1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 /**
18  * @addtogroup NdkBinder
19  * @{
20  */
21 
22 /**
23  * @file binder_ibinder.h
24  * @brief Object which can receive transactions and be sent across processes.
25  */
26 
27 #pragma once
28 
29 #include <stdint.h>
30 #include <sys/cdefs.h>
31 #include <sys/types.h>
32 
33 #include <android/binder_parcel.h>
34 #include <android/binder_status.h>
35 
36 __BEGIN_DECLS
37 #if __ANDROID_API__ >= __ANDROID_API_Q__
38 
39 // Also see TF_* in kernel's binder.h
40 typedef uint32_t binder_flags_t;
41 enum {
42     /**
43      * The transaction will be dispatched and then returned to the caller. The outgoing process
44      * cannot block a call made by this, and execution of the call will not be waited on. An error
45      * can still be returned if the call is unable to be processed by the binder driver. All oneway
46      * calls are guaranteed to be ordered if they are sent on the same AIBinder object.
47      */
48     FLAG_ONEWAY = 0x01,
49 };
50 
51 // Also see IBinder.h in libbinder
52 typedef uint32_t transaction_code_t;
53 enum {
54     /**
55      * The first transaction code available for user commands (inclusive).
56      */
57     FIRST_CALL_TRANSACTION = 0x00000001,
58     /**
59      * The last transaction code available for user commands (inclusive).
60      */
61     LAST_CALL_TRANSACTION = 0x00ffffff,
62 };
63 
64 /**
65  * Represents a type of AIBinder object which can be sent out.
66  */
67 struct AIBinder_Class;
68 typedef struct AIBinder_Class AIBinder_Class;
69 
70 /**
71  * Represents a local or remote object which can be used for IPC or which can itself be sent.
72  *
73  * This object has a refcount associated with it and will be deleted when its refcount reaches zero.
74  * How methods interactive with this refcount is described below. When using this API, it is
75  * intended for a client of a service to hold a strong reference to that service. This also means
76  * that user data typically should hold a strong reference to a local AIBinder object. A remote
77  * AIBinder object automatically holds a strong reference to the AIBinder object in the server's
78  * process. A typically memory layout looks like this:
79  *
80  * Key:
81  *   --->         Ownership/a strong reference
82  *   ...>         A weak reference
83  *
84  *                         (process boundary)
85  *                                 |
86  * MyInterface ---> AIBinder_Weak  |  ProxyForMyInterface
87  *      ^                .         |          |
88  *      |                .         |          |
89  *      |                v         |          v
90  *   UserData  <---   AIBinder   <-|-      AIBinder
91  *                                 |
92  *
93  * In this way, you'll notice that a proxy for the interface holds a strong reference to the
94  * implementation and that in the server process, the AIBinder object which was sent can be resent
95  * so that the same AIBinder object always represents the same object. This allows, for instance, an
96  * implementation (usually a callback) to transfer all ownership to a remote process and
97  * automatically be deleted when the remote process is done with it or dies. Other memory models are
98  * possible, but this is the standard one.
99  *
100  * If the process containing an AIBinder dies, it is possible to be holding a strong reference to
101  * an object which does not exist. In this case, transactions to this binder will return
102  * STATUS_DEAD_OBJECT. See also AIBinder_linkToDeath, AIBinder_unlinkToDeath, and AIBinder_isAlive.
103  *
104  * Once an AIBinder is created, anywhere it is passed (remotely or locally), there is a 1-1
105  * correspondence between the address of an AIBinder and the object it represents. This means that
106  * when two AIBinder pointers point to the same address, they represent the same object (whether
107  * that object is local or remote). This correspondance can be broken accidentally if AIBinder_new
108  * is erronesouly called to create the same object multiple times.
109  */
110 struct AIBinder;
111 typedef struct AIBinder AIBinder;
112 
113 /**
114  * The AIBinder object associated with this can be retrieved if it is still alive so that it can be
115  * re-used. The intention of this is to enable the same AIBinder object to always represent the same
116  * object.
117  */
118 struct AIBinder_Weak;
119 typedef struct AIBinder_Weak AIBinder_Weak;
120 
121 /**
122  * Represents a handle on a death notification. See AIBinder_linkToDeath/AIBinder_unlinkToDeath.
123  */
124 struct AIBinder_DeathRecipient;
125 typedef struct AIBinder_DeathRecipient AIBinder_DeathRecipient;
126 
127 /**
128  * This is called whenever a new AIBinder object is needed of a specific class.
