Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9ebd6860 authored by Prabir Pradhan's avatar Prabir Pradhan
Browse files

Introduce INPUT_FEATURE_SENSITIVE_FOR_TRACING 

This new input feature flag will allow a window to be treated as
sensitive for input tracing without explicitly needing the window to
also have FLAG_SECURE.

When the input feature is set, it will get converted to
InputConfig::SENSITVE_FOR_TRACING. Windows with FLAG_SECURE will
automatically have this InputConfig set in SF.

In particular, this will be used to mark the lockscreen as sensitive on
all builds so that it doesn't show up in input traces, even when
FLAG_SECURE is not set.

Bug: 210460522
Test: manual
Change-Id: Iabc38277749d561dd44ea2e3ac3471ca65316796
parent 14c1c515

core/java/android/view/InputWindowHandle.java

+1 −0
Original line number Diff line number Diff line
@@ -67,6 +67,7 @@ public final class InputWindowHandle { 
            InputConfig.SPY,

            InputConfig.INTERCEPTS_STYLUS,

            InputConfig.CLONE,

            InputConfig.SENSITIVE_FOR_TRACING,

    })

    public @interface InputConfigFlags {}

core/java/android/view/WindowManager.java

+17 −0
Original line number Diff line number Diff line
@@ -4369,6 +4369,22 @@ public interface WindowManager extends ViewManager { 
        @RequiresPermission(permission.MONITOR_INPUT)

        public static final int INPUT_FEATURE_SPY = 1 << 2;



        /**

         * Input feature used to indicate that this window is sensitive for tracing.

         * <p>

         * A window that uses {@link LayoutParams#FLAG_SECURE} will automatically be treated as

         * a sensitive for input tracing, but this input feature can be set on windows that don't

         * set FLAG_SECURE. The tracing configuration will determine how these sensitive events

         * are eventually traced.

         * <p>

         * This can only be set for trusted system overlays.

         * <p>

         * Note: Input tracing is only available on userdebug and eng builds.

         *

         * @hide

         */

        public static final int INPUT_FEATURE_SENSITIVE_FOR_TRACING = 1 << 3;



        /**

         * An internal annotation for flags that can be specified to {@link #inputFeatures}.

         *
@@ -4381,6 +4397,7 @@ public interface WindowManager extends ViewManager { 
                INPUT_FEATURE_NO_INPUT_CHANNEL,

                INPUT_FEATURE_DISABLE_USER_ACTIVITY,

                INPUT_FEATURE_SPY,

                INPUT_FEATURE_SENSITIVE_FOR_TRACING,

        })

        public @interface InputFeatureFlags {

        }

services/core/java/com/android/server/wm/InputConfigAdapter.java

+4 −1
Original line number Diff line number Diff line
@@ -56,7 +56,10 @@ class InputConfigAdapter { 
                    InputConfig.DISABLE_USER_ACTIVITY, false /* inverted */),

            new FlagMapping(

                    LayoutParams.INPUT_FEATURE_SPY,

                    InputConfig.SPY, false /* inverted */));

                    InputConfig.SPY, false /* inverted */),

            new FlagMapping(

                    LayoutParams.INPUT_FEATURE_SENSITIVE_FOR_TRACING,

                    InputConfig.SENSITIVE_FOR_TRACING, false /* inverted */));



    @InputConfigFlags

    private static final int INPUT_FEATURE_TO_CONFIG_MASK =

services/core/java/com/android/server/wm/WindowManagerService.java

+27 −16
Original line number Diff line number Diff line
@@ -65,6 +65,7 @@ import static android.view.WindowManager.LayoutParams.FLAG_SHOW_WALLPAPER; 
import static android.view.WindowManager.LayoutParams.FLAG_SHOW_WHEN_LOCKED;

import static android.view.WindowManager.LayoutParams.FLAG_SLIPPERY;

import static android.view.WindowManager.LayoutParams.INPUT_FEATURE_NO_INPUT_CHANNEL;

import static android.view.WindowManager.LayoutParams.INPUT_FEATURE_SENSITIVE_FOR_TRACING;

