
Commit e2239c93 authored by Fyodor Kupolov's avatar Fyodor Kupolov

Explicitly pass userId to getWindowToken

UiAutomationConnection.clearWindowContentFrameStats method currently clears
calling identity before calling mAccessibilityManager.getWindowToken. This
doesn't work properly when a call is made by a secondary user, because it
wouldn't pass a check in getWindowToken. This is now fixed by explicitly
passing the ID of the calling user.

Bug: 26498396
Change-Id: I8f0cdde33e18f04adb1833c6c0d0c329de921018
parent 292494a5
+5 −2
@@ -28,6 +28,7 @@ import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.UserHandle;
import android.view.IWindowManager;
import android.view.InputEvent;
import android.view.SurfaceControl;
@@ -167,9 +168,10 @@ public final class UiAutomationConnection extends IUiAutomationConnection.Stub {
            throwIfShutdownLocked();
            throwIfNotConnectedLocked();
        }
        int callingUserId = UserHandle.getCallingUserId();
        final long identity = Binder.clearCallingIdentity();
        try {
            IBinder token = mAccessibilityManager.getWindowToken(windowId);
            IBinder token = mAccessibilityManager.getWindowToken(windowId, callingUserId);
            if (token == null) {
                return false;
            }
@@ -186,9 +188,10 @@ public final class UiAutomationConnection extends IUiAutomationConnection.Stub {
            throwIfShutdownLocked();
            throwIfNotConnectedLocked();
        }
        int callingUserId = UserHandle.getCallingUserId();
        final long identity = Binder.clearCallingIdentity();
        try {
            IBinder token = mAccessibilityManager.getWindowToken(windowId);
            IBinder token = mAccessibilityManager.getWindowToken(windowId, callingUserId);
            if (token == null) {
                return null;
            }
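Review bot: The new `int callingUserId = UserHandle.getCallingUserId();` line is only correct because it runs before `Binder.clearCallingIdentity()`, and neither hunk records that ordering requirement. Once the identity is cleared, the Binder caller is this process, so moving the read below that call in a later refactor would pass the wrong user to `getWindowToken` without any compile-time or obvious runtime signal. I would add `// Must be read before clearCallingIdentity(); afterwards the calling identity is this process's own.` above the declaration in both methods, and declare it `final int callingUserId` to match `final long identity`. Both method bodies start and end outside the hunks shown.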
+1 −1
@@ -58,5 +58,5 @@ interface IAccessibilityManager {
    void temporaryEnableAccessibilityStateUntilKeyguardRemoved(in ComponentName service,
            boolean touchExplorationEnabled);

    IBinder getWindowToken(int windowId);
    IBinder getWindowToken(int windowId, int userId);
}
+2 −3
@@ -715,7 +715,7 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
    }

    @Override
    public IBinder getWindowToken(int windowId) {
    public IBinder getWindowToken(int windowId, int userId) {
        mSecurityPolicy.enforceCallingPermission(
                Manifest.permission.RETRIEVE_WINDOW_TOKEN,
                GET_WINDOW_TOKEN);
@@ -724,8 +724,7 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
            // share the accessibility state of the parent. The call below
            // performs the current profile parent resolution.
            final int resolvedUserId = mSecurityPolicy
                    .resolveCallingUserIdEnforcingPermissionsLocked(
                            UserHandle.getCallingUserId());
                    .resolveCallingUserIdEnforcingPermissionsLocked(userId);
            if (resolvedUserId != mCurrentUserId) {
                return null;
            }
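Review bot: The `userId` argument of `getWindowToken` is caller-controlled, and nothing visible in this section checks or documents that it must correspond to a user the Binder caller may act for. The remaining gates are `enforceCallingPermission(RETRIEVE_WINDOW_TOKEN)` and whatever `resolveCallingUserIdEnforcingPermissionsLocked(userId)` does when the id differs from the caller's own user; that helper's body is not shown here, so it is worth confirming it rejects a foreign `userId` unless the caller holds a cross-user permission. Once confirmed, I would state the contract on the method, for example `// userId is supplied by the caller and is untrusted; it is used only after resolveCallingUserIdEnforcingPermissionsLocked() has checked it against the Binder caller.` The method body continues outside the hunk.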