129  *
130  * \param args these can be used to construct a new class. These are passed from AIBinder_new.
131  * \return this is the userdata representing the class. It can be retrieved using
132  * AIBinder_getUserData.
133  */
134 typedef void* (*AIBinder_Class_onCreate)(void* args);
135 
136 /**
137  * This is called whenever an AIBinder object is no longer referenced and needs destroyed.
138  *
139  * Typically, this just deletes whatever the implementation is.
140  *
141  * \param userData this is the same object returned by AIBinder_Class_onCreate
142  */
143 typedef void (*AIBinder_Class_onDestroy)(void* userData);
144 
145 /**
146  * This is called whenever a transaction needs to be processed by a local implementation.
147  *
148  * \param binder the object being transacted on.
149  * \param code implementation-specific code representing which transaction should be taken.
150  * \param in the implementation-specific input data to this transaction.
151  * \param out the implementation-specific output data to this transaction.
152  *
153  * \return the implementation-specific output code. This may be forwarded from another service, the
154  * result of a parcel read or write, or another error as is applicable to the specific
155  * implementation. Usually, implementation-specific error codes are written to the output parcel,
156  * and the transaction code is reserved for kernel errors or error codes that have been repeated
157  * from subsequent transactions.
158  */
159 typedef binder_status_t (*AIBinder_Class_onTransact)(AIBinder* binder, transaction_code_t code,
160                                                      const AParcel* in, AParcel* out);
161 
162 /**
163  * This creates a new instance of a class of binders which can be instantiated. This is called one
164  * time during library initialization and cleaned up when the process exits or execs.
165  *
166  * None of these parameters can be null.
167  *
168  * \param interfaceDescriptor this is a unique identifier for the class. This is used internally for
169  * sanity checks on transactions.
170  * \param onCreate see AIBinder_Class_onCreate.
171  * \param onDestroy see AIBinder_Class_onDestroy.
172  * \param onTransact see AIBinder_Class_onTransact.
173  *
174  * \return the class object representing these parameters or null on error.
175  */
176 __attribute__((warn_unused_result)) AIBinder_Class* AIBinder_Class_define(
177         const char* interfaceDescriptor, AIBinder_Class_onCreate onCreate,
178         AIBinder_Class_onDestroy onDestroy, AIBinder_Class_onTransact onTransact)
179         __INTRODUCED_IN(29);
180 
181 /**
182  * Dump information about an AIBinder (usually for debugging).
183  *
184  * When no arguments are provided, a brief overview of the interview should be given.
185  *
186  * \param binder interface being dumped
187  * \param fd file descriptor to be dumped to, should be flushed, ownership is not passed.
188  * \param args array of null-terminated strings for dump (may be null if numArgs is 0)
189  * \param numArgs number of args to be sent
190  *
191  * \return binder_status_t result of transaction (if remote, for instance)
192  */
193 typedef binder_status_t (*AIBinder_onDump)(AIBinder* binder, int fd, const char** args,
194                                            uint32_t numArgs);
195 
196 /**
197  * This sets the implementation of the dump method for a class.
198  *
199  * If this isn't set, nothing will be dumped when dump is called (for instance with
200  * android.os.Binder#dump). Must be called before any instance of the class is created.
201  *
202  * \param dump function to call when an instance of this binder class is being dumped.
203  */
204 void AIBinder_Class_setOnDump(AIBinder_Class* clazz, AIBinder_onDump onDump) __INTRODUCED_IN(29);
205 
206 /**
207  * Creates a new binder object of the appropriate class.
208  *
209  * Ownership of args is passed to this object. The lifecycle is implemented with AIBinder_incStrong
210  * and AIBinder_decStrong. When the reference count reaches zero, onDestroy is called.
211  *
212  * When this is called, the refcount is implicitly 1. So, calling decStrong exactly one time is
213  * required to delete this object.
214  *
215  * Once an AIBinder object is created using this API, re-creating that AIBinder for the same
216  * instance of the same class will break pointer equality for that specific AIBinder object. For
217  * instance, if someone erroneously created two AIBinder instances representing the same callback
218  * object and passed one to a hypothetical addCallback function and then later another one to a
219  * hypothetical removeCallback function, the remote process would have no way to determine that
220  * these two objects are actually equal using the AIBinder pointer alone (which they should be able
221  * to do). Also see the suggested memory ownership model suggested above.
