binder.h source code [linux/include/uapi/linux/android/binder.h]

1	/ SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note /
2	/*
3	* Copyright (C) 2008 Google, Inc.
4	*
5	* Based on, but no longer compatible with, the original
6	* OpenBinder.org binder driver interface, which is:
7	*
8	* Copyright (c) 2005 Palmsource, Inc.
9	*
10	* This software is licensed under the terms of the GNU General Public
11	* License version 2, as published by the Free Software Foundation, and
12	* may be copied, distributed, and modified under those terms.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	*/
20
21	#ifndef _UAPI_LINUX_BINDER_H
22	#define _UAPI_LINUX_BINDER_H
23
24	#include <linux/types.h>
25	#include <linux/ioctl.h>
26
27	#define B_PACK_CHARS(c1, c2, c3, c4) \
28	((((c1)<<24)) \| (((c2)<<16)) \| (((c3)<<8)) \| (c4))
29	#define B_TYPE_LARGE 0x85
30
31	enum {
32	BINDER_TYPE_BINDER = B_PACK_CHARS(`'s'`, `'b'`, `'*'`, B_TYPE_LARGE),
33	BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS(`'w'`, `'b'`, `'*'`, B_TYPE_LARGE),
34	BINDER_TYPE_HANDLE = B_PACK_CHARS(`'s'`, `'h'`, `'*'`, B_TYPE_LARGE),
35	BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS(`'w'`, `'h'`, `'*'`, B_TYPE_LARGE),
36	BINDER_TYPE_FD = B_PACK_CHARS(`'f'`, `'d'`, `'*'`, B_TYPE_LARGE),
37	BINDER_TYPE_FDA = B_PACK_CHARS(`'f'`, `'d'`, `'a'`, B_TYPE_LARGE),
38	BINDER_TYPE_PTR = B_PACK_CHARS(`'p'`, `'t'`, `'*'`, B_TYPE_LARGE),
39	};
40
41	enum {
42	FLAT_BINDER_FLAG_PRIORITY_MASK = `0xff`,
43	FLAT_BINDER_FLAG_ACCEPTS_FDS = `0x100`,
44
45	/**
46	* @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47	*
48	* Only when set, causes senders to include their security
49	* context
50	*/
51	FLAT_BINDER_FLAG_TXN_SECURITY_CTX = `0x1000`,
52	};
53
54	#ifdef BINDER_IPC_32BIT
55	typedef __u32 binder_size_t;
56	typedef __u32 binder_uintptr_t;
57	#else
58	typedef __u64 binder_size_t;
59	typedef __u64 binder_uintptr_t;
60	#endif
61
62	/**
63	* struct binder_object_header - header shared by all binder metadata objects.
64	* @type: type of the object
65	*/
66	struct binder_object_header {
67	__u32 type;
68	};
69
70	/*
71	* This is the flattened representation of a Binder object for transfer
72	* between processes. The 'offsets' supplied as part of a binder transaction
73	* contains offsets into the data where these structures occur. The Binder
74	* driver takes care of re-writing the structure type and data as it moves
75	* between processes.
76	*/
77	struct flat_binder_object {
78	struct binder_object_header hdr;
79	__u32 flags;
80
81	/ 8 bytes of data. /
82	union {
83	binder_uintptr_t binder; / local object /
84	__u32 handle; / remote object /
85	};
86
87	/ extra data associated with local object /
88	binder_uintptr_t cookie;
89	};
90
91	/**
92	* struct binder_fd_object - describes a filedescriptor to be fixed up.
93	* @hdr: common header structure
94	* @pad_flags: padding to remain compatible with old userspace code
95	* @pad_binder: padding to remain compatible with old userspace code
96	* @fd: file descriptor
97	* @cookie: opaque data, used by user-space
98	*/
99	struct binder_fd_object {
100	struct binder_object_header hdr;
101	__u32 pad_flags;
102	union {
103	binder_uintptr_t pad_binder;
104	__u32 fd;
105	};
106
107	binder_uintptr_t cookie;
108	};
109
110	/ struct binder_buffer_object - object describing a userspace buffer*
111	* @hdr: common header structure
112	* @flags: one or more BINDER_BUFFER_* flags
113	* @buffer: address of the buffer
114	* @length: length of the buffer
115	* @parent: index in offset array pointing to parent buffer
116	* @parent_offset: offset in @parent pointing to this buffer
117	*
118	* A binder_buffer object represents an object that the
119	* binder kernel driver can copy verbatim to the target
120	* address space. A buffer itself may be pointed to from
121	* within another buffer, meaning that the pointer inside
122	* that other buffer needs to be fixed up as well. This
123	* can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124	* flag in @flags, by setting @parent buffer to the index
125	* in the offset array pointing to the parent binder_buffer_object,
126	* and by setting @parent_offset to the offset in the parent buffer
127	* at which the pointer to this buffer is located.
