1/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
2/*
3 * Copyright (C) 2008 Google, Inc.
4 *
5 * Based on, but no longer compatible with, the original
6 * OpenBinder.org binder driver interface, which is:
7 *
8 * Copyright (c) 2005 Palmsource, Inc.
9 *
10 * This software is licensed under the terms of the GNU General Public
11 * License version 2, as published by the Free Software Foundation, and
12 * may be copied, distributed, and modified under those terms.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 * GNU General Public License for more details.
18 *
19 */
20
21#ifndef _UAPI_LINUX_BINDER_H
22#define _UAPI_LINUX_BINDER_H
23
24#include <linux/types.h>
25#include <linux/ioctl.h>
26
27#define B_PACK_CHARS(c1, c2, c3, c4) \
28	((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
29#define B_TYPE_LARGE 0x85
30
31enum {
32	BINDER_TYPE_BINDER	= B_PACK_CHARS('s', 'b', '*', B_TYPE_LARGE),
33	BINDER_TYPE_WEAK_BINDER	= B_PACK_CHARS('w', 'b', '*', B_TYPE_LARGE),
34	BINDER_TYPE_HANDLE	= B_PACK_CHARS('s', 'h', '*', B_TYPE_LARGE),
35	BINDER_TYPE_WEAK_HANDLE	= B_PACK_CHARS('w', 'h', '*', B_TYPE_LARGE),
36	BINDER_TYPE_FD		= B_PACK_CHARS('f', 'd', '*', B_TYPE_LARGE),
37	BINDER_TYPE_FDA		= B_PACK_CHARS('f', 'd', 'a', B_TYPE_LARGE),
38	BINDER_TYPE_PTR		= B_PACK_CHARS('p', 't', '*', B_TYPE_LARGE),
39};
40
41enum {
42	FLAT_BINDER_FLAG_PRIORITY_MASK = 0xff,
43	FLAT_BINDER_FLAG_ACCEPTS_FDS = 0x100,
44
45	/**
46	 * @FLAT_BINDER_FLAG_TXN_SECURITY_CTX: request security contexts
47	 *
48	 * Only when set, causes senders to include their security
49	 * context
50	 */
51	FLAT_BINDER_FLAG_TXN_SECURITY_CTX = 0x1000,
52};
53
54#ifdef BINDER_IPC_32BIT
55typedef __u32 binder_size_t;
56typedef __u32 binder_uintptr_t;
57#else
58typedef __u64 binder_size_t;
59typedef __u64 binder_uintptr_t;
60#endif
61
62/**
63 * struct binder_object_header - header shared by all binder metadata objects.
64 * @type:	type of the object
65 */
66struct binder_object_header {
67	__u32        type;
68};
69
70/*
71 * This is the flattened representation of a Binder object for transfer
72 * between processes.  The 'offsets' supplied as part of a binder transaction
73 * contains offsets into the data where these structures occur.  The Binder
74 * driver takes care of re-writing the structure type and data as it moves
75 * between processes.
76 */
77struct flat_binder_object {
78	struct binder_object_header	hdr;
79	__u32				flags;
80
81	/* 8 bytes of data. */
82	union {
83		binder_uintptr_t	binder;	/* local object */
84		__u32			handle;	/* remote object */
85	};
86
87	/* extra data associated with local object */
88	binder_uintptr_t	cookie;
89};
90
91/**
92 * struct binder_fd_object - describes a filedescriptor to be fixed up.
93 * @hdr:	common header structure
94 * @pad_flags:	padding to remain compatible with old userspace code
95 * @pad_binder:	padding to remain compatible with old userspace code
96 * @fd:		file descriptor
97 * @cookie:	opaque data, used by user-space
98 */
99struct binder_fd_object {
100	struct binder_object_header	hdr;
101	__u32				pad_flags;
102	union {
103		binder_uintptr_t	pad_binder;
104		__u32			fd;
105	};
106
107	binder_uintptr_t		cookie;
108};
109
110/* struct binder_buffer_object - object describing a userspace buffer
111 * @hdr:		common header structure
112 * @flags:		one or more BINDER_BUFFER_* flags
113 * @buffer:		address of the buffer
114 * @length:		length of the buffer
115 * @parent:		index in offset array pointing to parent buffer
116 * @parent_offset:	offset in @parent pointing to this buffer
117 *
118 * A binder_buffer object represents an object that the
119 * binder kernel driver can copy verbatim to the target
120 * address space. A buffer itself may be pointed to from
121 * within another buffer, meaning that the pointer inside
122 * that other buffer needs to be fixed up as well. This
123 * can be done by setting the BINDER_BUFFER_FLAG_HAS_PARENT
124 * flag in @flags, by setting @parent buffer to the index
125 * in the offset array pointing to the parent binder_buffer_object,
126 * and by setting @parent_offset to the offset in the parent buffer
127 * at which the pointer to this buffer is located.
