Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0cfda55b authored by Robert Carr's avatar Robert Carr Committed by Rob Carr
Browse files

DO NOT MERGE: SurfaceControlViewHost: Restrict disclosure of input token 

Currently we send the input (channel) token from the embedded
view hierarchy to the remote embedding process via SurfacePackage.
This is used to call grantEmbeddedWindowFocus. However this could also
allow the host process to invoke updateInputChannel, which is not
desirable. To fix this we rework updateInputChannel to work in terms
of a focusGrantToken, which only carries this 1 capability.
SurfacePackage is modified to not include the input token, but rather
include this focus grant token.

Bug: 215912712
Test: SurfaceControlViewHostTests
Change-Id: Ie278f678f12f50c32f142a4260ff7d1c2a9ca57c
(cherry picked from commit 501ee91b)
parent 8c10a6aa

core/java/android/view/IWindowSession.aidl

+1 −1
Original line number Diff line number Diff line
@@ -306,7 +306,7 @@ interface IWindowSession { 
    */

    void grantInputChannel(int displayId, in SurfaceControl surface, in IWindow window,

            in IBinder hostInputToken, int flags, int privateFlags, int type,

            out InputChannel outInputChannel);

            in IBinder focusGrantToken, out InputChannel outInputChannel);



    /**

     * Update the flags on an input channel associated with a particular surface.

core/java/android/view/SurfaceControlViewHost.java

+1 −1
Original line number Diff line number Diff line
@@ -231,7 +231,7 @@ public class SurfaceControlViewHost { 
    public @Nullable SurfacePackage getSurfacePackage() {

        if (mSurfaceControl != null && mAccessibilityEmbeddedConnection != null) {

            return new SurfacePackage(mSurfaceControl, mAccessibilityEmbeddedConnection,

                    mViewRoot.getInputToken());

                    mWm.getFocusGrantToken());

        } else {

            return null;

        }

core/java/android/view/WindowlessWindowManager.java

+9 −3
Original line number Diff line number Diff line
@@ -22,6 +22,7 @@ import android.graphics.PixelFormat; 
import android.graphics.Point;

import android.graphics.Rect;

import android.graphics.Region;

import android.os.Binder;

import android.os.IBinder;

import android.os.RemoteCallback;

import android.os.RemoteException;
@@ -75,6 +76,7 @@ public class WindowlessWindowManager implements IWindowSession { 
    private final Configuration mConfiguration;

    private final IWindowSession mRealWm;

    private final IBinder mHostInputToken;

    private final IBinder mFocusGrantToken = new Binder();



    private int mForceHeight = -1;

    private int mForceWidth = -1;
@@ -91,6 +93,10 @@ public class WindowlessWindowManager implements IWindowSession { 
        mConfiguration.setTo(configuration);

    }



    IBinder getFocusGrantToken() {

        return mFocusGrantToken;

    }



    /**

     * Utility API.

     */
@@ -153,10 +159,10 @@ public class WindowlessWindowManager implements IWindowSession { 
                    mRealWm.grantInputChannel(displayId,

                        new SurfaceControl(sc, "WindowlessWindowManager.addToDisplay"),

                        window, mHostInputToken, attrs.flags, attrs.privateFlags, attrs.type,

                        outInputChannel);

                        mFocusGrantToken, outInputChannel);

                } else {

                    mRealWm.grantInputChannel(displayId, sc, window, mHostInputToken, attrs.flags,

                        attrs.privateFlags, attrs.type, outInputChannel);

                        attrs.privateFlags, attrs.type, mFocusGrantToken, outInputChannel);

                }

            } catch (RemoteException e) {

                Log.e(TAG, "Failed to grant input to surface: ", e);
@@ -464,7 +470,7 @@ public class WindowlessWindowManager implements IWindowSession { 


    @Override

    public void grantInputChannel(int displayId, SurfaceControl surface, IWindow window,

            IBinder hostInputToken, int flags, int privateFlags, int type,

            IBinder hostInputToken, int flags, int privateFlags, int type, IBinder focusGrantToken,

            InputChannel outInputChannel) {

    }

services/core/java/com/android/server/wm/EmbeddedWindowController.java

+30 −3
Original line number Diff line number Diff line
@@ -41,6 +41,8 @@ class EmbeddedWindowController { 
    private static final String TAG = TAG_WITH_CLASS_NAME ? "EmbeddedWindowController" : TAG_WM;