import static android.view.WindowManager.LayoutParams.INPUT_FEATURE_SPY;

import static android.view.WindowManager.LayoutParams.INVALID_WINDOW_TYPE;

import static android.view.WindowManager.LayoutParams.LAST_APPLICATION_WINDOW;
@@ -1718,8 +1719,8 @@ public class WindowManagerService extends IWindowManager.Stub 
            final DisplayPolicy displayPolicy = displayContent.getDisplayPolicy();

            displayPolicy.adjustWindowParamsLw(win, win.mAttrs);

            attrs.flags = sanitizeFlagSlippery(attrs.flags, win.getName(), callingUid, callingPid);

            attrs.inputFeatures = sanitizeSpyWindow(attrs.inputFeatures, win.getName(), callingUid,

                    callingPid);

            attrs.inputFeatures = sanitizeInputFeatures(attrs.inputFeatures, win.getName(),

                    callingUid, callingPid, win.isTrustedOverlay());

            win.setRequestedVisibleTypes(requestedVisibleTypes);



            res = displayPolicy.validateAddingWindowLw(attrs, callingPid, callingUid);
@@ -2289,8 +2290,8 @@ public class WindowManagerService extends IWindowManager.Stub 
            if (attrs != null) {

                displayPolicy.adjustWindowParamsLw(win, attrs);

                attrs.flags = sanitizeFlagSlippery(attrs.flags, win.getName(), uid, pid);

                attrs.inputFeatures = sanitizeSpyWindow(attrs.inputFeatures, win.getName(), uid,

                        pid);

                attrs.inputFeatures = sanitizeInputFeatures(attrs.inputFeatures, win.getName(), uid,

                        pid, win.isTrustedOverlay());

                int disableFlags =

                        (attrs.systemUiVisibility | attrs.subtreeSystemUiVisibility) & DISABLE_MASK;

                if (disableFlags != 0 && !hasStatusBarPermission(pid, uid)) {
@@ -9105,19 +9106,27 @@ public class WindowManagerService extends IWindowManager.Stub 
    }



    /**

     * You need MONITOR_INPUT permission to be able to set INPUT_FEATURE_SPY.

     * Ensure the caller has the right permissions to be able to set the requested input features.

     */

    private int sanitizeSpyWindow(int inputFeatures, String windowName, int callingUid,

            int callingPid) {

        if ((inputFeatures & INPUT_FEATURE_SPY) == 0) {

            return inputFeatures;

        }

    private int sanitizeInputFeatures(int inputFeatures, String windowName, int callingUid,

            int callingPid, boolean isTrustedOverlay) {

        // You need MONITOR_INPUT permission to be able to set INPUT_FEATURE_SPY.

        if ((inputFeatures & INPUT_FEATURE_SPY) != 0) {

            final int permissionResult = mContext.checkPermission(

                    permission.MONITOR_INPUT, callingPid, callingUid);

            if (permissionResult != PackageManager.PERMISSION_GRANTED) {

            throw new IllegalArgumentException("Cannot use INPUT_FEATURE_SPY from '" + windowName

                throw new IllegalArgumentException(

                        "Cannot use INPUT_FEATURE_SPY from '" + windowName

                                + "' because it doesn't the have MONITOR_INPUT permission");

            }

        }



        // You can only use INPUT_FEATURE_SENSITIVE_FOR_TRACING on a trusted overlay.

        if ((inputFeatures & INPUT_FEATURE_SENSITIVE_FOR_TRACING) != 0 && !isTrustedOverlay) {

            Slog.w(TAG, "Removing INPUT_FEATURE_SENSITIVE_FOR_TRACING from '" + windowName

                    + "' because it isn't a trusted overlay");

            return inputFeatures & ~INPUT_FEATURE_SENSITIVE_FOR_TRACING;

        }

        return inputFeatures;