128	*/
129	struct binder_buffer_object {
130	struct binder_object_header hdr;
131	__u32 flags;
132	binder_uintptr_t buffer;
133	binder_size_t length;
134	binder_size_t parent;
135	binder_size_t parent_offset;
136	};
137
138	enum {
139	BINDER_BUFFER_FLAG_HAS_PARENT = `0x01`,
140	};
141
142	/ struct binder_fd_array_object - object describing an array of fds in a buffer*
143	* @hdr: common header structure
144	* @pad: padding to ensure correct alignment
145	* @num_fds: number of file descriptors in the buffer
146	* @parent: index in offset array to buffer holding the fd array
147	* @parent_offset: start offset of fd array in the buffer
148	*
149	* A binder_fd_array object represents an array of file
150	* descriptors embedded in a binder_buffer_object. It is
151	* different from a regular binder_buffer_object because it
152	* describes a list of file descriptors to fix up, not an opaque
153	* blob of memory, and hence the kernel needs to treat it differently.
154	*
155	* An example of how this would be used is with Android's
156	* native_handle_t object, which is a struct with a list of integers
157	* and a list of file descriptors. The native_handle_t struct itself
158	* will be represented by a struct binder_buffer_objct, whereas the
159	* embedded list of file descriptors is represented by a
160	* struct binder_fd_array_object with that binder_buffer_object as
161	* a parent.
162	*/
163	struct binder_fd_array_object {
164	struct binder_object_header hdr;
165	__u32 pad;
166	binder_size_t num_fds;
167	binder_size_t parent;
168	binder_size_t parent_offset;
169	};
170
171	/*
172	* On 64-bit platforms where user code may run in 32-bits the driver must
173	* translate the buffer (and local binder) addresses appropriately.
174	*/
175
176	struct binder_write_read {
177	binder_size_t write_size; / bytes to write /
178	binder_size_t write_consumed; / bytes consumed by driver /
179	binder_uintptr_t write_buffer;
180	binder_size_t read_size; / bytes to read /
181	binder_size_t read_consumed; / bytes consumed by driver /
182	binder_uintptr_t read_buffer;
183	};
184
185	/ Use with BINDER_VERSION, driver fills in fields. /
186	struct binder_version {
187	/ driver protocol version -- increment with incompatible change /
188	__s32 protocol_version;
189	};
190
191	/ This is the current protocol version. /
192	#ifdef BINDER_IPC_32BIT
193	#define BINDER_CURRENT_PROTOCOL_VERSION 7
194	#else
195	#define BINDER_CURRENT_PROTOCOL_VERSION 8
196	#endif
197
198	/*
199	* Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200	* Set ptr to NULL for the first call to get the info for the first node, and
201	* then repeat the call passing the previously returned value to get the next
202	* nodes. ptr will be 0 when there are no more nodes.
203	*/
204	struct binder_node_debug_info {
205	binder_uintptr_t ptr;
206	binder_uintptr_t cookie;
207	__u32 has_strong_ref;
208	__u32 has_weak_ref;
209	};
210
211	struct binder_node_info_for_ref {
212	__u32 handle;
213	__u32 strong_count;
214	__u32 weak_count;
215	__u32 reserved1;
216	__u32 reserved2;
217	__u32 reserved3;
218	};
219
220	struct binder_freeze_info {
221	__u32 pid;
222	__u32 enable;
223	__u32 timeout_ms;
224	};
225
226	struct binder_frozen_status_info {
227	__u32 pid;
228
229	/ process received sync transactions since last frozen*
230	* bit 0: received sync transaction after being frozen
231	* bit 1: new pending sync transaction during freezing
232	*/
233	__u32 sync_recv;
234
235	/ process received async transactions since last frozen /
236	__u32 async_recv;
237	};
238
239	/ struct binder_extened_error - extended error information*
240	* @id: identifier for the failed operation
241	* @command: command as defined by binder_driver_return_protocol
242	* @param: parameter holding a negative errno value
243	*
244	* Used with BINDER_GET_EXTENDED_ERROR. This extends the error information
245	* returned by the driver upon a failed operation. Userspace can pull this
246	* data to properly handle specific error scenarios.