222  *
223  * \param clazz the type of the object to be created.
224  * \param args the args to pass to AIBinder_onCreate for that class.
225  *
226  * \return a binder object representing the newly instantiated object.
227  */
228 __attribute__((warn_unused_result)) AIBinder* AIBinder_new(const AIBinder_Class* clazz, void* args)
229         __INTRODUCED_IN(29);
230 
231 /**
232  * If this is hosted in a process other than the current one.
233  *
234  * \param binder the binder being queried.
235  *
236  * \return true if the AIBinder represents an object in another process.
237  */
238 bool AIBinder_isRemote(const AIBinder* binder) __INTRODUCED_IN(29);
239 
240 /**
241  * If this binder is known to be alive. This will not send a transaction to a remote process and
242  * returns a result based on the last known information. That is, whenever a transaction is made,
243  * this is automatically updated to reflect the current alive status of this binder. This will be
244  * updated as the result of a transaction made using AIBinder_transact, but it will also be updated
245  * based on the results of bookkeeping or other transactions made internally.
246  *
247  * \param binder the binder being queried.
248  *
249  * \return true if the binder is alive.
250  */
251 bool AIBinder_isAlive(const AIBinder* binder) __INTRODUCED_IN(29);
252 
253 /**
254  * Built-in transaction for all binder objects. This sends a transaction that will immediately
255  * return. Usually this is used to make sure that a binder is alive, as a placeholder call, or as a
256  * sanity check.
257  *
258  * \param binder the binder being queried.
259  *
260  * \return STATUS_OK if the ping succeeds.
261  */
262 binder_status_t AIBinder_ping(AIBinder* binder) __INTRODUCED_IN(29);
263 
264 /**
265  * Built-in transaction for all binder objects. This dumps information about a given binder.
266  *
267  * See also AIBinder_Class_setOnDump, AIBinder_onDump
268  *
269  * \param binder the binder to dump information about
270  * \param fd where information should be dumped to
271  * \param args null-terminated arguments to pass (may be null if numArgs is 0)
272  * \param numArgs number of args to send
273  *
274  * \return STATUS_OK if dump succeeds (or if there is nothing to dump)
275  */
276 binder_status_t AIBinder_dump(AIBinder* binder, int fd, const char** args, uint32_t numArgs)
277         __INTRODUCED_IN(29);
278 
279 /**
280  * Registers for notifications that the associated binder is dead. The same death recipient may be
281  * associated with multiple different binders. If the binder is local, then no death recipient will
282  * be given (since if the local process dies, then no recipient will exist to recieve a
283  * transaction). The cookie is passed to recipient in the case that this binder dies and can be
284  * null. The exact cookie must also be used to unlink this transaction (see AIBinder_linkToDeath).
285  * This function may return a binder transaction failure. The cookie can be used both for
286  * identification and holding user data.
287  *
288  * If binder is local, this will return STATUS_INVALID_OPERATION.
289  *
290  * \param binder the binder object you want to receive death notifications from.
291  * \param recipient the callback that will receive notifications when/if the binder dies.
292  * \param cookie the value that will be passed to the death recipient on death.
293  *
294  * \return STATUS_OK on success.
295  */
296 binder_status_t AIBinder_linkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
297                                      void* cookie) __INTRODUCED_IN(29);
298 
299 /**
300  * Stops registration for the associated binder dying. Does not delete the recipient. This function
301  * may return a binder transaction failure and in case the death recipient cannot be found, it
302  * returns STATUS_NAME_NOT_FOUND.
303  *
304  * This only ever needs to be called when the AIBinder_DeathRecipient remains for use with other
305  * AIBinder objects. If the death recipient is deleted, all binders will automatically be unlinked.
306  * If the binder dies, it will automatically unlink. If the binder is deleted, it will be
307  * automatically unlinked.
308  *
309  * \param binder the binder object to remove a previously linked death recipient from.
310  * \param recipient the callback to remove.
311  * \param cookie the cookie used to link to death.
312  *
313  * \return STATUS_OK on success. STATUS_NAME_NOT_FOUND if the binder cannot be found to be unlinked.
314  */
315 binder_status_t AIBinder_unlinkToDeath(AIBinder* binder, AIBinder_DeathRecipient* recipient,
316                                        void* cookie) __INTRODUCED_IN(29);
317 
318 /**
319  * This returns the calling UID assuming that this thread is called from a thread that is processing
320  * a binder transaction (for instance, in the implementation of AIBinder_Class_onTransact).
