1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* |
3 | * Copyright (C) 2008 Google, Inc. |
4 | * |
5 | * Based on, but no longer compatible with, the original |
6 | * OpenBinder.org binder driver interface, which is: |
7 | * |
8 | * Copyright (c) 2005 Palmsource, Inc. |
9 | * |
10 | * This software is licensed under the terms of the GNU General Public |
11 | * License version 2, as published by the Free Software Foundation, and |
12 | * may be copied, distributed, and modified under those terms. |
13 | * |
14 | * This program is distributed in the hope that it will be useful, |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | * GNU General Public License for more details. |
18 | * |
19 | */ |
20 | |
21 | #ifndef _UAPI_LINUX_BINDER_H |
22 | #define _UAPI_LINUX_BINDER_H |
23 | |
24 | #include <linux/types.h> |
25 | #include <linux/ioctl.h> |
26 | |
27 | #define B_PACK_CHARS(c1, c2, c3, c4) \ |
28 | ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4)) |
29 | #define B_TYPE_LARGE 0x85 |
30 | |
31 | enum { |
32 | BINDER_TYPE_BINDER = B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE), |
33 | BINDER_TYPE_WEAK_BINDER = B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE), |
34 | BINDER_TYPE_HANDLE = B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE), |
35 | BINDER_TYPE_WEAK_HANDLE = B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE), |
36 | BINDER_TYPE_FD = B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE), |
37 | BINDER_TYPE_FDA = B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE), |
38 | BINDER_TYPE_PTR = B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE), |
39 | }; |
40 | |
41 | enum { |
42 | FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff, |
43 | FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100, |
44 | |
45 | /** |
46 | * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts |
47 | * |
48 | * Only when set, causes senders to include their security |
49 | * context |
50 | */ |
51 | FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000, |
52 | }; |
53 | |
54 | #ifdef BINDER_IPC_32BIT |
55 | typedef __u32 binder_size_t; |
56 | typedef __u32 binder_uintptr_t; |
57 | #else |
58 | typedef __u64 binder_size_t; |
59 | typedef __u64 binder_uintptr_t; |
60 | #endif |
61 | |
62 | /** |
63 | * struct binder_object_header - header shared by all binder metadata objects. |
64 | * @type: type of the object |
65 | */ |
66 | struct { |
67 | __u32 ; |
68 | }; |
69 | |
70 | /* |
71 | * This is the flattened representation of a Binder object for transfer |
72 | * between processes. The 'offsets' supplied as part of a binder transaction |
73 | * contains offsets into the data where these structures occur. The Binder |
74 | * driver takes care of re-writing the structure type and data as it moves |
75 | * between processes. |
76 | */ |
77 | struct flat_binder_object { |
78 | struct binder_object_header hdr; |
79 | __u32 flags; |
80 | |
81 | /* 8 bytes of data. */ |
82 | union { |
83 | binder_uintptr_t binder; /* local object */ |
84 | __u32 handle; /* remote object */ |
85 | }; |
86 | |
87 | /* extra data associated with local object */ |
88 | binder_uintptr_t cookie; |
89 | }; |
90 | |
91 | /** |
92 | * struct binder_fd_object - describes a filedescriptor to be fixed up. |
93 | * @hdr: common header structure |
94 | * @pad_flags: padding to remain compatible with old userspace code |
95 | * @pad_binder: padding to remain compatible with old userspace code |
96 | * @fd: file descriptor |
97 | * @cookie: opaque data, used by user-space |
98 | */ |
99 | struct binder_fd_object { |
100 | struct binder_object_header hdr; |
101 | __u32 pad_flags; |
102 | union { |
103 | binder_uintptr_t pad_binder; |
104 | __u32 fd; |
105 | }; |
106 | |
107 | binder_uintptr_t cookie; |
108 | }; |
109 | |
110 | /* struct binder_buffer_object - object describing a userspace buffer |
111 | * @hdr: common header structure |
112 | * @flags: one or more BINDER_BUFFER_* flags |