128 */
129struct binder_buffer_object {
130	struct binder_object_header	hdr;
131	__u32				flags;
132	binder_uintptr_t		buffer;
133	binder_size_t			length;
134	binder_size_t			parent;
135	binder_size_t			parent_offset;
136};
137
138enum {
139	BINDER_BUFFER_FLAG_HAS_PARENT = 0x01,
140};
141
142/* struct binder_fd_array_object - object describing an array of fds in a buffer
143 * @hdr:		common header structure
144 * @pad:		padding to ensure correct alignment
145 * @num_fds:		number of file descriptors in the buffer
146 * @parent:		index in offset array to buffer holding the fd array
147 * @parent_offset:	start offset of fd array in the buffer
148 *
149 * A binder_fd_array object represents an array of file
150 * descriptors embedded in a binder_buffer_object. It is
151 * different from a regular binder_buffer_object because it
152 * describes a list of file descriptors to fix up, not an opaque
153 * blob of memory, and hence the kernel needs to treat it differently.
154 *
155 * An example of how this would be used is with Android's
156 * native_handle_t object, which is a struct with a list of integers
157 * and a list of file descriptors. The native_handle_t struct itself
158 * will be represented by a struct binder_buffer_objct, whereas the
159 * embedded list of file descriptors is represented by a
160 * struct binder_fd_array_object with that binder_buffer_object as
161 * a parent.
162 */
163struct binder_fd_array_object {
164	struct binder_object_header	hdr;
165	__u32				pad;
166	binder_size_t			num_fds;
167	binder_size_t			parent;
168	binder_size_t			parent_offset;
169};
170
171/*
172 * On 64-bit platforms where user code may run in 32-bits the driver must
173 * translate the buffer (and local binder) addresses appropriately.
174 */
175
176struct binder_write_read {
177	binder_size_t		write_size;	/* bytes to write */
178	binder_size_t		write_consumed;	/* bytes consumed by driver */
179	binder_uintptr_t	write_buffer;
180	binder_size_t		read_size;	/* bytes to read */
181	binder_size_t		read_consumed;	/* bytes consumed by driver */
182	binder_uintptr_t	read_buffer;
183};
184
185/* Use with BINDER_VERSION, driver fills in fields. */
186struct binder_version {
187	/* driver protocol version -- increment with incompatible change */
188	__s32       protocol_version;
189};
190
191/* This is the current protocol version. */
192#ifdef BINDER_IPC_32BIT
193#define BINDER_CURRENT_PROTOCOL_VERSION 7
194#else
195#define BINDER_CURRENT_PROTOCOL_VERSION 8
196#endif
197
198/*
199 * Use with BINDER_GET_NODE_DEBUG_INFO, driver reads ptr, writes to all fields.
200 * Set ptr to NULL for the first call to get the info for the first node, and
201 * then repeat the call passing the previously returned value to get the next
202 * nodes.  ptr will be 0 when there are no more nodes.
