1  /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2  /*
3   * Copyright (C) 2008 Google, Inc.
4   *
5   * Based on, but no longer compatible with, the original
6   * OpenBinder.org binder driver interface, which is:
7   *
8   * Copyright (c) 2005 Palmsource, Inc.
9   *
10   * This software is licensed under the terms of the GNU General Public
11   * License version 2, as published by the Free Software Foundation, and
12   * may be copied, distributed, and modified under those terms.
13   *
14   * This program is distributed in the hope that it will be useful,
15   * but WITHOUT ANY WARRANTY; without even the implied warranty of
16   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17   * GNU General Public License for more details.
18   *
19   */
20  
21  #ifndef _UAPI_LINUX_BINDER_H
22  #define _UAPI_LINUX_BINDER_H
23  
24  #include <linux/types.h>
25  #include <linux/ioctl.h>
26  
27  #define B_PACK_CHARS(c1, c2, c3, c4) \
28  	((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
29  #define B_TYPE_LARGE 0x85
30  
31  enum {
32  	BINDER_TYPE_BINDER	= B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
33  	BINDER_TYPE_WEAK_BINDER	= B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
34  	BINDER_TYPE_HANDLE	= B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
35  	BINDER_TYPE_WEAK_HANDLE	= B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
36  	BINDER_TYPE_FD		= B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
37  	BINDER_TYPE_FDA		= B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
38  	BINDER_TYPE_PTR		= B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
39  };
40  
41  enum {
42  	FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
43  	FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
44  
45  	/**
46  	 * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47  	 *
48  	 * Only when set, causes senders to include their security
49  	 * context
50  	 */
51  	FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
52  };
53  
54  #ifdef BINDER_IPC_32BIT
55  typedef __u32 binder_size_t;
56  typedef __u32 binder_uintptr_t;
57  #else
58  typedef __u64 binder_size_t;
59  typedef __u64 binder_uintptr_t;
60  #endif
61  
62  /**
63   * struct binder_object_header - header shared by all binder metadata objects.
64   * @type:	type of the object
65   */
66  struct binder_object_header {
67  	__u32        type;
68  };
69  
70  /*
71   * This is the flattened representation of a Binder object for transfer
72   * between processes.  The 'offsets' supplied as part of a binder transaction
73   * contains offsets into the data where these structures occur.  The Binder
74   * driver takes care of re-writing the structure type and data as it moves
75   * between processes.
76   */
77  struct flat_binder_object {
78  	struct binder_object_header	hdr;
79  	__u32				flags;
80  
81  	/* 8 bytes of data. */
82  	union {
83  		binder_uintptr_t	binder;	/* local object */
84  		__u32			handle;	/* remote object */
85  	};
86  
87  	/* extra data associated with local object */
88  	binder_uintptr_t	cookie;
89  };
90  
91  /**
92   * struct binder_fd_object - describes a filedescriptor to be fixed up.
93   * @hdr:	common header structure
94   * @pad_flags:	padding to remain compatible with old userspace code
95   * @pad_binder:	padding to remain compatible with old userspace code
96   * @fd:		file descriptor
97   * @cookie:	opaque data, used by user-space
98   */
99  struct binder_fd_object {
100  	struct binder_object_header	hdr;
101  	__u32				pad_flags;
102  	union {
103  		binder_uintptr_t	pad_binder;
104  		__u32			fd;
105  	};
106  
107  	binder_uintptr_t		cookie;
108  };
109  
110  /* struct binder_buffer_object - object describing a userspace buffer
111   * @hdr:		common header structure
112   * @flags:		one or more BINDER_BUFFER_* flags
113   * @buffer:		address of the buffer
114   * @length:		length of the buffer
115   * @parent:		index in offset array pointing to parent buffer
116   * @parent_offset:	offset in @parent pointing to this buffer
117   *
118   * A binder_buffer object represents an object that the
119   * binder kernel driver can copy verbatim to the target
120   * address space. A buffer itself may be pointed to from
121   * within another buffer, meaning that the pointer inside
122   * that other buffer needs to be fixed up as well. This
123   * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124   * flag in @flags, by setting @parent buffer to the index
125   * in the offset array pointing to the parent binder_buffer_object,
126   * and by setting @parent_offset to the offset in the parent buffer
127   * at which the pointer to this buffer is located.
128   */
129  struct binder_buffer_object {
130  	struct binder_object_header	hdr;
131  	__u32				flags;
132  	binder_uintptr_t		buffer;
133  	binder_size_t			length;
134  	binder_size_t			parent;
135  	binder_size_t			parent_offset;
136  };
137  
138  enum {
139  	BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
140  };
141  
142  /* struct binder_fd_array_object - object describing an array of fds in a buffer
143   * @hdr:		common header structure
144   * @pad:		padding to ensure correct alignment
145   * @num_fds:		number of file descriptors in the buffer
146   * @parent:		index in offset array to buffer holding the fd array
147   * @parent_offset:	start offset of fd array in the buffer
148   *
149   * A binder_fd_array object represents an array of file
150   * descriptors embedded in a binder_buffer_object. It is
151   * different from a regular binder_buffer_object because it
152   * describes a list of file descriptors to fix up, not an opaque
153   * blob of memory, and hence the kernel needs to treat it differently.
