1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /** 18 * @addtogroup NdkBinder 19 * @{ 20 */ 21 22 /** 23 * @file binder_ibinder.h 24 * @brief Object which can receive transactions and be sent across processes. 25 */ 26 27 #pragma once 28 29 #include <stdint.h> 30 #include <sys/cdefs.h> 31 #include <sys/types.h> 32 33 #include <android/binder_parcel.h> 34 #include <android/binder_status.h> 35 36 __BEGIN_DECLS 37 #if __ANDROID_API__ >= __ANDROID_API_Q__ 38 39 // Also see TF_* in kernel's binder.h 40 typedef uint32_t binder_flags_t; 41 enum { 42 /** 43 * The transaction will be dispatched and then returned to the caller. The outgoing process 44 * cannot block a call made by this, and execution of the call will not be waited on. An error 45 * can still be returned if the call is unable to be processed by the binder driver. All oneway 46 * calls are guaranteed to be ordered if they are sent on the same AIBinder object. 47 */ 48 FLAG_ONEWAY = 0x01, 49 }; 50 51 // Also see IBinder.h in libbinder 52 typedef uint32_t transaction_code_t; 53 enum { 54 /** 55 * The first transaction code available for user commands (inclusive). 56 */ 57 FIRST_CALL_TRANSACTION = 0x00000001, 58 /** 59 * The last transaction code available for user commands (inclusive). 60 */ 61 LAST_CALL_TRANSACTION = 0x00ffffff, 62 }; 63 64 /** 65 * Represents a type of AIBinder object which can be sent out. 66 */ 67 struct AIBinder_Class; 68 typedef struct AIBinder_Class AIBinder_Class; 69 70 /** 71 * Represents a local or remote object which can be used for IPC or which can itself be sent. 72 * 73 * This object has a refcount associated with it and will be deleted when its refcount reaches zero. 74 * How methods interactive with this refcount is described below. When using this API, it is 75 * intended for a client of a service to hold a strong reference to that service. This also means 76 * that user data typically should hold a strong reference to a local AIBinder object. A remote 77 * AIBinder object automatically holds a strong reference to the AIBinder object in the server's 78 * process. A typically memory layout looks like this: 79 * 80 * Key: 81 * ---> Ownership/a strong reference 82 * ...> A weak reference 83 * 84 * (process boundary) 85 * | 86 * MyInterface ---> AIBinder_Weak | ProxyForMyInterface 87 * ^ . | | 88 * | . | | 89 * | v | v 90 * UserData <--- AIBinder <-|- AIBinder 91 * | 92 * 93 * In this way, you'll notice that a proxy for the interface holds a strong reference to the 94 * implementation and that in the server process, the AIBinder object which was sent can be resent 95 * so that the same AIBinder object always represents the same object. This allows, for instance, an 96 * implementation (usually a callback) to transfer all ownership to a remote process and 97 * automatically be deleted when the remote process is done with it or dies. Other memory models are 98 * possible, but this is the standard one. 99 * 100 * If the process containing an AIBinder dies, it is possible to be holding a strong reference to 101 * an object which does not exist. In this case, transactions to this binder will return 102 * STATUS_DEAD_OBJECT. See also AIBinder_linkToDeath, AIBinder_unlinkToDeath, and AIBinder_isAlive. 103 * 104 * Once an AIBinder is created, anywhere it is passed (remotely or locally), there is a 1-1 105 * correspondence between the address of an AIBinder and the object it represents. This means that 106 * when two AIBinder pointers point to the same address, they represent the same object (whether 107 * that object is local or remote). This correspondance can be broken accidentally if AIBinder_new 108 * is erronesouly called to create the same object multiple times. 109 */ 110 struct AIBinder; 111 typedef struct AIBinder AIBinder; 112 113 /** 114 * The AIBinder object associated with this can be retrieved if it is still alive so that it can be 115 * re-used. The intention of this is to enable the same AIBinder object to always represent the same 116 * object. 117 */ 118 struct AIBinder_Weak; 119 typedef struct AIBinder_Weak AIBinder_Weak; 120 121 /** 122 * Represents a handle on a death notification. See AIBinder_linkToDeath/AIBinder_unlinkToDeath. 123 */ 124 struct AIBinder_DeathRecipient; 125 typedef struct AIBinder_DeathRecipient AIBinder_DeathRecipient; 126 127 /** 128 * This is called whenever a new AIBinder object is needed of a specific class. 129 * 130 * \param args these can be used to construct a new class. These are passed from AIBinder_new. 131 * \return this is the userdata representing the class. It can be retrieved using 132 * AIBinder_getUserData. 