203 */
204struct binder_node_debug_info {
205	binder_uintptr_t ptr;
206	binder_uintptr_t cookie;
207	__u32            has_strong_ref;
208	__u32            has_weak_ref;
209};
210
211struct binder_node_info_for_ref {
212	__u32            handle;
213	__u32            strong_count;
214	__u32            weak_count;
215	__u32            reserved1;
216	__u32            reserved2;
217	__u32            reserved3;
218};
219
220struct binder_freeze_info {
221	__u32            pid;
222	__u32            enable;
223	__u32            timeout_ms;
224};
225
226struct binder_frozen_status_info {
227	__u32            pid;
228
229	/* process received sync transactions since last frozen
230	 * bit 0: received sync transaction after being frozen
231	 * bit 1: new pending sync transaction during freezing
232	 */
233	__u32            sync_recv;
234
235	/* process received async transactions since last frozen */
236	__u32            async_recv;
237};
238
239/* struct binder_extened_error - extended error information
240 * @id:		identifier for the failed operation
241 * @command:	command as defined by binder_driver_return_protocol
242 * @param:	parameter holding a negative errno value
243 *
244 * Used with BINDER_GET_EXTENDED_ERROR. This extends the error information
245 * returned by the driver upon a failed operation. Userspace can pull this
246 * data to properly handle specific error scenarios.
247 */
248struct binder_extended_error {
249	__u32	id;
250	__u32	command;
251	__s32	param;
252};
253
254enum {
255	BINDER_WRITE_READ		= _IOWR('b', 1, struct binder_write_read),
256	BINDER_SET_IDLE_TIMEOUT		= _IOW('b', 3, __s64),
257	BINDER_SET_MAX_THREADS		= _IOW('b', 5, __u32),
258	BINDER_SET_IDLE_PRIORITY	= _IOW('b', 6, __s32),
259	BINDER_SET_CONTEXT_MGR		= _IOW('b', 7, __s32),
260	BINDER_THREAD_EXIT		= _IOW('b', 8, __s32),
261	BINDER_VERSION			= _IOWR('b', 9, struct binder_version),
262	BINDER_GET_NODE_DEBUG_INFO	= _IOWR('b', 11, struct binder_node_debug_info),
263	BINDER_GET_NODE_INFO_FOR_REF	= _IOWR('b', 12, struct binder_node_info_for_ref),
264	BINDER_SET_CONTEXT_MGR_EXT	= _IOW('b', 13, struct flat_binder_object),
265	BINDER_FREEZE			= _IOW('b', 14, struct binder_freeze_info),
266	BINDER_GET_FROZEN_INFO		= _IOWR('b', 15, struct binder_frozen_status_info),
267	BINDER_ENABLE_ONEWAY_SPAM_DETECTION	= _IOW('b', 16, __u32),
268	BINDER_GET_EXTENDED_ERROR	= _IOWR('b', 17, struct binder_extended_error),
269};
270
271/*
272 * NOTE: Two special error codes you should check for when calling
273 * in to the driver are:
274 *
275 * EINTR -- The operation has been interupted.  This should be
276 * handled by retrying the ioctl() until a different error code
277 * is returned.
278 *
279 * ECONNREFUSED -- The driver is no longer accepting operations
280 * from your process.  That is, the process is being destroyed.
281 * You should handle this by exiting from your process.  Note
282 * that once this error code is returned, all further calls to
283 * the driver from any thread will return this same code.
284 */
285
286enum transaction_flags {
287	TF_ONE_WAY	= 0x01,	/* this is a one-way call: async, no return */
288	TF_ROOT_OBJECT	= 0x04,	/* contents are the component's root object */
289	TF_STATUS_CODE	= 0x08,	/* contents are a 32-bit status code */
290	TF_ACCEPT_FDS	= 0x10,	/* allow replies with file descriptors */
291	TF_CLEAR_BUF	= 0x20,	/* clear buffer on txn complete */
292	TF_UPDATE_TXN	= 0x40,	/* update the outdated pending async txn */
293};
294
295struct binder_transaction_data {
296	/* The first two are only used for bcTRANSACTION and brTRANSACTION,
297	 * identifying the target and contents of the transaction.
298	 */
299	union {
300		/* target descriptor of command transaction */
301		__u32	handle;
302		/* target descriptor of return transaction */
303		binder_uintptr_t ptr;
304	} target;
305	binder_uintptr_t	cookie;	/* target object cookie */
306	__u32		code;		/* transaction command */
307
308	/* General information about the transaction. */
309	__u32	        flags;
310	__kernel_pid_t	sender_pid;
311	__kernel_uid32_t	sender_euid;
312	binder_size_t	data_size;	/* number of bytes of data */
313	binder_size_t	offsets_size;	/* number of bytes of offsets */
314
315	/* If this transaction is inline, the data immediately
316	 * follows here; otherwise, it ends with a pointer to
317	 * the data buffer.