321  *
322  * This can be used with higher-level system services to determine the caller's identity and check
323  * permissions.
324  *
325  * \return calling uid or the current process's UID if this thread isn't processing a transaction.
326  */
327 uid_t AIBinder_getCallingUid();
328 
329 /**
330  * This returns the calling PID assuming that this thread is called from a thread that is processing
331  * a binder transaction (for instance, in the implementation of AIBinder_Class_onTransact).
332  *
333  * This can be used with higher-level system services to determine the caller's identity and check
334  * permissions. However, when doing this, one should be aware of possible TOCTOU problems when the
335  * calling process dies and is replaced with another process with elevated permissions and the same
336  * PID.
337  *
338  * \return calling pid or the current process's PID if this thread isn't processing a transaction.
339  * If the transaction being processed is a oneway transaction, then this method will return 0.
340  */
341 pid_t AIBinder_getCallingPid();
342 
343 /**
344  * This can only be called if a strong reference to this object already exists in process.
345  *
346  * \param binder the binder object to add a refcount to.
347  */
348 void AIBinder_incStrong(AIBinder* binder) __INTRODUCED_IN(29);
349 
350 /**
351  * This will delete the object and call onDestroy once the refcount reaches zero.
352  *
353  * \param binder the binder object to remove a refcount from.
354  */
355 void AIBinder_decStrong(AIBinder* binder) __INTRODUCED_IN(29);
356 
357 /**
358  * For debugging only!
359  *
360  * \param binder the binder object to retrieve the refcount of.
361  *
362  * \return the number of strong-refs on this binder in this process. If binder is null, this will be
363  * -1.
364  */
365 int32_t AIBinder_debugGetRefCount(AIBinder* binder) __INTRODUCED_IN(29);
366 
367 /**
368  * This sets the class of an AIBinder object. This checks to make sure the remote object is of
369  * the expected class. A class must be set in order to use transactions on an AIBinder object.
370  * However, if an object is just intended to be passed through to another process or used as a
371  * handle this need not be called.
372  *
373  * This returns true if the class association succeeds. If it fails, no change is made to the
374  * binder object.
375  *
376  * \param binder the object to attach the class to.
377  * \param clazz the clazz to attach to binder.
378  *
379  * \return true if the binder has the class clazz and if the association was successful.
380  */
381 bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) __INTRODUCED_IN(29);
382 
383 /**
384  * Returns the class that this binder was constructed with or associated with.
385  *
386  * \param binder the object that is being queried.
387  *
388  * \return the class that this binder is associated with. If this binder wasn't created with
389  * AIBinder_new, and AIBinder_associateClass hasn't been called, then this will return null.
390  */
391 const AIBinder_Class* AIBinder_getClass(AIBinder* binder) __INTRODUCED_IN(29);
392 
393 /**
394  * Value returned by onCreate for a local binder. For stateless classes (if onCreate returns
395  * null), this also returns null. For a remote binder, this will always return null.
396  *
397  * \param binder the object that is being queried.
398  *
399  * \return the userdata returned from AIBinder_onCreate when this object was created. This may be
400  * null for stateless objects. For remote objects, this is always null.
401  */
402 void* AIBinder_getUserData(AIBinder* binder) __INTRODUCED_IN(29);
403 
404 /**
405  * A transaction is a series of calls to these functions which looks this
406  * - call AIBinder_prepareTransaction
407  * - fill out the in parcel with parameters (lifetime of the 'in' variable)
408  * - call AIBinder_transact
409  * - read results from the out parcel (lifetime of the 'out' variable)
410  */
411 
412 /**
413  * Creates a parcel to start filling out for a transaction. This may add data to the parcel for
414  * security, debugging, or other purposes. This parcel is to be sent via AIBinder_transact and it
415  * represents the input data to the transaction. It is recommended to check if the object is local
416  * and call directly into its user data before calling this as the parceling and unparceling cost
417  * can be avoided. This AIBinder must be either built with a class or associated with a class before
418  * using this API.
419  *
420  * This does not affect the ownership of binder. When this function succeeds, the in parcel's
421  * ownership is passed to the caller. At this point, the parcel can be filled out and passed to
422  * AIBinder_transact. Alternatively, if there is an error while filling out the parcel, it can be
423  * deleted with AParcel_delete.
424  *
425  * \param binder the binder object to start a transaction on.