247	*/
248	struct binder_extended_error {
249	__u32 id;
250	__u32 command;
251	__s32 param;
252	};
253
254	enum {
255	BINDER_WRITE_READ = _IOWR(`'b'`, `1`, struct binder_write_read),
256	BINDER_SET_IDLE_TIMEOUT = _IOW(`'b'`, `3`, __s64),
257	BINDER_SET_MAX_THREADS = _IOW(`'b'`, `5`, __u32),
258	BINDER_SET_IDLE_PRIORITY = _IOW(`'b'`, `6`, __s32),
259	BINDER_SET_CONTEXT_MGR = _IOW(`'b'`, `7`, __s32),
260	BINDER_THREAD_EXIT = _IOW(`'b'`, `8`, __s32),
261	BINDER_VERSION = _IOWR(`'b'`, `9`, struct binder_version),
262	BINDER_GET_NODE_DEBUG_INFO = _IOWR(`'b'`, `11`, struct binder_node_debug_info),
263	BINDER_GET_NODE_INFO_FOR_REF = _IOWR(`'b'`, `12`, struct binder_node_info_for_ref),
264	BINDER_SET_CONTEXT_MGR_EXT = _IOW(`'b'`, `13`, struct flat_binder_object),
265	BINDER_FREEZE = _IOW(`'b'`, `14`, struct binder_freeze_info),
266	BINDER_GET_FROZEN_INFO = _IOWR(`'b'`, `15`, struct binder_frozen_status_info),
267	BINDER_ENABLE_ONEWAY_SPAM_DETECTION = _IOW(`'b'`, `16`, __u32),
268	BINDER_GET_EXTENDED_ERROR = _IOWR(`'b'`, `17`, struct binder_extended_error),
269	};
270
271	/*
272	* NOTE: Two special error codes you should check for when calling
273	* in to the driver are:
274	*
275	* EINTR -- The operation has been interupted. This should be
276	* handled by retrying the ioctl() until a different error code
277	* is returned.
278	*
279	* ECONNREFUSED -- The driver is no longer accepting operations
280	* from your process. That is, the process is being destroyed.
281	* You should handle this by exiting from your process. Note
282	* that once this error code is returned, all further calls to
283	* the driver from any thread will return this same code.
284	*/
285
286	enum transaction_flags {
287	TF_ONE_WAY = `0x01`, / this is a one-way call: async, no return /
288	TF_ROOT_OBJECT = `0x04`, / contents are the component's root object /
289	TF_STATUS_CODE = `0x08`, / contents are a 32-bit status code /
290	TF_ACCEPT_FDS = `0x10`, / allow replies with file descriptors /
291	TF_CLEAR_BUF = `0x20`, / clear buffer on txn complete /
292	TF_UPDATE_TXN = `0x40`, / update the outdated pending async txn /
293	};
294
295	struct binder_transaction_data {
296	/ The first two are only used for bcTRANSACTION and brTRANSACTION,*
297	* identifying the target and contents of the transaction.
298	*/
299	union {
300	/ target descriptor of command transaction /
301	__u32 handle;
302	/ target descriptor of return transaction /
303	binder_uintptr_t ptr;
304	} target;
305	binder_uintptr_t cookie; / target object cookie /
306	__u32 code; / transaction command /
307
308	/ General information about the transaction. /
309	__u32 flags;
310	__kernel_pid_t sender_pid;
311	__kernel_uid32_t sender_euid;
312	binder_size_t data_size; / number of bytes of data /
313	binder_size_t offsets_size; / number of bytes of offsets /
314
315	/ If this transaction is inline, the data immediately*
316	* follows here; otherwise, it ends with a pointer to
317	* the data buffer.