318	 */
319	union {
320		struct {
321			/* transaction data */
322			binder_uintptr_t	buffer;
323			/* offsets from buffer to flat_binder_object structs */
324			binder_uintptr_t	offsets;
325		} ptr;
326		__u8	buf[8];
327	} data;
328};
329
330struct binder_transaction_data_secctx {
331	struct binder_transaction_data transaction_data;
332	binder_uintptr_t secctx;
333};
334
335struct binder_transaction_data_sg {
336	struct binder_transaction_data transaction_data;
337	binder_size_t buffers_size;
338};
339
340struct binder_ptr_cookie {
341	binder_uintptr_t ptr;
342	binder_uintptr_t cookie;
343};
344
345struct binder_handle_cookie {
346	__u32 handle;
347	binder_uintptr_t cookie;
348} __packed;
349
350struct binder_pri_desc {
351	__s32 priority;
352	__u32 desc;
353};
354
355struct binder_pri_ptr_cookie {
356	__s32 priority;
357	binder_uintptr_t ptr;
358	binder_uintptr_t cookie;
359};
360
361enum binder_driver_return_protocol {
362	BR_ERROR = _IOR('r', 0, __s32),
363	/*
364	 * int: error code
365	 */
366
367	BR_OK = _IO('r', 1),
368	/* No parameters! */
369
370	BR_TRANSACTION_SEC_CTX = _IOR('r', 2,
371				      struct binder_transaction_data_secctx),
372	/*
373	 * binder_transaction_data_secctx: the received command.
374	 */
375	BR_TRANSACTION = _IOR('r', 2, struct binder_transaction_data),
376	BR_REPLY = _IOR('r', 3, struct binder_transaction_data),
377	/*
378	 * binder_transaction_data: the received command.
379	 */
380
381	BR_ACQUIRE_RESULT = _IOR('r', 4, __s32),
382	/*
383	 * not currently supported
384	 * int: 0 if the last bcATTEMPT_ACQUIRE was not successful.
385	 * Else the remote object has acquired a primary reference.
386	 */
387
388	BR_DEAD_REPLY = _IO('r', 5),
389	/*
390	 * The target of the last transaction (either a bcTRANSACTION or
391	 * a bcATTEMPT_ACQUIRE) is no longer with us.  No parameters.
392	 */
393
394	BR_TRANSACTION_COMPLETE = _IO('r', 6),
395	/*
396	 * No parameters... always refers to the last transaction requested
397	 * (including replies).  Note that this will be sent even for
398	 * asynchronous transactions.
399	 */
400
401	BR_INCREFS = _IOR('r', 7, struct binder_ptr_cookie),
402	BR_ACQUIRE = _IOR('r', 8, struct binder_ptr_cookie),
403	BR_RELEASE = _IOR('r', 9, struct binder_ptr_cookie),
404	BR_DECREFS = _IOR('r', 10, struct binder_ptr_cookie),
405	/*
406	 * void *:	ptr to binder
407	 * void *: cookie for binder
408	 */
409
410	BR_ATTEMPT_ACQUIRE = _IOR('r', 11, struct binder_pri_ptr_cookie),
411	/*
412	 * not currently supported
413	 * int:	priority
414	 * void *: ptr to binder
415	 * void *: cookie for binder
416	 */
417
418	BR_NOOP = _IO('r', 12),
419	/*
420	 * No parameters.  Do nothing and examine the next command.  It exists
421	 * primarily so that we can replace it with a BR_SPAWN_LOOPER command.
422	 */
423
424	BR_SPAWN_LOOPER = _IO('r', 13),
425	/*
426	 * No parameters.  The driver has determined that a process has no
427	 * threads waiting to service incoming transactions.  When a process
428	 * receives this command, it must spawn a new service thread and
429	 * register it via bcENTER_LOOPER.