133 */ 134 typedef void* (*AIBinder_Class_onCreate)(void* args); 135 136 /** 137 * This is called whenever an AIBinder object is no longer referenced and needs destroyed. 138 * 139 * Typically, this just deletes whatever the implementation is. 140 * 141 * \param userData this is the same object returned by AIBinder_Class_onCreate 142 */ 143 typedef void (*AIBinder_Class_onDestroy)(void* userData); 144 145 /** 146 * This is called whenever a transaction needs to be processed by a local implementation. 147 * 148 * \param binder the object being transacted on. 149 * \param code implementation-specific code representing which transaction should be taken. 150 * \param in the implementation-specific input data to this transaction. 151 * \param out the implementation-specific output data to this transaction. 152 * 153 * \return the implementation-specific output code. This may be forwarded from another service, the 154 * result of a parcel read or write, or another error as is applicable to the specific 155 * implementation. Usually, implementation-specific error codes are written to the output parcel, 156 * and the transaction code is reserved for kernel errors or error codes that have been repeated 157 * from subsequent transactions. 158 */ 159 typedef binder_status_t (*AIBinder_Class_onTransact)(AIBinder* binder, transaction_code_t code, 160 const AParcel* in, AParcel* out); 161 162 /** 163 * This creates a new instance of a class of binders which can be instantiated. This is called one 164 * time during library initialization and cleaned up when the process exits or execs. 165 * 166 * None of these parameters can be null. 167 * 168 * \param interfaceDescriptor this is a unique identifier for the class. This is used internally for 169 * sanity checks on transactions. 170 * \param onCreate see AIBinder_Class_onCreate. 171 * \param onDestroy see AIBinder_Class_onDestroy. 172 * \param onTransact see AIBinder_Class_onTransact. 173 * 174 * \return the class object representing these parameters or null on error. 175 */ 176 __attribute__((warn_unused_result)) AIBinder_Class* AIBinder_Class_define( 177 const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate, 178 AIBinder_Class_onDestroy onDestroy, AIBinder_Class_onTransact onTransact) 179 __INTRODUCED_IN(29); 180 181 /** 182 * Dump information about an AIBinder (usually for debugging). 183 * 184 * When no arguments are provided, a brief overview of the interview should be given. 185 * 186 * \param binder interface being dumped 187 * \param fd file descriptor to be dumped to, should be flushed, ownership is not passed. 188 * \param args array of null-terminated strings for dump (may be null if numArgs is 0) 189 * \param numArgs number of args to be sent 190 * 191 * \return binder_status_t result of transaction (if remote, for instance) 192 */ 193 typedef binder_status_t (*AIBinder_onDump)(AIBinder* binder, int fd, const char** args, 194 uint32_t numArgs); 195 196 /** 197 * This sets the implementation of the dump method for a class. 198 * 199 * If this isn't set, nothing will be dumped when dump is called (for instance with 200 * android.os.Binder#dump). Must be called before any instance of the class is created. 201 * 202 * \param dump function to call when an instance of this binder class is being dumped. 203 */ 204 void AIBinder_Class_setOnDump(AIBinder_Class* clazz, AIBinder_onDump onDump) __INTRODUCED_IN(29); 205 206 /** 207 * Creates a new binder object of the appropriate class. 208 * 209 * Ownership of args is passed to this object. The lifecycle is implemented with AIBinder_incStrong 210 * and AIBinder_decStrong. When the reference count reaches zero, onDestroy is called. 211 * 212 * When this is called, the refcount is implicitly 1. So, calling decStrong exactly one time is 213 * required to delete this object. 214 * 215 * Once an AIBinder object is created using this API, re-creating that AIBinder for the same 216 * instance of the same class will break pointer equality for that specific AIBinder object. For 217 * instance, if someone erroneously created two AIBinder instances representing the same callback 218 * object and passed one to a hypothetical addCallback function and then later another one to a 219 * hypothetical removeCallback function, the remote process would have no way to determine that 220 * these two objects are actually equal using the AIBinder pointer alone (which they should be able 221 * to do). Also see the suggested memory ownership model suggested above. 222 * 223 * \param clazz the type of the object to be created. 224 * \param args the args to pass to AIBinder_onCreate for that class. 