154   *
155   * An example of how this would be used is with Android's
156   * native_handle_t object, which is a struct with a list of integers
157   * and a list of file descriptors. The native_handle_t struct itself
158   * will be represented by a struct binder_buffer_objct, whereas the
159   * embedded list of file descriptors is represented by a
160   * struct binder_fd_array_object with that binder_buffer_object as
161   * a parent.
162   */
163  struct binder_fd_array_object {
164  	struct binder_object_header	hdr;
165  	__u32				pad;
166  	binder_size_t			num_fds;
167  	binder_size_t			parent;
168  	binder_size_t			parent_offset;
169  };
170  
171  /*
172   * On 64-bit platforms where user code may run in 32-bits the driver must
173   * translate the buffer (and local binder) addresses appropriately.
174   */
175  
176  struct binder_write_read {
177  	binder_size_t		write_size;	/* bytes to write */
178  	binder_size_t		write_consumed;	/* bytes consumed by driver */
179  	binder_uintptr_t	write_buffer;
180  	binder_size_t		read_size;	/* bytes to read */
181  	binder_size_t		read_consumed;	/* bytes consumed by driver */
182  	binder_uintptr_t	read_buffer;
183  };
184  
185  /* Use with BINDER_VERSION, driver fills in fields. */
186  struct binder_version {
187  	/* driver protocol version -- increment with incompatible change */
188  	__s32       protocol_version;
189  };
190  
191  /* This is the current protocol version. */
192  #ifdef BINDER_IPC_32BIT
193  #define BINDER_CURRENT_PROTOCOL_VERSION 7
194  #else
195  #define BINDER_CURRENT_PROTOCOL_VERSION 8
196  #endif
197  
198  /*
199   * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200   * Set ptr to NULL for the first call to get the info for the first node, and
201   * then repeat the call passing the previously returned value to get the next
202   * nodes.  ptr will be 0 when there are no more nodes.
203   */
204  struct binder_node_debug_info {
205  	binder_uintptr_t ptr;
206  	binder_uintptr_t cookie;
207  	__u32            has_strong_ref;
208  	__u32            has_weak_ref;
209  };
210  
211  struct binder_node_info_for_ref {
212  	__u32            handle;
213  	__u32            strong_count;
214  	__u32            weak_count;
215  	__u32            reserved1;
216  	__u32            reserved2;
217  	__u32            reserved3;
218  };
219  
220  struct binder_freeze_info {
221  	__u32            pid;
222  	__u32            enable;
223  	__u32            timeout_ms;
224  };
225  
226  struct binder_frozen_status_info {
227  	__u32            pid;
228  
229  	/* process received sync transactions since last frozen
230  	 * bit 0: received sync transaction after being frozen
231  	 * bit 1: new pending sync transaction during freezing
232  	 */
233  	__u32            sync_recv;
234  
235  	/* process received async transactions since last frozen */
236  	__u32            async_recv;
237  };
238  
239  /* struct binder_extened_error - extended error information
240   * @id:		identifier for the failed operation
241   * @command:	command as defined by binder_driver_return_protocol
242   * @param:	parameter holding a negative errno value
243   *
244   * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information
245   * returned by the driver upon a failed operation. Userspace can pull this
246   * data to properly handle specific error scenarios.
247   */
248  struct binder_extended_error {
249  	__u32	id;
250  	__u32	command;
251  	__s32	param;
252  };
253  
254  #define BINDER_WRITE_READ		_IOWR('b', 1, struct binder_write_read)
255  #define BINDER_SET_IDLE_TIMEOUT		_IOW('b', 3, __s64)
256  #define BINDER_SET_MAX_THREADS		_IOW('b', 5, __u32)
257  #define BINDER_SET_IDLE_PRIORITY	_IOW('b', 6, __s32)
258  #define BINDER_SET_CONTEXT_MGR		_IOW('b', 7, __s32)
259  #define BINDER_THREAD_EXIT		_IOW('b', 8, __s32)
260  #define BINDER_VERSION			_IOWR('b', 9, struct binder_version)
261  #define BINDER_GET_NODE_DEBUG_INFO	_IOWR('b', 11, struct binder_node_debug_info)
262  #define BINDER_GET_NODE_INFO_FOR_REF	_IOWR('b', 12, struct binder_node_info_for_ref)
263  #define BINDER_SET_CONTEXT_MGR_EXT	_IOW('b', 13, struct flat_binder_object)
264  #define BINDER_FREEZE			_IOW('b', 14, struct binder_freeze_info)
265  #define BINDER_GET_FROZEN_INFO		_IOWR('b', 15, struct binder_frozen_status_info)
266  #define BINDER_ENABLE_ONEWAY_SPAM_DETECTION	_IOW('b', 16, __u32)
267  #define BINDER_GET_EXTENDED_ERROR	_IOWR('b', 17, struct binder_extended_error)
268  
269  /*
270   * NOTE: Two special error codes you should check for when calling
271   * in to the driver are:
272   *
273   * EINTR -- The operation has been interupted.  This should be
274   * handled by retrying the ioctl() until a different error code
275   * is returned.