430	 */
431
432	BR_FINISHED = _IO('r', 14),
433	/*
434	 * not currently supported
435	 * stop threadpool thread
436	 */
437
438	BR_DEAD_BINDER = _IOR('r', 15, binder_uintptr_t),
439	/*
440	 * void *: cookie
441	 */
442	BR_CLEAR_DEATH_NOTIFICATION_DONE = _IOR('r', 16, binder_uintptr_t),
443	/*
444	 * void *: cookie
445	 */
446
447	BR_FAILED_REPLY = _IO('r', 17),
448	/*
449	 * The last transaction (either a bcTRANSACTION or
450	 * a bcATTEMPT_ACQUIRE) failed (e.g. out of memory).  No parameters.
451	 */
452
453	BR_FROZEN_REPLY = _IO('r', 18),
454	/*
455	 * The target of the last sync transaction (either a bcTRANSACTION or
456	 * a bcATTEMPT_ACQUIRE) is frozen.  No parameters.
457	 */
458
459	BR_ONEWAY_SPAM_SUSPECT = _IO('r', 19),
460	/*
461	 * Current process sent too many oneway calls to target, and the last
462	 * asynchronous transaction makes the allocated async buffer size exceed
463	 * detection threshold.  No parameters.
464	 */
465
466	BR_TRANSACTION_PENDING_FROZEN = _IO('r', 20),
467	/*
468	 * The target of the last async transaction is frozen.  No parameters.
469	 */
470};
471
472enum binder_driver_command_protocol {
473	BC_TRANSACTION = _IOW('c', 0, struct binder_transaction_data),
474	BC_REPLY = _IOW('c', 1, struct binder_transaction_data),
475	/*
476	 * binder_transaction_data: the sent command.
477	 */
478
479	BC_ACQUIRE_RESULT = _IOW('c', 2, __s32),
480	/*
481	 * not currently supported
482	 * int:  0 if the last BR_ATTEMPT_ACQUIRE was not successful.
483	 * Else you have acquired a primary reference on the object.
484	 */
485
486	BC_FREE_BUFFER = _IOW('c', 3, binder_uintptr_t),
487	/*
488	 * void *: ptr to transaction data received on a read
489	 */
490
491	BC_INCREFS = _IOW('c', 4, __u32),
492	BC_ACQUIRE = _IOW('c', 5, __u32),
493	BC_RELEASE = _IOW('c', 6, __u32),
494	BC_DECREFS = _IOW('c', 7, __u32),
495	/*
496	 * int:	descriptor
497	 */
498
499	BC_INCREFS_DONE = _IOW('c', 8, struct binder_ptr_cookie),
500	BC_ACQUIRE_DONE = _IOW('c', 9, struct binder_ptr_cookie),
501	/*
502	 * void *: ptr to binder
503	 * void *: cookie for binder
504	 */
505
506	BC_ATTEMPT_ACQUIRE = _IOW('c', 10, struct binder_pri_desc),
507	/*
508	 * not currently supported
509	 * int: priority
510	 * int: descriptor
511	 */
512
513	BC_REGISTER_LOOPER = _IO('c', 11),
514	/*
515	 * No parameters.
516	 * Register a spawned looper thread with the device.
517	 */
518
519	BC_ENTER_LOOPER = _IO('c', 12),
520	BC_EXIT_LOOPER = _IO('c', 13),
521	/*
522	 * No parameters.
523	 * These two commands are sent as an application-level thread
524	 * enters and exits the binder loop, respectively.  They are
525	 * used so the binder can have an accurate count of the number
526	 * of looping threads it has available.
527	 */
528
529	BC_REQUEST_DEATH_NOTIFICATION = _IOW('c', 14,
530						struct binder_handle_cookie),
531	/*
532	 * int: handle
533	 * void *: cookie
534	 */
535
536	BC_CLEAR_DEATH_NOTIFICATION = _IOW('c', 15,
537						struct binder_handle_cookie),
538	/*
539	 * int: handle
540	 * void *: cookie
541	 */
542
543	BC_DEAD_BINDER_DONE = _IOW('c', 16, binder_uintptr_t),
544	/*
545	 * void *: cookie
546	 */
547
548	BC_TRANSACTION_SG = _IOW('c', 17, struct binder_transaction_data_sg),
549	BC_REPLY_SG = _IOW('c', 18, struct binder_transaction_data_sg),
550	/*
551	 * binder_transaction_data_sg: the sent command.
552	 */
553};
554
555#endif /* _UAPI_LINUX_BINDER_H */
556
557