Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9a72d228 authored by lumark's avatar lumark
Browse files

Don't allow showing IME on untrusted virtual displays 

Sometimes users can have sensitive information in IME window, such as
predictions or custom background.

If app could create a virtual display with system decorations support,
the security leak may happen that app can read the text or image from
the surface.

Add a check if the display is trusted that owned by system
When showSoftInput requested, if the display is not trusted then
show IME on default display.

Note that we also modified ImeDisplayValidator to use dedicated API
IWindowManager#shouldShowIme for checking if IME support on a display.
(And add it as @TestApi for CTS to verify)

Fix: 129443632
Fix: 129881992
Test: atest MultiDisplaySystemDecorationTests

Change-Id: Icfd66689dad4b782c50b56a515194dd138d3b280
parent c17691b3

api/test-current.txt

+1 −0
Original line number Diff line number Diff line
@@ -3205,6 +3205,7 @@ package android.view { 
    method public default void setShouldShowIme(int, boolean);

    method public default void setShouldShowSystemDecors(int, boolean);

    method public default void setShouldShowWithInsecureKeyguard(int, boolean);

    method public default boolean shouldShowIme(int);

    method public default boolean shouldShowSystemDecors(int);

  }

core/java/android/view/WindowManager.java

+13 −2
Original line number Diff line number Diff line
@@ -508,14 +508,25 @@ public interface WindowManager extends ViewManager { 
     *

     * @param displayId Display ID.

     * @param shouldShow Indicates that the display should show IME.

     * @see KeyguardManager#isDeviceSecure()

     * @see KeyguardManager#isDeviceLocked()

     * @hide

     */

    @TestApi

    default void setShouldShowIme(int displayId, boolean shouldShow) {

    }



    /**

     * Indicates that the display should show IME.

     *

     * @param displayId The id of the display.

     * @return {@code true} if the display should show IME when an input field becomes

     * focused on it.

     * @hide

     */

    @TestApi

    default boolean shouldShowIme(int displayId) {

        return false;

    }



    public static class LayoutParams extends ViewGroup.LayoutParams implements Parcelable {

        /**

         * X position for this window.  With the default gravity it is ignored.

core/java/android/view/WindowManagerImpl.java

+9 −0
Original line number Diff line number Diff line
@@ -192,4 +192,13 @@ public final class WindowManagerImpl implements WindowManager { 
        } catch (RemoteException e) {

        }

    }



    @Override

    public boolean shouldShowIme(int displayId) {

        try {

            return WindowManagerGlobal.getWindowManagerService().shouldShowIme(displayId);

        } catch (RemoteException e) {

        }

        return false;

    }

}

services/core/java/com/android/server/inputmethod/InputMethodManagerService.java

+4 −2
Original line number Diff line number Diff line
@@ -1409,7 +1409,7 @@ public class InputMethodManagerService extends IInputMethodManager.Stub 
        mIWindowManager = IWindowManager.Stub.asInterface(

                ServiceManager.getService(Context.WINDOW_SERVICE));

        mWindowManagerInternal = LocalServices.getService(WindowManagerInternal.class);

        mImeDisplayValidator = mWindowManagerInternal::shouldShowSystemDecorOnDisplay;

        mImeDisplayValidator = displayId -> mWindowManagerInternal.shouldShowIme(displayId);

        mCaller = new HandlerCaller(context, null, new HandlerCaller.Callback() {

            @Override

            public void executeMessage(Message msg) {
@@ -2139,7 +2139,9 @@ public class InputMethodManagerService extends IInputMethodManager.Stub 
        if (displayId == DEFAULT_DISPLAY || displayId == INVALID_DISPLAY) {

            return FALLBACK_DISPLAY_ID;

        }

        // Show IME window on fallback display when the display is not allowed.



        // Show IME window on fallback display when the display doesn't support system decorations

        // or the display is virtual and isn't owned by system for security concern.

        return checker.displayCanShowIme(displayId) ? displayId : FALLBACK_DISPLAY_ID;

    }

services/core/java/com/android/server/wm/WindowManagerInternal.java

+8 −0
Original line number Diff line number Diff line
@@ -484,4 +484,12 @@ public abstract class WindowManagerInternal { 
     * Checks if this display is configured and allowed to show system decorations.

     */

    public abstract boolean shouldShowSystemDecorOnDisplay(int displayId);



    /**

     * Indicates that the display should show IME.

     *

     * @param displayId The id of the display.

     * @return {@code true} if the display should show IME when an input field become focused on it.

     */

    public abstract boolean shouldShowIme(int displayId);

}