Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 4b36e3aa authored by Daniel Norman's avatar Daniel Norman Committed by Kevin F. Haggerty
Browse files

cleanup: Fix permission protection of setObservedMotionEventSources 

The previous permission protection was done inside a Binder clear
identity call, meaning that it used the permissions of system_server
instead of the permissions of the calling AccessibilityService.

Bug: 419110583
Test: atest AccessibilityServiceInfoTest
Flag: EXEMPT security bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:01bfef47f3b1a14c0bafc2ede609582fc3ba39e7)
Merged-In: If64838388fa31bdc9abb0896d4011bfef8501a7c
Change-Id: If64838388fa31bdc9abb0896d4011bfef8501a7c
parent f91aa873

services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java

+9 −13
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package com.android.server.accessibility;



import static android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING;

import static android.accessibilityservice.AccessibilityService.ACCESSIBILITY_TAKE_SCREENSHOT_REQUEST_INTERVAL_TIMES_MS;

import static android.accessibilityservice.AccessibilityService.KEY_ACCESSIBILITY_SCREENSHOT_COLORSPACE;

import static android.accessibilityservice.AccessibilityService.KEY_ACCESSIBILITY_SCREENSHOT_HARDWAREBUFFER;
@@ -402,19 +403,7 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ 
        mNotificationTimeout = info.notificationTimeout;

        mIsDefault = (info.flags & DEFAULT) != 0;

        mGenericMotionEventSources = info.getMotionEventSources();

        if (android.view.accessibility.Flags.motionEventObserving()) {

            if (mContext.checkCallingOrSelfPermission(

                            android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING)

                    == PackageManager.PERMISSION_GRANTED) {

        mObservedMotionEventSources = info.getObservedMotionEventSources();

            } else {

                Slog.e(

                        LOG_TAG,

                        "Observing motion events requires"

                            + " android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING.");

                mObservedMotionEventSources = 0;

            }

        }



        if (supportsFlagForNotImportantViews(info)) {

            if ((info.flags & AccessibilityServiceInfo.FLAG_INCLUDE_NOT_IMPORTANT_VIEWS) != 0) {
@@ -510,6 +499,13 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ 
            throw new IllegalStateException(

                    "Cannot update service info: size is larger than safe parcelable limits.");

        }

        if (info.getObservedMotionEventSources() != 0

                && mContext.checkCallingPermission(ACCESSIBILITY_MOTION_EVENT_OBSERVING)

                != PackageManager.PERMISSION_GRANTED) {

            Slog.e(LOG_TAG, "Observing motion events requires permission "

                    + ACCESSIBILITY_MOTION_EVENT_OBSERVING);

            info.setObservedMotionEventSources(0);

        }

        final long identity = Binder.clearCallingIdentity();

        try {

            synchronized (mLock) {