    }
@@ -9194,8 +9203,10 @@ public class WindowManagerService extends IWindowManager.Stub 
        h.setWindowToken(clientToken);

        h.name = name;



        final boolean isTrustedOverlay = (privateFlags & PRIVATE_FLAG_TRUSTED_OVERLAY) != 0;

        flags = sanitizeFlagSlippery(flags, name, callingUid, callingPid);

        inputFeatures = sanitizeSpyWindow(inputFeatures, name, callingUid, callingPid);

        inputFeatures = sanitizeInputFeatures(inputFeatures, name, callingUid, callingPid,

                isTrustedOverlay);



        final int sanitizedLpFlags =

                (flags & (FLAG_NOT_TOUCHABLE | FLAG_SLIPPERY | LayoutParams.FLAG_NOT_FOCUSABLE))
@@ -9232,7 +9243,7 @@ public class WindowManagerService extends IWindowManager.Stub 


        final SurfaceControl.Transaction t = mTransactionFactory.get();

        //  Check private trusted overlay flag to set trustedOverlay field of input window handle.

        h.setTrustedOverlay(t, surface, (privateFlags & PRIVATE_FLAG_TRUSTED_OVERLAY) != 0);

        h.setTrustedOverlay(t, surface, isTrustedOverlay);

        t.setInputWindowInfo(surface, h);

        t.apply();

        t.close();

services/tests/wmtests/src/com/android/server/wm/WindowManagerServiceTests.java

+29 −0
Original line number Diff line number Diff line
@@ -28,6 +28,7 @@ import static android.view.Display.INVALID_DISPLAY; 
import static android.view.flags.Flags.FLAG_SENSITIVE_CONTENT_APP_PROTECTION;

import static android.view.WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE;

import static android.view.WindowManager.LayoutParams.FLAG_SECURE;

import static android.view.WindowManager.LayoutParams.INPUT_FEATURE_SENSITIVE_FOR_TRACING;

import static android.view.WindowManager.LayoutParams.INPUT_FEATURE_SPY;

import static android.view.WindowManager.LayoutParams.INVALID_WINDOW_TYPE;

import static android.view.WindowManager.LayoutParams.PRIVATE_FLAG_TRUSTED_OVERLAY;
@@ -1115,6 +1116,34 @@ public class WindowManagerServiceTests extends WindowTestsBase { 
                argThat(h -> (h.inputConfig & InputConfig.SPY) == InputConfig.SPY));

    }



    @Test

    public void testUpdateInputChannel_sanitizeInputFeatureSensitive_forUntrustedWindows() {

        final Session session = mock(Session.class);

        final int callingUid = Process.FIRST_APPLICATION_UID;

        final int callingPid = 1234;

        final SurfaceControl surfaceControl = mock(SurfaceControl.class);

        final IBinder window = new Binder();

        final InputTransferToken inputTransferToken = mock(InputTransferToken.class);



        final InputChannel inputChannel = new InputChannel();

        mWm.grantInputChannel(session, callingUid, callingPid, DEFAULT_DISPLAY, surfaceControl,

                window, null /* hostInputToken */, FLAG_NOT_FOCUSABLE, 0 /* privateFlags */,

                INPUT_FEATURE_SENSITIVE_FOR_TRACING, TYPE_APPLICATION, null /* windowToken */,

                inputTransferToken,

                "TestInputChannel", inputChannel);

        verify(mTransaction).setInputWindowInfo(

                eq(surfaceControl),

                argThat(h -> (h.inputConfig & InputConfig.SENSITIVE_FOR_TRACING) == 0));



        mWm.updateInputChannel(inputChannel.getToken(), DEFAULT_DISPLAY, surfaceControl,

                FLAG_NOT_FOCUSABLE, PRIVATE_FLAG_TRUSTED_OVERLAY,

                INPUT_FEATURE_SENSITIVE_FOR_TRACING,

                null /* region */);

        verify(mTransaction).setInputWindowInfo(

                eq(surfaceControl),

                argThat(h -> (h.inputConfig & InputConfig.SENSITIVE_FOR_TRACING) != 0));

    }



    @RequiresFlagsDisabled(Flags.FLAG_ALWAYS_DRAW_MAGNIFICATION_FULLSCREEN_BORDER)

    @Test

    public void testDrawMagnifiedViewport() {