426  * \param in out parameter for input data to the transaction.
427  *
428  * \return STATUS_OK on success. This will return STATUS_INVALID_OPERATION if the binder has not yet
429  * been associated with a class (see AIBinder_new and AIBinder_associateClass).
430  */
431 binder_status_t AIBinder_prepareTransaction(AIBinder* binder, AParcel** in) __INTRODUCED_IN(29);
432 
433 /**
434  * Transact using a parcel created from AIBinder_prepareTransaction. This actually communicates with
435  * the object representing this binder object. This also passes out a parcel to be used for the
436  * return transaction. This takes ownership of the in parcel and automatically deletes it after it
437  * is sent to the remote process. The output parcel is the result of the transaction. If the
438  * transaction has FLAG_ONEWAY, the out parcel will be empty. Otherwise, this will block until the
439  * remote process has processed the transaction, and the out parcel will contain the output data
440  * from transaction.
441  *
442  * This does not affect the ownership of binder. The out parcel's ownership is passed to the caller
443  * and must be released with AParcel_delete when finished reading.
444  *
445  * \param binder the binder object to transact on.
446  * \param code the implementation-specific code representing which transaction should be taken.
447  * \param in the implementation-specific input data to this transaction.
448  * \param out the implementation-specific output data to this transaction.
449  * \param flags possible flags to alter the way in which the transaction is conducted or 0.
450  *
451  * \return the result from the kernel or from the remote process. Usually, implementation-specific
452  * error codes are written to the output parcel, and the transaction code is reserved for kernel
453  * errors or error codes that have been repeated from subsequent transactions.
454  */
455 binder_status_t AIBinder_transact(AIBinder* binder, transaction_code_t code, AParcel** in,
456                                   AParcel** out, binder_flags_t flags) __INTRODUCED_IN(29);
457 
458 /**
459  * This does not take any ownership of the input binder, but it can be used to retrieve it if
460  * something else in some process still holds a reference to it.
461  *
462  * \param binder object to create a weak pointer to.
463  *
464  * \return object representing a weak pointer to binder (or null if binder is null).
465  */
466 __attribute__((warn_unused_result)) AIBinder_Weak* AIBinder_Weak_new(AIBinder* binder)
467         __INTRODUCED_IN(29);
468 
469 /**
470  * Deletes the weak reference. This will have no impact on the lifetime of the binder.
471  *
472  * \param weakBinder object created with AIBinder_Weak_new.
473  */
474 void AIBinder_Weak_delete(AIBinder_Weak* weakBinder) __INTRODUCED_IN(29);
475 
476 /**
477  * If promotion succeeds, result will have one strong refcount added to it. Otherwise, this returns
478  * null.
479  *
480  * \param weakBinder weak pointer to attempt retrieving the original object from.
481  *
482  * \return an AIBinder object with one refcount given to the caller or null.
483  */
484 __attribute__((warn_unused_result)) AIBinder* AIBinder_Weak_promote(AIBinder_Weak* weakBinder)
485         __INTRODUCED_IN(29);
486 
487 /**
488  * This function is executed on death receipt. See AIBinder_linkToDeath/AIBinder_unlinkToDeath.
489  *
490  * \param cookie the cookie passed to AIBinder_linkToDeath.
491  */
492 typedef void (*AIBinder_DeathRecipient_onBinderDied)(void* cookie) __INTRODUCED_IN(29);
493 
494 /**
495  * Creates a new binder death recipient. This can be attached to multiple different binder objects.
496  *
497  * \param onBinderDied the callback to call when this death recipient is invoked.
498  *
499  * \return the newly constructed object (or null if onBinderDied is null).
500  */
501 __attribute__((warn_unused_result)) AIBinder_DeathRecipient* AIBinder_DeathRecipient_new(
502         AIBinder_DeathRecipient_onBinderDied onBinderDied) __INTRODUCED_IN(29);
503 
504 /**
505  * Deletes a binder death recipient. It is not necessary to call AIBinder_unlinkToDeath before
506  * calling this as these will all be automatically unlinked.
507  *
508  * \param recipient the binder to delete (previously created with AIBinder_DeathRecipient_new).
509  */
510 void AIBinder_DeathRecipient_delete(AIBinder_DeathRecipient* recipient) __INTRODUCED_IN(29);
511 
512 #endif  //__ANDROID_API__ >= __ANDROID_API_Q__
513 __END_DECLS
514 
515 /** @} */
516