113 | * @buffer: address of the buffer |
114 | * @length: length of the buffer |
115 | * @parent: index in offset array pointing to parent buffer |
116 | * @parent_offset: offset in @parent pointing to this buffer |
117 | * |
118 | * A binder_buffer object represents an object that the |
119 | * binder kernel driver can copy verbatim to the target |
120 | * address space. A buffer itself may be pointed to from |
121 | * within another buffer, meaning that the pointer inside |
122 | * that other buffer needs to be fixed up as well. This |
123 | * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT |
124 | * flag in @flags, by setting @parent buffer to the index |
125 | * in the offset array pointing to the parent binder_buffer_object, |
126 | * and by setting @parent_offset to the offset in the parent buffer |
127 | * at which the pointer to this buffer is located. |
128 | */ |
129 | struct binder_buffer_object { |
130 | struct binder_object_header hdr; |
131 | __u32 flags; |
132 | binder_uintptr_t buffer; |
133 | binder_size_t length; |
134 | binder_size_t parent; |
135 | binder_size_t parent_offset; |
136 | }; |
137 | |
138 | enum { |
139 | BINDER_BUFFER_FLAG_HAS_PARENT = 0x01, |
140 | }; |
141 | |
142 | /* struct binder_fd_array_object - object describing an array of fds in a buffer |
143 | * @hdr: common header structure |
144 | * @pad: padding to ensure correct alignment |
145 | * @num_fds: number of file descriptors in the buffer |
146 | * @parent: index in offset array to buffer holding the fd array |
147 | * @parent_offset: start offset of fd array in the buffer |
148 | * |
149 | * A binder_fd_array object represents an array of file |
150 | * descriptors embedded in a binder_buffer_object. It is |
151 | * different from a regular binder_buffer_object because it |
152 | * describes a list of file descriptors to fix up, not an opaque |
153 | * blob of memory, and hence the kernel needs to treat it differently. |
154 | * |
155 | * An example of how this would be used is with Android's |
156 | * native_handle_t object, which is a struct with a list of integers |
157 | * and a list of file descriptors. The native_handle_t struct itself |
158 | * will be represented by a struct binder_buffer_objct, whereas the |
159 | * embedded list of file descriptors is represented by a |
160 | * struct binder_fd_array_object with that binder_buffer_object as |
161 | * a parent. |
162 | */ |
163 | struct binder_fd_array_object { |
164 | struct binder_object_header hdr; |
165 | __u32 pad; |
166 | binder_size_t num_fds; |
167 | binder_size_t parent; |
168 | binder_size_t parent_offset; |
169 | }; |
170 | |
171 | /* |
172 | * On 64-bit platforms where user code may run in 32-bits the driver must |
173 | * translate the buffer (and local binder) addresses appropriately. |
174 | */ |
175 | |
176 | struct binder_write_read { |
177 | binder_size_t write_size; /* bytes to write */ |
178 | binder_size_t write_consumed; /* bytes consumed by driver */ |
179 | binder_uintptr_t write_buffer; |
180 | binder_size_t read_size; /* bytes to read */ |
181 | binder_size_t read_consumed; /* bytes consumed by driver */ |
182 | binder_uintptr_t read_buffer; |
183 | }; |
184 | |
185 | /* Use with BINDER_VERSION, driver fills in fields. */ |
186 | struct binder_version { |
187 | /* driver protocol version -- increment with incompatible change */ |
188 | __s32 protocol_version; |
189 | }; |
190 | |
191 | /* This is the current protocol version. */ |
192 | #ifdef BINDER_IPC_32BIT |
193 | #define BINDER_CURRENT_PROTOCOL_VERSION 7 |
194 | #else |
195 | #define BINDER_CURRENT_PROTOCOL_VERSION 8 |
196 | #endif |
197 | |
198 | /* |
199 | * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields. |
200 | * Set ptr to NULL for the first call to get the info for the first node, and |
201 | * then repeat the call passing the previously returned value to get the next |
202 | * nodes. ptr will be 0 when there are no more nodes. |
203 | */ |
204 | struct binder_node_debug_info { |