225 * 226 * \return a binder object representing the newly instantiated object. 227 */ 228 __attribute__((warn_unused_result)) AIBinder* AIBinder_new(const AIBinder_Class* clazz, void* args) 229 __INTRODUCED_IN(29); 230 231 /** 232 * If this is hosted in a process other than the current one. 233 * 234 * \param binder the binder being queried. 235 * 236 * \return true if the AIBinder represents an object in another process. 237 */ 238 bool AIBinder_isRemote(const AIBinder* binder) __INTRODUCED_IN(29); 239 240 /** 241 * If this binder is known to be alive. This will not send a transaction to a remote process and 242 * returns a result based on the last known information. That is, whenever a transaction is made, 243 * this is automatically updated to reflect the current alive status of this binder. This will be 244 * updated as the result of a transaction made using AIBinder_transact, but it will also be updated 245 * based on the results of bookkeeping or other transactions made internally. 246 * 247 * \param binder the binder being queried. 248 * 249 * \return true if the binder is alive. 250 */ 251 bool AIBinder_isAlive(const AIBinder* binder) __INTRODUCED_IN(29); 252 253 /** 254 * Built-in transaction for all binder objects. This sends a transaction that will immediately 255 * return. Usually this is used to make sure that a binder is alive, as a placeholder call, or as a 256 * sanity check. 257 * 258 * \param binder the binder being queried. 259 * 260 * \return STATUS_OK if the ping succeeds. 261 */ 262 binder_status_t AIBinder_ping(AIBinder* binder) __INTRODUCED_IN(29); 263 264 /** 265 * Built-in transaction for all binder objects. This dumps information about a given binder. 266 * 267 * See also AIBinder_Class_setOnDump, AIBinder_onDump 268 * 269 * \param binder the binder to dump information about 270 * \param fd where information should be dumped to 271 * \param args null-terminated arguments to pass (may be null if numArgs is 0) 272 * \param numArgs number of args to send 273 * 274 * \return STATUS_OK if dump succeeds (or if there is nothing to dump) 275 */ 276 binder_status_t AIBinder_dump(AIBinder* binder, int fd, const char** args, uint32_t numArgs) 277 __INTRODUCED_IN(29); 278 279 /** 280 * Registers for notifications that the associated binder is dead. The same death recipient may be 281 * associated with multiple different binders. If the binder is local, then no death recipient will 282 * be given (since if the local process dies, then no recipient will exist to recieve a 283 * transaction). The cookie is passed to recipient in the case that this binder dies and can be 284 * null. The exact cookie must also be used to unlink this transaction (see AIBinder_linkToDeath). 285 * This function may return a binder transaction failure. The cookie can be used both for 286 * identification and holding user data. 287 * 288 * If binder is local, this will return STATUS_INVALID_OPERATION. 289 * 290 * \param binder the binder object you want to receive death notifications from. 291 * \param recipient the callback that will receive notifications when/if the binder dies. 292 * \param cookie the value that will be passed to the death recipient on death. 293 * 294 * \return STATUS_OK on success. 295 */ 296 binder_status_t AIBinder_linkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient, 297 void* cookie) __INTRODUCED_IN(29); 298 299 /** 300 * Stops registration for the associated binder dying. Does not delete the recipient. This function 301 * may return a binder transaction failure and in case the death recipient cannot be found, it 302 * returns STATUS_NAME_NOT_FOUND. 303 * 304 * This only ever needs to be called when the AIBinder_DeathRecipient remains for use with other 305 * AIBinder objects. If the death recipient is deleted, all binders will automatically be unlinked. 306 * If the binder dies, it will automatically unlink. If the binder is deleted, it will be 307 * automatically unlinked. 308 * 309 * \param binder the binder object to remove a previously linked death recipient from. 310 * \param recipient the callback to remove. 311 * \param cookie the cookie used to link to death. 312 * 313 * \return STATUS_OK on success. STATUS_NAME_NOT_FOUND if the binder cannot be found to be unlinked. 314 */ 315 binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient, 316 void* cookie) __INTRODUCED_IN(29); 317 318 /** 319 * This returns the calling UID assuming that this thread is called from a thread that is processing 320 * a binder transaction (for instance, in the implementation of AIBinder_Class_onTransact). 