Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cdf13984 authored by Robert Carr's avatar Robert Carr
Browse files

WM: Call Transaction#sanitize 

Various elements of the Transaction interface require
a permission in order to apply. In particular the setTrustedOverlay
and setInputWindowInfo fields. These permission checks are
implemented by checking the PID and the UID of the process which
sent the transaction. Unfortunately widespread use of transaction
merging makes this inadequate. At the moment
IWindowSession#finishDrawing seems to be the only boundary on which
transactions move from client to system processes, and so we expose
a sanitize method and use it from there to resolve the situation
in an easily backportable way.

Moving forward it likely make sense to move security sensitive
interfaces off of Transaction. Most of the things behind permissions
currently are not truly security sensitive, more of just a request
not to use them.

It was also considered to sanitize transactions at all process
boundaries through writeToParcel, however this could be disruptive
as previously permissioned processes (WM and SysUI) could freely
exchange transactions. As the change needs to be backportable the
lowest risk option was chosen.

Bug: 213644870
Test: Existing tests pass
Change-Id: I8d4a0ebe0cdfaed7ff1ad862724d49a14ed04478
parent 5cc27dd6

core/java/android/view/SurfaceControl.java

+8 −0
Original line number Diff line number Diff line
@@ -254,6 +254,7 @@ public final class SurfaceControl implements Parcelable { 
    private static native int nativeGetLayerId(long nativeObject);

    private static native void nativeAddTransactionCommittedListener(long nativeObject,

            TransactionCommittedListener listener);

    private static native void nativeSanitize(long transactionObject);



    /**

     * Transforms that can be applied to buffers as they are displayed to a window.
@@ -3696,6 +3697,13 @@ public final class SurfaceControl implements Parcelable { 
            return this;

        }



        /**

         * @hide

         */

        public void sanitize() {

            nativeSanitize(mNativeObject);

        }



        /**

         * Merge the other transaction into this transaction, clearing the

         * other transaction as if it had been applied.

core/jni/android_view_SurfaceControl.cpp

+7 −0
Original line number Diff line number Diff line
@@ -952,6 +952,11 @@ static void nativeSetDropInputMode(JNIEnv* env, jclass clazz, jlong transactionO 
    transaction->setDropInputMode(ctrl, static_cast<gui::DropInputMode>(mode));

}



static void nativeSanitize(JNIEnv* env, jclass clazz, jlong transactionObj) {

    auto transaction = reinterpret_cast<SurfaceComposerClient::Transaction*>(transactionObj);

    transaction->sanitize();

}



static jlongArray nativeGetPhysicalDisplayIds(JNIEnv* env, jclass clazz) {

    const auto displayIds = SurfaceComposerClient::getPhysicalDisplayIds();

    jlongArray array = env->NewLongArray(displayIds.size());
@@ -2131,6 +2136,8 @@ static const JNINativeMethod sSurfaceControlMethods[] = { 
             (void*)nativeSetDropInputMode },

    {"nativeAddTransactionCommittedListener", "(JLandroid/view/TransactionCommittedListener;)V",

            (void*) nativeAddTransactionCommittedListener },

    {"nativeSanitize", "(J)V",

            (void*) nativeSanitize }

        // clang-format on

};

services/core/java/com/android/server/wm/WindowManagerService.java

+4 −0
Original line number Diff line number Diff line
@@ -2627,6 +2627,10 @@ public class WindowManagerService extends IWindowManager.Stub 


    void finishDrawingWindow(Session session, IWindow client,

            @Nullable SurfaceControl.Transaction postDrawTransaction) {

        if (postDrawTransaction != null) {

            postDrawTransaction.sanitize();

        }



        final long origId = Binder.clearCallingIdentity();

        try {

            synchronized (mGlobalLock) {