318	*/
319	union {
320	struct {
321	/ transaction data /
322	binder_uintptr_t buffer;
323	/ offsets from buffer to flat_binder_object structs /
324	binder_uintptr_t offsets;
325	} ptr;
326	__u8 buf[`8`];
327	} data;
328	};
329
330	struct binder_transaction_data_secctx {
331	struct binder_transaction_data transaction_data;
332	binder_uintptr_t secctx;
333	};
334
335	struct binder_transaction_data_sg {
336	struct binder_transaction_data transaction_data;
337	binder_size_t buffers_size;
338	};
339
340	struct binder_ptr_cookie {
341	binder_uintptr_t ptr;
342	binder_uintptr_t cookie;
343	};
344
345	struct binder_handle_cookie {
346	__u32 handle;
347	binder_uintptr_t cookie;
348	} __packed;
349
350	struct binder_pri_desc {
351	__s32 priority;
352	__u32 desc;
353	};
354
355	struct binder_pri_ptr_cookie {
356	__s32 priority;
357	binder_uintptr_t ptr;
358	binder_uintptr_t cookie;
359	};
360
361	enum binder_driver_return_protocol {
362	BR_ERROR = _IOR(`'r'`, `0`, __s32),
363	/*
364	* int: error code
365	*/
366
367	BR_OK = _IO(`'r'`, `1`),
368	/ No parameters! /
369
370	BR_TRANSACTION_SEC_CTX = _IOR(`'r'`, `2`,
371	struct binder_transaction_data_secctx),
372	/*
373	* binder_transaction_data_secctx: the received command.
374	*/
375	BR_TRANSACTION = _IOR(`'r'`, `2`, struct binder_transaction_data),
376	BR_REPLY = _IOR(`'r'`, `3`, struct binder_transaction_data),
377	/*
378	* binder_transaction_data: the received command.
379	*/
380
381	BR_ACQUIRE_RESULT = _IOR(`'r'`, `4`, __s32),
382	/*
383	* not currently supported
384	* int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
385	* Else the remote object has acquired a primary reference.
386	*/
387
388	BR_DEAD_REPLY = _IO(`'r'`, `5`),
389	/*
390	* The target of the last transaction (either a bcTRANSACTION or
391	* a bcATTEMPT_ACQUIRE) is no longer with us. No parameters.
392	*/
393
394	BR_TRANSACTION_COMPLETE = _IO(`'r'`, `6`),
395	/*
396	* No parameters... always refers to the last transaction requested
397	* (including replies). Note that this will be sent even for
398	* asynchronous transactions.
399	*/
400
401	BR_INCREFS = _IOR(`'r'`, `7`, struct binder_ptr_cookie),
402	BR_ACQUIRE = _IOR(`'r'`, `8`, struct binder_ptr_cookie),
403	BR_RELEASE = _IOR(`'r'`, `9`, struct binder_ptr_cookie),
404	BR_DECREFS = _IOR(`'r'`, `10`, struct binder_ptr_cookie),
405	/*
406	* void *: ptr to binder
407	* void *: cookie for binder
408	*/
409
410	BR_ATTEMPT_ACQUIRE = _IOR(`'r'`, `11`, struct binder_pri_ptr_cookie),
411	/*
412	* not currently supported
413	* int: priority
414	* void *: ptr to binder
415	* void *: cookie for binder
416	*/
417
418	BR_NOOP = _IO(`'r'`, `12`),
419	/*
420	* No parameters. Do nothing and examine the next command. It exists
421	* primarily so that we can replace it with a BR_SPAWN_LOOPER command.
422	*/
423
424	BR_SPAWN_LOOPER = _IO(`'r'`, `13`),
425	/*
426	* No parameters. The driver has determined that a process has no
427	* threads waiting to service incoming transactions. When a process
428	* receives this command, it must spawn a new service thread and
429	* register it via bcENTER_LOOPER.
430	*/
431
432	BR_FINISHED = _IO(`'r'`, `14`),
433	/*
434	* not currently supported
435	* stop threadpool thread
436	*/
437
438	BR_DEAD_BINDER = _IOR(`'r'`, `15`, binder_uintptr_t),
439	/*
440	* void *: cookie
441	*/
442	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR(`'r'`, `16`, binder_uintptr_t),
443	/*
444	* void *: cookie
445	*/
446
447	BR_FAILED_REPLY = _IO(`'r'`, `17`),
448	/*
449	* The last transaction (either a bcTRANSACTION or
450	* a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters.