205 | binder_uintptr_t ptr; |
206 | binder_uintptr_t cookie; |
207 | __u32 has_strong_ref; |
208 | __u32 has_weak_ref; |
209 | }; |
210 | |
211 | struct binder_node_info_for_ref { |
212 | __u32 handle; |
213 | __u32 strong_count; |
214 | __u32 weak_count; |
215 | __u32 reserved1; |
216 | __u32 reserved2; |
217 | __u32 reserved3; |
218 | }; |
219 | |
220 | struct binder_freeze_info { |
221 | __u32 pid; |
222 | __u32 enable; |
223 | __u32 timeout_ms; |
224 | }; |
225 | |
226 | struct binder_frozen_status_info { |
227 | __u32 pid; |
228 | |
229 | /* process received sync transactions since last frozen |
230 | * bit 0: received sync transaction after being frozen |
231 | * bit 1: new pending sync transaction during freezing |
232 | */ |
233 | __u32 sync_recv; |
234 | |
235 | /* process received async transactions since last frozen */ |
236 | __u32 async_recv; |
237 | }; |
238 | |
239 | /* struct binder_extened_error - extended error information |
240 | * @id: identifier for the failed operation |
241 | * @command: command as defined by binder_driver_return_protocol |
242 | * @param: parameter holding a negative errno value |
243 | * |
244 | * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information |
245 | * returned by the driver upon a failed operation. Userspace can pull this |
246 | * data to properly handle specific error scenarios. |
247 | */ |
248 | struct binder_extended_error { |
249 | __u32 id; |
250 | __u32 command; |
251 | __s32 param; |
252 | }; |
253 | |
254 | enum { |
255 | BINDER_WRITE_READ = _IOWR('b', 1, struct binder_write_read), |
256 | BINDER_SET_IDLE_TIMEOUT = _IOW('b', 3, __s64), |
257 | BINDER_SET_MAX_THREADS = _IOW('b', 5, __u32), |
258 | BINDER_SET_IDLE_PRIORITY = _IOW('b', 6, __s32), |
259 | BINDER_SET_CONTEXT_MGR = _IOW('b', 7, __s32), |
260 | BINDER_THREAD_EXIT = _IOW('b', 8, __s32), |
261 | BINDER_VERSION = _IOWR('b', 9, struct binder_version), |
262 | BINDER_GET_NODE_DEBUG_INFO = _IOWR('b', 11, struct binder_node_debug_info), |
263 | BINDER_GET_NODE_INFO_FOR_REF = _IOWR('b', 12, struct binder_node_info_for_ref), |
264 | BINDER_SET_CONTEXT_MGR_EXT = _IOW('b', 13, struct flat_binder_object), |
265 | BINDER_FREEZE = _IOW('b', 14, struct binder_freeze_info), |
266 | BINDER_GET_FROZEN_INFO = _IOWR('b', 15, struct binder_frozen_status_info), |
267 | BINDER_ENABLE_ONEWAY_SPAM_DETECTION = _IOW('b', 16, __u32), |
268 | BINDER_GET_EXTENDED_ERROR = _IOWR('b', 17, struct binder_extended_error), |
269 | }; |
270 | |
271 | /* |
272 | * NOTE: Two special error codes you should check for when calling |
273 | * in to the driver are: |
274 | * |
275 | * EINTR -- The operation has been interupted. This should be |
276 | * handled by retrying the ioctl() until a different error code |
277 | * is returned. |
278 | * |
279 | * ECONNREFUSED -- The driver is no longer accepting operations |
280 | * from your process. That is, the process is being destroyed. |
281 | * You should handle this by exiting from your process. Note |
282 | * that once this error code is returned, all further calls to |
283 | * the driver from any thread will return this same code. |
284 | */ |
285 | |
286 | enum transaction_flags { |
287 | TF_ONE_WAY = 0x01, /* this is a one-way call: async, no return */ |
288 | TF_ROOT_OBJECT = 0x04, /* contents are the component's root object */ |
289 | TF_STATUS_CODE = 0x08, /* contents are a 32-bit status code */ |
290 | TF_ACCEPT_FDS = 0x10, /* allow replies with file descriptors */ |
291 | TF_CLEAR_BUF = 0x20, /* clear buffer on txn complete */ |
292 | TF_UPDATE_TXN = 0x40, /* update the outdated pending async txn */ |
293 | }; |
294 | |
295 | struct binder_transaction_data { |
296 | /* The first two are only used for bcTRANSACTION and brTRANSACTION, |
297 | * identifying the target and contents of the transaction. |
298 | */ |
299 | union { |
300 | /* target descriptor of command transaction */ |
301 | __u32 handle; |
302 | /* target descriptor of return transaction */ |
303 | binder_uintptr_t ptr; |