276   *
277   * ECONNREFUSED -- The driver is no longer accepting operations
278   * from your process.  That is, the process is being destroyed.
279   * You should handle this by exiting from your process.  Note
280   * that once this error code is returned, all further calls to
281   * the driver from any thread will return this same code.
282   */
283  
284  enum transaction_flags {
285  	TF_ONE_WAY	= 0x01,	/* this is a one-way call: async, no return */
286  	TF_ROOT_OBJECT	= 0x04,	/* contents are the component's root object */
287  	TF_STATUS_CODE	= 0x08,	/* contents are a 32-bit status code */
288  	TF_ACCEPT_FDS	= 0x10,	/* allow replies with file descriptors */
289  	TF_CLEAR_BUF	= 0x20,	/* clear buffer on txn complete */
290  	TF_UPDATE_TXN	= 0x40,	/* update the outdated pending async txn */
291  };
292  
293  struct binder_transaction_data {
294  	/* The first two are only used for bcTRANSACTION and brTRANSACTION,
295  	 * identifying the target and contents of the transaction.
296  	 */
297  	union {
298  		/* target descriptor of command transaction */
299  		__u32	handle;
300  		/* target descriptor of return transaction */
301  		binder_uintptr_t ptr;
302  	} target;
303  	binder_uintptr_t	cookie;	/* target object cookie */
304  	__u32		code;		/* transaction command */
305  
306  	/* General information about the transaction. */
307  	__u32	        flags;
308  	__kernel_pid_t	sender_pid;
309  	__kernel_uid32_t	sender_euid;
310  	binder_size_t	data_size;	/* number of bytes of data */
311  	binder_size_t	offsets_size;	/* number of bytes of offsets */
312  
313  	/* If this transaction is inline, the data immediately
314  	 * follows here; otherwise, it ends with a pointer to
315  	 * the data buffer.
316  	 */
317  	union {
318  		struct {
319  			/* transaction data */
320  			binder_uintptr_t	buffer;
321  			/* offsets from buffer to flat_binder_object structs */
322  			binder_uintptr_t	offsets;
323  		} ptr;
324  		__u8	buf[8];
325  	} data;
326  };
327  
328  struct binder_transaction_data_secctx {
329  	struct binder_transaction_data transaction_data;
330  	binder_uintptr_t secctx;
331  };
332  
333  struct binder_transaction_data_sg {
334  	struct binder_transaction_data transaction_data;
335  	binder_size_t buffers_size;
336  };
337  
338  struct binder_ptr_cookie {
339  	binder_uintptr_t ptr;
340  	binder_uintptr_t cookie;
341  };
342  
343  struct binder_handle_cookie {
344  	__u32 handle;
345  	binder_uintptr_t cookie;
346  } __packed;
347  
348  struct binder_pri_desc {
349  	__s32 priority;
350  	__u32 desc;
351  };
352  
353  struct binder_pri_ptr_cookie {
354  	__s32 priority;
355  	binder_uintptr_t ptr;
356  	binder_uintptr_t cookie;
357  };
358  
359  enum binder_driver_return_protocol {
360  	BR_ERROR = _IOR('r', 0, __s32),
361  	/*
362  	 * int: error code
363  	 */
364  
365  	BR_OK = _IO('r', 1),
366  	/* No parameters! */
367  
368  	BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
369  				      struct binder_transaction_data_secctx),
370  	/*
371  	 * binder_transaction_data_secctx: the received command.
372  	 */
373  	BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
374  	BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
375  	/*
376  	 * binder_transaction_data: the received command.
377  	 */
378  
379  	BR_ACQUIRE_RESULT = _IOR('r', 4, __s32),
380  	/*
381  	 * not currently supported
382  	 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
383  	 * Else the remote object has acquired a primary reference.
384  	 */
385  
386  	BR_DEAD_REPLY = _IO('r', 5),
387  	/*
388  	 * The target of the last transaction (either a bcTRANSACTION or
389  	 * a bcATTEMPT_ACQUIRE) is no longer with us.  No parameters.