321 * 322 * This can be used with higher-level system services to determine the caller's identity and check 323 * permissions. 324 * 325 * \return calling uid or the current process's UID if this thread isn't processing a transaction. 326 */ 327 uid_t AIBinder_getCallingUid(); 328 329 /** 330 * This returns the calling PID assuming that this thread is called from a thread that is processing 331 * a binder transaction (for instance, in the implementation of AIBinder_Class_onTransact). 332 * 333 * This can be used with higher-level system services to determine the caller's identity and check 334 * permissions. However, when doing this, one should be aware of possible TOCTOU problems when the 335 * calling process dies and is replaced with another process with elevated permissions and the same 336 * PID. 337 * 338 * \return calling pid or the current process's PID if this thread isn't processing a transaction. 339 * If the transaction being processed is a oneway transaction, then this method will return 0. 340 */ 341 pid_t AIBinder_getCallingPid(); 342 343 /** 344 * This can only be called if a strong reference to this object already exists in process. 345 * 346 * \param binder the binder object to add a refcount to. 347 */ 348 void AIBinder_incStrong(AIBinder* binder) __INTRODUCED_IN(29); 349 350 /** 351 * This will delete the object and call onDestroy once the refcount reaches zero. 352 * 353 * \param binder the binder object to remove a refcount from. 354 */ 355 void AIBinder_decStrong(AIBinder* binder) __INTRODUCED_IN(29); 356 357 /** 358 * For debugging only! 359 * 360 * \param binder the binder object to retrieve the refcount of. 361 * 362 * \return the number of strong-refs on this binder in this process. If binder is null, this will be 363 * -1. 364 */ 365 int32_t AIBinder_debugGetRefCount(AIBinder* binder) __INTRODUCED_IN(29); 366 367 /** 368 * This sets the class of an AIBinder object. This checks to make sure the remote object is of 369 * the expected class. A class must be set in order to use transactions on an AIBinder object. 370 * However, if an object is just intended to be passed through to another process or used as a 371 * handle this need not be called. 372 * 373 * This returns true if the class association succeeds. If it fails, no change is made to the 374 * binder object. 375 * 376 * \param binder the object to attach the class to. 377 * \param clazz the clazz to attach to binder. 378 * 379 * \return true if the binder has the class clazz and if the association was successful. 380 */ 381 bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) __INTRODUCED_IN(29); 382 383 /** 384 * Returns the class that this binder was constructed with or associated with. 385 * 386 * \param binder the object that is being queried. 387 * 388 * \return the class that this binder is associated with. If this binder wasn't created with 389 * AIBinder_new, and AIBinder_associateClass hasn't been called, then this will return null. 390 */ 391 const AIBinder_Class* AIBinder_getClass(AIBinder* binder) __INTRODUCED_IN(29); 392 393 /** 394 * Value returned by onCreate for a local binder. For stateless classes (if onCreate returns 395 * null), this also returns null. For a remote binder, this will always return null. 396 * 397 * \param binder the object that is being queried. 398 * 399 * \return the userdata returned from AIBinder_onCreate when this object was created. This may be 400 * null for stateless objects. For remote objects, this is always null. 401 */ 402 void* AIBinder_getUserData(AIBinder* binder) __INTRODUCED_IN(29); 403 404 /** 405 * A transaction is a series of calls to these functions which looks this 406 * - call AIBinder_prepareTransaction 407 * - fill out the in parcel with parameters (lifetime of the 'in' variable) 408 * - call AIBinder_transact 409 * - read results from the out parcel (lifetime of the 'out' variable) 410 */ 411 412 /** 413 * Creates a parcel to start filling out for a transaction. This may add data to the parcel for 414 * security, debugging, or other purposes. This parcel is to be sent via AIBinder_transact and it 415 * represents the input data to the transaction. It is recommended to check if the object is local 416 * and call directly into its user data before calling this as the parceling and unparceling cost 417 * can be avoided. This AIBinder must be either built with a class or associated with a class before 418 * using this API. 419 * 420 * This does not affect the ownership of binder. When this function succeeds, the in parcel's 421 * ownership is passed to the caller. At this point, the parcel can be filled out and passed to 422 * AIBinder_transact. Alternatively, if there is an error while filling out the parcel, it can be 423 * deleted with AParcel_delete. 