struct binder_frozen_status_info) |
266 | #define BINDER_ENABLE_ONEWAY_SPAM_DETECTION _IOW('b', 16, __u32) |
267 | #define BINDER_GET_EXTENDED_ERROR _IOWR('b', 17, struct binder_extended_error) |
268 | |
269 | /* |
270 | * NOTE: Two special error codes you should check for when calling |
271 | * in to the driver are: |
272 | * |
273 | * EINTR -- The operation has been interupted. This should be |
274 | * handled by retrying the ioctl() until a different error code |
275 | * is returned. |
276 | * |
277 | * ECONNREFUSED -- The driver is no longer accepting operations |
278 | * from your process. That is, the process is being destroyed. |
279 | * You should handle this by exiting from your process. Note |
280 | * that once this error code is returned, all further calls to |
281 | * the driver from any thread will return this same code. |
282 | */ |
283 | |
284 | enum transaction_flags { |
285 | TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */ |
286 | TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ |
287 | TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ |
288 | TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ |
289 | TF_CLEAR_BUF = 0x20, /* clear buffer on txn complete */ |
290 | TF_UPDATE_TXN = 0x40, /* update the outdated pending async txn */ |
291 | }; |
292 | |
293 | struct binder_transaction_data { |
294 | /* The first two are only used for bcTRANSACTION and brTRANSACTION, |
295 | * identifying the target and contents of the transaction. |
296 | */ |
297 | union { |
298 | /* target descriptor of command transaction */ |
299 | __u32 handle; |
300 | /* target descriptor of return transaction */ |
301 | binder_uintptr_t ptr; |
302 | } target; |
303 | binder_uintptr_t cookie; /* target object cookie */ |
304 | __u32 code; /* transaction command */ |
305 | |
306 | /* General information about the transaction. */ |
307 | __u32 flags; |
308 | __kernel_pid_t sender_pid; |
309 | __kernel_uid32_t sender_euid; |
310 | binder_size_t data_size; /* number of bytes of data */ |
311 | binder_size_t offsets_size; /* number of bytes of offsets */ |
312 | |
313 | /* If this transaction is inline, the data immediately |
314 | * follows here; otherwise, it ends with a pointer to |
315 | * the data buffer. |
316 | */ |
317 | union { |
318 | struct { |
319 | /* transaction data */ |
320 | binder_uintptr_t buffer; |
321 | /* offsets from buffer to flat_binder_object structs */ |
322 | binder_uintptr_t offsets; |
323 | } ptr; |
324 | __u8 buf[8]; |
325 | } data; |
326 | }; |
327 | |
328 | struct binder_transaction_data_secctx { |
329 | struct binder_transaction_data transaction_data; |
330 | binder_uintptr_t secctx; |
331 | }; |
332 | |
333 | struct binder_transaction_data_sg { |
334 | struct binder_transaction_data transaction_data; |
335 | binder_size_t buffers_size; |
336 | }; |
337 | |
338 | struct binder_ptr_cookie { |
339 | binder_uintptr_t ptr; |
340 | binder_uintptr_t cookie; |
341 | }; |
342 | |
343 | struct binder_handle_cookie { |
344 | __u32 handle; |
345 | binder_uintptr_t cookie; |
346 | } __packed; |
347 | |
348 | struct binder_pri_desc { |
349 | __s32 priority; |
350 | __u32 desc; |
351 | }; |
352 | |
353 | struct binder_pri_ptr_cookie { |
354 | __s32 priority; |
355 | binder_uintptr_t ptr; |
356 | binder_uintptr_t cookie; |
357 | }; |
358 | |
359 | enum binder_driver_return_protocol { |
360 | BR_ERROR = _IOR('r', 0, __s32), |
361 | /* |
362 | * int: error code |
363 | */ |
364 | |
365 | BR_OK = _IO('r', 1), |
366 | /* No parameters! */ |
367 | |
368 | BR_TRANSACTION_SEC_CTX = _IOR('r', 2, |
369 | struct binder_transaction_data_secctx), |
370 | /* |
371 | * binder_transaction_data_secctx: the received command. |
372 | */ |
373 | BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), |
374 | BR_REPLY = _IOR('r', 3, struct binder_transaction_data), |
375 | /* |
376 | * binder_transaction_data: the received command. |
377 | */ |
378 | |
379 | BR_ACQUIRE_RESULT = _IOR('r', 4, __s32), |
380 | /* |
381 | * not currently supported |
382 | * int: 0 if the last bcATTEMPT_ACQUIRE was not successful. |
383 | * Else the remote object has acquired a primary reference. |
384 | */ |
385 | |
386 | BR_DEAD_REPLY = _IO('r', 5), |
387 | /* |
388 | * The target of the last transaction (either a bcTRANSACTION or |
389 | * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters. |
390 | */ |
391 | |
392 | BR_TRANSACTION_COMPLETE = _IO('r', 6), |
393 | /* |
394 | * No parameters... always refers to the last transaction requested |
395 | * (including replies). Note that this will be sent even for |
396 | * asynchronous transactions. |
397 | */ |
398 | |
399 | BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie), |
400 | BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie), |
401 | BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie), |