390  	 */
391  
392  	BR_TRANSACTION_COMPLETE = _IO('r', 6),
393  	/*
394  	 * No parameters... always refers to the last transaction requested
395  	 * (including replies).  Note that this will be sent even for
396  	 * asynchronous transactions.
397  	 */
398  
399  	BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie),
400  	BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie),
401  	BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie),
402  	BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie),
403  	/*
404  	 * void *:	ptr to binder
405  	 * void *: cookie for binder
406  	 */
407  
408  	BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie),
409  	/*
410  	 * not currently supported
411  	 * int:	priority
412  	 * void *: ptr to binder
413  	 * void *: cookie for binder
414  	 */
415  
416  	BR_NOOP = _IO('r', 12),
417  	/*
418  	 * No parameters.  Do nothing and examine the next command.  It exists
419  	 * primarily so that we can replace it with a BR_SPAWN_LOOPER command.
420  	 */
421  
422  	BR_SPAWN_LOOPER = _IO('r', 13),
423  	/*
424  	 * No parameters.  The driver has determined that a process has no
425  	 * threads waiting to service incoming transactions.  When a process
426  	 * receives this command, it must spawn a new service thread and
427  	 * register it via bcENTER_LOOPER.
428  	 */
429  
430  	BR_FINISHED = _IO('r', 14),
431  	/*
432  	 * not currently supported
433  	 * stop threadpool thread
434  	 */
435  
436  	BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t),
437  	/*
438  	 * void *: cookie
439  	 */
440  	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t),
441  	/*
442  	 * void *: cookie
443  	 */
444  
445  	BR_FAILED_REPLY = _IO('r', 17),
446  	/*
447  	 * The last transaction (either a bcTRANSACTION or
448  	 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory).  No parameters.
449  	 */
450  
451  	BR_FROZEN_REPLY = _IO('r', 18),
452  	/*
453  	 * The target of the last sync transaction (either a bcTRANSACTION or
454  	 * a bcATTEMPT_ACQUIRE) is frozen.  No parameters.
455  	 */
456  
457  	BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19),
458  	/*
459  	 * Current process sent too many oneway calls to target, and the last
460  	 * asynchronous transaction makes the allocated async buffer size exceed
461  	 * detection threshold.  No parameters.
462  	 */
463  
464  	BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20),
465  	/*
466  	 * The target of the last async transaction is frozen.  No parameters.
467  	 */
468  };
469  
470  enum binder_driver_command_protocol {
471  	BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data),
472  	BC_REPLY = _IOW('c', 1, struct binder_transaction_data),
473  	/*
474  	 * binder_transaction_data: the sent command.
475  	 */
476  
477  	BC_ACQUIRE_RESULT = _IOW('c', 2, __s32),
478  	/*
479  	 * not currently supported
480  	 * int:  0 if the last BR_ATTEMPT_ACQUIRE was not successful.
481  	 * Else you have acquired a primary reference on the object.
482  	 */
483  
484  	BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t),
485  	/*
486  	 * void *: ptr to transaction data received on a read
487  	 */
488  
489  	BC_INCREFS = _IOW('c', 4, __u32),
490  	BC_ACQUIRE = _IOW('c', 5, __u32),
491  	BC_RELEASE = _IOW('c', 6, __u32),
492  	BC_DECREFS = _IOW('c', 7, __u32),
493  	/*
494  	 * int:	descriptor
495  	 */
496  
497  	BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie),
498  	BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie),
499  	/*
500  	 * void *: ptr to binder
501  	 * void *: cookie for binder
502  	 */
503  
504  	BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc),
505  	/*
506  	 * not currently supported
507  	 * int: priority
508  	 * int: descriptor
509  	 */
510  
511  	BC_REGISTER_LOOPER = _IO('c', 11),
512  	/*
513  	 * No parameters.
514  	 * Register a spawned looper thread with the device.
515  	 */
516  
517  	BC_ENTER_LOOPER = _IO('c', 12),
518  	BC_EXIT_LOOPER = _IO('c', 13),
519  	/*
520  	 * No parameters.
521  	 * These two commands are sent as an application-level thread
522  	 * enters and exits the binder loop, respectively.  They are
523  	 * used so the binder can have an accurate count of the number
524  	 * of looping threads it has available.
525  	 */
526  
527  	BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14,
528  						struct binder_handle_cookie),
529  	/*
530  	 * int: handle
531  	 * void *: cookie
532  	 */
533  
534  	BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15,
535  						struct binder_handle_cookie),
536  	/*
537  	 * int: handle
538  	 * void *: cookie
539  	 */
540  
541  	BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t),
542  	/*
543  	 * void *: cookie
544  	 */
545  
546  	BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg),
547  	BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg),
548  	/*
549  	 * binder_transaction_data_sg: the sent command.
550  	 */
551  };
552  
553  #endif /* _UAPI_LINUX_BINDER_H */
554  
555