424 * 425 * \param binder the binder object to start a transaction on. 426 * \param in out parameter for input data to the transaction. 427 * 428 * \return STATUS_OK on success. This will return STATUS_INVALID_OPERATION if the binder has not yet 429 * been associated with a class (see AIBinder_new and AIBinder_associateClass). 430 */ 431 binder_status_t AIBinder_prepareTransaction(AIBinder* binder, AParcel** in) __INTRODUCED_IN(29); 432 433 /** 434 * Transact using a parcel created from AIBinder_prepareTransaction. This actually communicates with 435 * the object representing this binder object. This also passes out a parcel to be used for the 436 * return transaction. This takes ownership of the in parcel and automatically deletes it after it 437 * is sent to the remote process. The output parcel is the result of the transaction. If the 438 * transaction has FLAG_ONEWAY, the out parcel will be empty. Otherwise, this will block until the 439 * remote process has processed the transaction, and the out parcel will contain the output data 440 * from transaction. 441 * 442 * This does not affect the ownership of binder. The out parcel's ownership is passed to the caller 443 * and must be released with AParcel_delete when finished reading. 444 * 445 * \param binder the binder object to transact on. 446 * \param code the implementation-specific code representing which transaction should be taken. 447 * \param in the implementation-specific input data to this transaction. 448 * \param out the implementation-specific output data to this transaction. 449 * \param flags possible flags to alter the way in which the transaction is conducted or 0. 450 * 451 * \return the result from the kernel or from the remote process. Usually, implementation-specific 452 * error codes are written to the output parcel, and the transaction code is reserved for kernel 453 * errors or error codes that have been repeated from subsequent transactions. 454 */ 455 binder_status_t AIBinder_transact(AIBinder* binder, transaction_code_t code, AParcel** in, 456 AParcel** out, binder_flags_t flags) __INTRODUCED_IN(29); 457 458 /** 459 * This does not take any ownership of the input binder, but it can be used to retrieve it if 460 * something else in some process still holds a reference to it. 461 * 462 * \param binder object to create a weak pointer to. 463 * 464 * \return object representing a weak pointer to binder (or null if binder is null). 465 */ 466 __attribute__((warn_unused_result)) AIBinder_Weak* AIBinder_Weak_new(AIBinder* binder) 467 __INTRODUCED_IN(29); 468 469 /** 470 * Deletes the weak reference. This will have no impact on the lifetime of the binder. 471 * 472 * \param weakBinder object created with AIBinder_Weak_new. 473 */ 474 void AIBinder_Weak_delete(AIBinder_Weak* weakBinder) __INTRODUCED_IN(29); 475 476 /** 477 * If promotion succeeds, result will have one strong refcount added to it. Otherwise, this returns 478 * null. 479 * 480 * \param weakBinder weak pointer to attempt retrieving the original object from. 481 * 482 * \return an AIBinder object with one refcount given to the caller or null. 483 */ 484 __attribute__((warn_unused_result)) AIBinder* AIBinder_Weak_promote(AIBinder_Weak* weakBinder) 485 __INTRODUCED_IN(29); 486 487 /** 488 * This function is executed on death receipt. See AIBinder_linkToDeath/AIBinder_unlinkToDeath. 489 * 490 * \param cookie the cookie passed to AIBinder_linkToDeath. 491 */ 492 typedef void (*AIBinder_DeathRecipient_onBinderDied)(void* cookie) __INTRODUCED_IN(29); 493 494 /** 495 * Creates a new binder death recipient. This can be attached to multiple different binder objects. 496 * 497 * \param onBinderDied the callback to call when this death recipient is invoked. 498 * 499 * \return the newly constructed object (or null if onBinderDied is null). 500 */ 501 __attribute__((warn_unused_result)) AIBinder_DeathRecipient* AIBinder_DeathRecipient_new( 502 AIBinder_DeathRecipient_onBinderDied onBinderDied) __INTRODUCED_IN(29); 503 504 /** 505 * Deletes a binder death recipient. It is not necessary to call AIBinder_unlinkToDeath before 506 * calling this as these will all be automatically unlinked. 507 * 508 * \param recipient the binder to delete (previously created with AIBinder_DeathRecipient_new). 509 */ 510 void AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient* recipient) __INTRODUCED_IN(29); 511 512 #endif //__ANDROID_API__ >= __ANDROID_API_Q__ 513 __END_DECLS 514 515 /** @} */ 516