304 | } target; |
305 | binder_uintptr_t cookie; /* target object cookie */ |
306 | __u32 code; /* transaction command */ |
307 | |
308 | /* General information about the transaction. */ |
309 | __u32 flags; |
310 | __kernel_pid_t sender_pid; |
311 | __kernel_uid32_t sender_euid; |
312 | binder_size_t data_size; /* number of bytes of data */ |
313 | binder_size_t offsets_size; /* number of bytes of offsets */ |
314 | |
315 | /* If this transaction is inline, the data immediately |
316 | * follows here; otherwise, it ends with a pointer to |
317 | * the data buffer. |
318 | */ |
319 | union { |
320 | struct { |
321 | /* transaction data */ |
322 | binder_uintptr_t buffer; |
323 | /* offsets from buffer to flat_binder_object structs */ |
324 | binder_uintptr_t offsets; |
325 | } ptr; |
326 | __u8 buf[8]; |
327 | } data; |
328 | }; |
329 | |
330 | struct binder_transaction_data_secctx { |
331 | struct binder_transaction_data transaction_data; |
332 | binder_uintptr_t secctx; |
333 | }; |
334 | |
335 | struct binder_transaction_data_sg { |
336 | struct binder_transaction_data transaction_data; |
337 | binder_size_t buffers_size; |
338 | }; |
339 | |
340 | struct binder_ptr_cookie { |
341 | binder_uintptr_t ptr; |
342 | binder_uintptr_t cookie; |
343 | }; |
344 | |
345 | struct binder_handle_cookie { |
346 | __u32 handle; |
347 | binder_uintptr_t cookie; |
348 | } __packed; |
349 | |
350 | struct binder_pri_desc { |
351 | __s32 priority; |
352 | __u32 desc; |
353 | }; |
354 | |
355 | struct binder_pri_ptr_cookie { |
356 | __s32 priority; |
357 | binder_uintptr_t ptr; |
358 | binder_uintptr_t cookie; |
359 | }; |
360 | |
361 | enum binder_driver_return_protocol { |
362 | BR_ERROR = _IOR('r', 0, __s32), |
363 | /* |
364 | * int: error code |
365 | */ |
366 | |
367 | BR_OK = _IO('r', 1), |
368 | /* No parameters! */ |
369 | |
370 | BR_TRANSACTION_SEC_CTX = _IOR('r', 2, |
371 | struct binder_transaction_data_secctx), |
372 | /* |
373 | * binder_transaction_data_secctx: the received command. |
374 | */ |
375 | BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data), |
376 | BR_REPLY = _IOR('r', 3, struct binder_transaction_data), |
377 | /* |
378 | * binder_transaction_data: the received command. |
379 | */ |
380 | |
381 | BR_ACQUIRE_RESULT = _IOR('r', 4, __s32), |
382 | /* |
383 | * not currently supported |
384 | * int: 0 if the last bcATTEMPT_ACQUIRE was not successful. |
385 | * Else the remote object has acquired a primary reference. |
386 | */ |
387 | |
388 | BR_DEAD_REPLY = _IO('r', 5), |
389 | /* |
390 | * The target of the last transaction (either a bcTRANSACTION or |
391 | * a bcATTEMPT_ACQUIRE) is no longer with us. No parameters. |
392 | */ |
393 | |
394 | BR_TRANSACTION_COMPLETE = _IO('r', 6), |
395 | /* |
396 | * No parameters... always refers to the last transaction requested |
397 | * (including replies). Note that this will be sent even for |
398 | * asynchronous transactions. |
399 | */ |
400 | |
401 | BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie), |
402 | BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie), |
403 | BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie), |
404 | BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie), |
405 | /* |
406 | * void *: ptr to binder |
407 | * void *: cookie for binder |
408 | */ |
409 | |
410 | BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie), |
411 | /* |
412 | * not currently supported |
413 | * int: priority |
414 | * void *: ptr to binder |
415 | * void *: cookie for binder |
416 | */ |
417 | |
418 | BR_NOOP = _IO('r', 12), |
419 | /* |
420 | * No parameters. Do nothing and examine the next command. It exists |
421 | * primarily so that we can replace it with a BR_SPAWN_LOOPER command. |
422 | */ |
423 | |
424 | BR_SPAWN_LOOPER = _IO('r', 13), |
425 | /* |
426 | * No parameters. The driver has determined that a process has no |
427 | * threads waiting to service incoming transactions. When a process |
