
Commit c027f365 authored by brycelee's avatar brycelee

Clear Binder identity on calls into DreamService.

There are multiple entry points where DreamService is accessed
by either the System or SystemUI. In these cases, the
Binder identity should be cleared to prevent the DreamService
implementation from running in an elevated state.

Test: atest DreamServiceTest
Fixed: 406895224
Flag: EXEMPT bugfix
Change-Id: I8e76f590d6f65ae689f5220b233b7197f2e731b4
parent 1f0f41a6
+40 −9
@@ -1211,13 +1211,23 @@ public class DreamService extends Service implements Window.Callback {
        mOverlayCallback = new IDreamOverlayCallback.Stub() {
            @Override
            public void onExitRequested() {
                final long token = Binder.clearCallingIdentity();
                try {
                    // Simply finish dream when exit is requested.
                    mHandler.post(() -> finishInternal());
                } finally {
                    Binder.restoreCallingIdentity(token);
                }
            }

            @Override
            public void onRedirectWake(boolean redirect) {
                final long token = Binder.clearCallingIdentity();
                try {
                    mRedirectWake = redirect;
                } finally {
                    Binder.restoreCallingIdentity(token);
                }
            }
        };

@@ -1883,25 +1893,46 @@ public class DreamService extends Service implements Window.Callback {
        @Override
        public void attach(final IBinder dreamToken, final boolean canDoze,
                final boolean isPreviewMode, IRemoteCallback started) {
            post(dreamService -> dreamService.attach(dreamToken, canDoze, isPreviewMode, started));
            final long token = Binder.clearCallingIdentity();
            try {
                post(dreamService -> dreamService.attach(dreamToken, canDoze, isPreviewMode,
                        started));
            } finally {
                Binder.restoreCallingIdentity(token);
            }
        }

        @Override
        public void detach() {
            final long token = Binder.clearCallingIdentity();
            try {
                post(DreamService::detach);
            } finally {
                Binder.restoreCallingIdentity(token);
            }
        }

        @Override
        public void wakeUp() {
            final long token = Binder.clearCallingIdentity();
            try {
                post(dreamService -> dreamService.wakeUp(true /*fromSystem*/));
            } finally {
                Binder.restoreCallingIdentity(token);
            }
        }

        @Override
        public void comeToFront() {
            final long token = Binder.clearCallingIdentity();
            try {
                if (!dreamHandlesBeingObscured()) {
                    return;
                }
                post(DreamService::comeToFront);
            } finally {
                Binder.restoreCallingIdentity(token);
            }
        }
    }
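Review bot: In `onExitRequested()` and in the wrapper's `attach()`, `detach()` and `wakeUp()`, the clear/restore pair brackets only the `post(...)` call, so the identity has already been restored by the time the posted dream code runs; the protection there rests on the handler thread not carrying an incoming Binder identity, which the new code does not state. The only work that actually executes under the cleared identity is synchronous: `dreamHandlesBeingObscured()` in `comeToFront()`, and the field write in `onRedirectWake()`, where clearing has no visible effect. I would add a comment at the first site such as `// Identity is cleared for the synchronous part only; the posted work runs later on the handler thread, outside the Binder transaction.` and confirm that DreamServiceTest checks the calling identity as seen from inside the dream callbacks. The six identical try/finally blocks could also share one private helper so a future entry point cannot forget the restore. Both enclosing definitions start outside the visible hunks and `post(...)` itself is not shown, so this assumes it only enqueues work.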