    /* maps input token to an embedded window */

    private ArrayMap<IBinder /*input token */, EmbeddedWindow> mWindows = new ArrayMap<>();

    private ArrayMap<IBinder /*focus grant token */, EmbeddedWindow> mWindowsByFocusToken =

        new ArrayMap<>();

    private final Object mGlobalLock;

    private final ActivityTaskManagerService mAtmService;
@@ -59,10 +61,13 @@ class EmbeddedWindowController { 
    void add(IBinder inputToken, EmbeddedWindow window) {

        try {

            mWindows.put(inputToken, window);

            final IBinder focusToken = window.getFocusGrantToken();

            mWindowsByFocusToken.put(focusToken, window);

            updateProcessController(window);

            window.mClient.asBinder().linkToDeath(()-> {

                synchronized (mGlobalLock) {

                    mWindows.remove(inputToken);

                    mWindowsByFocusToken.remove(focusToken);

                }

            }, 0);

        } catch (RemoteException e) {
@@ -95,8 +100,10 @@ class EmbeddedWindowController { 


    void remove(IWindow client) {

        for (int i = mWindows.size() - 1; i >= 0; i--) {

            if (mWindows.valueAt(i).mClient.asBinder() == client.asBinder()) {

            EmbeddedWindow ew = mWindows.valueAt(i);

            if (ew.mClient.asBinder() == client.asBinder()) {

                mWindows.removeAt(i).onRemoved();

                mWindowsByFocusToken.remove(ew.getFocusGrantToken());

                return;

            }

        }
@@ -104,8 +111,10 @@ class EmbeddedWindowController { 


    void onWindowRemoved(WindowState host) {

        for (int i = mWindows.size() - 1; i >= 0; i--) {

            if (mWindows.valueAt(i).mHostWindowState == host) {

            EmbeddedWindow ew = mWindows.valueAt(i);

            if (ew.mHostWindowState == host) {

                mWindows.removeAt(i).onRemoved();

                mWindowsByFocusToken.remove(ew.getFocusGrantToken());

            }

        }

    }
@@ -114,6 +123,10 @@ class EmbeddedWindowController { 
        return mWindows.get(inputToken);

    }



    EmbeddedWindow getByFocusToken(IBinder focusGrantToken) {

        return mWindowsByFocusToken.get(focusGrantToken);

    }



    void onActivityRemoved(ActivityRecord activityRecord) {

        for (int i = mWindows.size() - 1; i >= 0; i--) {

            final EmbeddedWindow window = mWindows.valueAt(i);
@@ -139,6 +152,8 @@ class EmbeddedWindowController { 
        InputChannel mInputChannel;

        final int mWindowType;



        private IBinder mFocusGrantToken;



        /**

         * @param session  calling session to check ownership of the window

         * @param clientToken client token used to clean up the map if the embedding process dies
@@ -153,7 +168,7 @@ class EmbeddedWindowController { 
         */

        EmbeddedWindow(Session session, WindowManagerService service, IWindow clientToken,

                       WindowState hostWindowState, int ownerUid, int ownerPid, int windowType,

                       int displayId) {

                       int displayId, IBinder focusGrantToken) {

            mSession = session;

            mWmService = service;

            mClient = clientToken;
@@ -164,6 +179,7 @@ class EmbeddedWindowController { 
            mOwnerPid = ownerPid;

            mWindowType = windowType;

            mDisplayId = displayId;

            mFocusGrantToken = focusGrantToken;

        }



        @Override
@@ -216,5 +232,16 @@ class EmbeddedWindowController { 
        public int getPid() {

            return mOwnerPid;

        }



        IBinder getFocusGrantToken() {

            return mFocusGrantToken;

        }



        IBinder getInputChannelToken() {

            if (mInputChannel != null) {

                return mInputChannel.getToken();

            }

            return null;

        }

    }

}

services/core/java/com/android/server/wm/Session.java

+2 −2
Original line number Diff line number Diff line
@@ -807,7 +807,7 @@ class Session extends IWindowSession.Stub implements IBinder.DeathRecipient { 
    @Override

    public void grantInputChannel(int displayId, SurfaceControl surface,

            IWindow window, IBinder hostInputToken, int flags, int privateFlags, int type,

            InputChannel outInputChannel) {

            IBinder focusGrantToken, InputChannel outInputChannel) {

        if (hostInputToken == null && !mCanAddInternalSystemWindow) {

            // Callers without INTERNAL_SYSTEM_WINDOW permission cannot grant input channel to

            // embedded windows without providing a host window input token
@@ -823,7 +823,7 @@ class Session extends IWindowSession.Stub implements IBinder.DeathRecipient { 
        try {

            mService.grantInputChannel(this, mUid, mPid, displayId, surface, window, hostInputToken,

                    flags, mCanAddInternalSystemWindow ? privateFlags : 0,

                    mCanAddInternalSystemWindow ? type : 0, outInputChannel);

                    mCanAddInternalSystemWindow ? type : 0, focusGrantToken, outInputChannel);

        } finally {

            Binder.restoreCallingIdentity(identity);

        }