428 | * receives this command, it must spawn a new service thread and |
429 | * register it via bcENTER_LOOPER. |
430 | */ |
431 | |
432 | BR_FINISHED = _IO('r', 14), |
433 | /* |
434 | * not currently supported |
435 | * stop threadpool thread |
436 | */ |
437 | |
438 | BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t), |
439 | /* |
440 | * void *: cookie |
441 | */ |
442 | BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t), |
443 | /* |
444 | * void *: cookie |
445 | */ |
446 | |
447 | BR_FAILED_REPLY = _IO('r', 17), |
448 | /* |
449 | * The last transaction (either a bcTRANSACTION or |
450 | * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory). No parameters. |
451 | */ |
452 | |
453 | BR_FROZEN_REPLY = _IO('r', 18), |
454 | /* |
455 | * The target of the last sync transaction (either a bcTRANSACTION or |
456 | * a bcATTEMPT_ACQUIRE) is frozen. No parameters. |
457 | */ |
458 | |
459 | BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19), |
460 | /* |
461 | * Current process sent too many oneway calls to target, and the last |
462 | * asynchronous transaction makes the allocated async buffer size exceed |
463 | * detection threshold. No parameters. |
464 | */ |
465 | |
466 | BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20), |
467 | /* |
468 | * The target of the last async transaction is frozen. No parameters. |
469 | */ |
470 | }; |
471 | |
472 | enum binder_driver_command_protocol { |
473 | BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data), |
474 | BC_REPLY = _IOW('c', 1, struct binder_transaction_data), |
475 | /* |
476 | * binder_transaction_data: the sent command. |
477 | */ |
478 | |
479 | BC_ACQUIRE_RESULT = _IOW('c', 2, __s32), |
480 | /* |
481 | * not currently supported |
482 | * int: 0 if the last BR_ATTEMPT_ACQUIRE was not successful. |
483 | * Else you have acquired a primary reference on the object. |
484 | */ |
485 | |
486 | BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t), |
487 | /* |
488 | * void *: ptr to transaction data received on a read |
489 | */ |
490 | |
491 | BC_INCREFS = _IOW('c', 4, __u32), |
492 | BC_ACQUIRE = _IOW('c', 5, __u32), |
493 | BC_RELEASE = _IOW('c', 6, __u32), |
494 | BC_DECREFS = _IOW('c', 7, __u32), |
495 | /* |
496 | * int: descriptor |
497 | */ |
498 | |
499 | BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie), |
500 | BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie), |
501 | /* |
502 | * void *: ptr to binder |
503 | * void *: cookie for binder |
504 | */ |
505 | |
506 | BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc), |
507 | /* |
508 | * not currently supported |
509 | * int: priority |
510 | * int: descriptor |
511 | */ |
512 | |
513 | BC_REGISTER_LOOPER = _IO('c', 11), |
514 | /* |
515 | * No parameters. |
516 | * Register a spawned looper thread with the device. |
517 | */ |
518 | |
519 | BC_ENTER_LOOPER = _IO('c', 12), |
520 | BC_EXIT_LOOPER = _IO('c', 13), |
521 | /* |
522 | * No parameters. |
523 | * These two commands are sent as an application-level thread |
524 | * enters and exits the binder loop, respectively. They are |
525 | * used so the binder can have an accurate count of the number |
526 | * of looping threads it has available. |
527 | */ |
528 | |
529 | BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14, |
530 | struct binder_handle_cookie), |
531 | /* |
532 | * int: handle |
533 | * void *: cookie |
534 | */ |
535 | |
536 | BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15, |
537 | struct binder_handle_cookie), |
538 | /* |
539 | * int: handle |
540 | * void *: cookie |
541 | */ |
542 | |
543 | BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t), |
544 | /* |
545 | * void *: cookie |
546 | */ |
547 | |
548 | BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg), |
549 | BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg), |
550 | /* |
551 | * binder_transaction_data_sg: the sent command. |
552 | */ |
553 | }; |
554 | |
555 | #endif /* _UAPI_LINUX_BINDER_H */ |
556 | |
557 | |