402 | BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie), |
403 | /* |
404 | * void *: ptr to binder |
405 | * void *: cookie for binder |
406 | */ |
407 | |
408 | BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie), |
409 | /* |
410 | * not currently supported |
411 | * int: priority |
412 | * void *: ptr to binder |
413 | * void *: cookie for binder |
414 | */ |
415 | |
416 | BR_NOOP = _IO('r', 12), |
417 | /* |
418 | * No parameters. Do nothing and examine the next command. It exists |
419 | * primarily so that we can replace it with a BR_SPAWN_LOOPER command. |
420 | */ |
421 | |
422 | BR_SPAWN_LOOPER = _IO('r', 13), |
423 | /* |
424 | * No parameters. The driver has determined that a process has no |
425 | * threads waiting to service incoming transactions. When a process |
426 | * receives this command, it must spawn a new service thread and |
427 | * register it via bcENTER_LOOPER. |
428 | */ |
429 | |
430 | BR_FINISHED = _IO('r', 14), |
431 | /* |
432 | * not currently supported |
433 | * stop threadpool thread |
434 | */ |
435 | |
436 | BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t), |
437 | /* |
438 | * void *: cookie |
439 | */ |
440 | BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t), |
441 | /* |
442 | * void *: cookie |
443 | */ |
444 | |
445 | BR_FAILED_REPLY = _IO('r', 17), |
446 | /* |
447 | * The last transaction (either a bcTRANSACTION or |
448 | * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters. |
449 | */ |
450 | |
451 | BR_FROZEN_REPLY = _IO('r', 18), |
452 | /* |
453 | * The target of the last sync transaction (either a bcTRANSACTION or |
454 | * a bcATTEMPT_ACQUIRE) is frozen. No parameters. |
455 | */ |
456 | |
457 | BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19), |
458 | /* |
459 | * Current process sent too many oneway calls to target, and the last |
460 | * asynchronous transaction makes the allocated async buffer size exceed |
461 | * detection threshold. No parameters. |
462 | */ |
463 | |
464 | BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20), |
465 | /* |
466 | * The target of the last async transaction is frozen. No parameters. |
467 | */ |
468 | }; |
469 | |
470 | enum binder_driver_command_protocol { |
471 | BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data), |
472 | BC_REPLY = _IOW('c', 1, struct binder_transaction_data), |
473 | /* |
474 | * binder_transaction_data: the sent command. |
475 | */ |
476 | |
477 | BC_ACQUIRE_RESULT = _IOW('c', 2, __s32), |
478 | /* |
479 | * not currently supported |
480 | * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful. |
481 | * Else you have acquired a primary reference on the object. |
482 | */ |
483 | |
484 | BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t), |
485 | /* |
486 | * void *: ptr to transaction data received on a read |
487 | */ |
488 | |
489 | BC_INCREFS = _IOW('c', 4, __u32), |
490 | BC_ACQUIRE = _IOW('c', 5, __u32), |
491 | BC_RELEASE = _IOW('c', 6, __u32), |
492 | BC_DECREFS = _IOW('c', 7, __u32), |
493 | /* |
494 | * int: descriptor |
495 | */ |
496 | |
497 | BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie), |
498 | BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie), |
499 | /* |
500 | * void *: ptr to binder |
501 | * void *: cookie for binder |
502 | */ |
503 | |
504 | BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc), |
505 | /* |
506 | * not currently supported |
507 | * int: priority |
508 | * int: descriptor |
509 | */ |
510 | |
511 | BC_REGISTER_LOOPER = _IO('c', 11), |
512 | /* |
513 | * No parameters. |
514 | * Register a spawned looper thread with the device. |
515 | */ |
516 | |
517 | BC_ENTER_LOOPER = _IO('c', 12), |
518 | BC_EXIT_LOOPER = _IO('c', 13), |
519 | /* |
520 | * No parameters. |
521 | * These two commands are sent as an application-level thread |
522 | * enters and exits the binder loop, respectively. They are |
523 | * used so the binder can have an accurate count of the number |
524 | * of looping threads it has available. |
525 | */ |
526 | |
527 | BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14, |
528 | struct binder_handle_cookie), |
529 | /* |
530 | * int: handle |
531 | * void *: cookie |
532 | */ |
533 | |
534 | BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15, |
535 | struct binder_handle_cookie), |
536 | /* |
537 | * int: handle |
538 | * void *: cookie |
539 | */ |
540 | |
541 | BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t), |
542 | /* |
543 | * void *: cookie |
544 | */ |
545 | |
546 | BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg), |
547 | BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg), |
548 | /* |
549 | * binder_transaction_data_sg: the sent command. |
550 | */ |
551 | }; |
552 | |
553 | #endif /* _UAPI_LINUX_BINDER_H */ |
554 | |
555 | |