451	*/
452
453	BR_FROZEN_REPLY = _IO(`'r'`, `18`),
454	/*
455	* The target of the last sync transaction (either a bcTRANSACTION or
456	* a bcATTEMPT_ACQUIRE) is frozen. No parameters.
457	*/
458
459	BR_ONEWAY_SPAM_SUSPECT = _IO(`'r'`, `19`),
460	/*
461	* Current process sent too many oneway calls to target, and the last
462	* asynchronous transaction makes the allocated async buffer size exceed
463	* detection threshold. No parameters.
464	*/
465
466	BR_TRANSACTION_PENDING_FROZEN = _IO(`'r'`, `20`),
467	/*
468	* The target of the last async transaction is frozen. No parameters.
469	*/
470	};
471
472	enum binder_driver_command_protocol {
473	BC_TRANSACTION = _IOW(`'c'`, `0`, struct binder_transaction_data),
474	BC_REPLY = _IOW(`'c'`, `1`, struct binder_transaction_data),
475	/*
476	* binder_transaction_data: the sent command.
477	*/
478
479	BC_ACQUIRE_RESULT = _IOW(`'c'`, `2`, __s32),
480	/*
481	* not currently supported
482	* int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful.
483	* Else you have acquired a primary reference on the object.
484	*/
485
486	BC_FREE_BUFFER = _IOW(`'c'`, `3`, binder_uintptr_t),
487	/*
488	* void *: ptr to transaction data received on a read
489	*/
490
491	BC_INCREFS = _IOW(`'c'`, `4`, __u32),
492	BC_ACQUIRE = _IOW(`'c'`, `5`, __u32),
493	BC_RELEASE = _IOW(`'c'`, `6`, __u32),
494	BC_DECREFS = _IOW(`'c'`, `7`, __u32),
495	/*
496	* int: descriptor
497	*/
498
499	BC_INCREFS_DONE = _IOW(`'c'`, `8`, struct binder_ptr_cookie),
500	BC_ACQUIRE_DONE = _IOW(`'c'`, `9`, struct binder_ptr_cookie),
501	/*
502	* void *: ptr to binder
503	* void *: cookie for binder
504	*/
505
506	BC_ATTEMPT_ACQUIRE = _IOW(`'c'`, `10`, struct binder_pri_desc),
507	/*
508	* not currently supported
509	* int: priority
510	* int: descriptor
511	*/
512
513	BC_REGISTER_LOOPER = _IO(`'c'`, `11`),
514	/*
515	* No parameters.
516	* Register a spawned looper thread with the device.
517	*/
518
519	BC_ENTER_LOOPER = _IO(`'c'`, `12`),
520	BC_EXIT_LOOPER = _IO(`'c'`, `13`),
521	/*
522	* No parameters.
523	* These two commands are sent as an application-level thread
524	* enters and exits the binder loop, respectively. They are
525	* used so the binder can have an accurate count of the number
526	* of looping threads it has available.
527	*/
528
529	BC_REQUEST_DEATH_NOTIFICATION = _IOW(`'c'`, `14`,
530	struct binder_handle_cookie),
531	/*
532	* int: handle
533	* void *: cookie
534	*/
535
536	BC_CLEAR_DEATH_NOTIFICATION = _IOW(`'c'`, `15`,
537	struct binder_handle_cookie),
538	/*
539	* int: handle
540	* void *: cookie
541	*/
542
543	BC_DEAD_BINDER_DONE = _IOW(`'c'`, `16`, binder_uintptr_t),
544	/*
545	* void *: cookie
546	*/
547
548	BC_TRANSACTION_SG = _IOW(`'c'`, `17`, struct binder_transaction_data_sg),
549	BC_REPLY_SG = _IOW(`'c'`, `18`, struct binder_transaction_data_sg),
550	/*
551	* binder_transaction_data_sg: the sent command.
552	*/
553	};
554
555	#endif /* _UAPI_LINUX_BINDER_H */
556
557

source code of linux/include/uapi/linux/android/binder.h