
Commit ea329372 authored by Vishnu Nair

Validate originating process for transferTouchGesture API

Addresses a security vulnerability where a malicious process could
potentially steal an active touch gesture from its host or embedded
process. The fix ensures that the requester is the owner of the
InputTransferToken. This adds an additional verification on top of
the existing association checks between the transferFrom and
transferTo processes.

Flag: EXEMPT security fix
Bug: 364037868
Test: presubmit
Change-Id: I2654ccab807a62a341c8af69bf64bb33e56c4252
parent 786a3a7d
+10 −2
@@ -181,22 +181,30 @@ class EmbeddedWindowController {
        return true;
    }

    boolean transferToHost(@NonNull InputTransferToken embeddedWindowToken,
    boolean transferToHost(int callingUid, @NonNull InputTransferToken embeddedWindowToken,
            @NonNull WindowState transferToHostWindowState) {
        EmbeddedWindow ew = getByInputTransferToken(embeddedWindowToken);
        if (!isValidTouchGestureParams(transferToHostWindowState, ew)) {
            return false;
        }
        if (callingUid != ew.mOwnerUid) {
            throw new SecurityException(
                    "Transfer request must originate from owner of transferFromToken");
        }
        return mInputManagerService.transferTouchGesture(ew.getInputChannelToken(),
                transferToHostWindowState.mInputChannelToken);
    }

    boolean transferToEmbedded(WindowState hostWindowState,
    boolean transferToEmbedded(int callingUid, WindowState hostWindowState,
            @NonNull InputTransferToken transferToToken) {
        final EmbeddedWindowController.EmbeddedWindow ew = getByInputTransferToken(transferToToken);
        if (!isValidTouchGestureParams(hostWindowState, ew)) {
            return false;
        }
        if (callingUid != hostWindowState.mOwnerUid) {
            throw new SecurityException(
                    "Transfer request must originate from owner of transferFromToken");
        }
        return mInputManagerService.transferTouchGesture(hostWindowState.mInputChannelToken,
                ew.getInputChannelToken());
    }
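Review bot: The new `callingUid != ew.mOwnerUid` check in transferToHost dereferences `ew`, and the matching check in transferToEmbedded dereferences `hostWindowState`, so both are only safe if `isValidTouchGestureParams` has already rejected a null argument. That helper is outside this hunk, so please confirm it and record it with a comment such as `// Non-null here: isValidTouchGestureParams() rejects a missing window or embedded window.` Because the ownership check runs after the validity check, a caller that does not own the token gets `false` for an invalid pair but a SecurityException for a valid one; doing the ownership check first, once null is handled, would return the same answer to every non-owner. The comparison is by UID, so processes sharing a UID count as the same owner, which is coarser than the "originating process" wording in the commit title and is worth stating in the method Javadoc.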
+7 −2
@@ -9212,6 +9212,8 @@ public class WindowManagerService extends IWindowManager.Stub
        final InputApplicationHandle applicationHandle;
        final String name;
        Objects.requireNonNull(outInputChannel);
        Objects.requireNonNull(inputTransferToken);

        synchronized (mGlobalLock) {
            WindowState hostWindowState = hostInputTransferToken != null
                    ? mInputToWindowMap.get(hostInputTransferToken.getToken()) : null;
@@ -9236,6 +9238,7 @@ public class WindowManagerService extends IWindowManager.Stub
        Objects.requireNonNull(transferFromToken);
        Objects.requireNonNull(transferToToken);

        final int callingUid = Binder.getCallingUid();
        final long identity = Binder.clearCallingIdentity();
        boolean didTransfer;
        try {
@@ -9245,12 +9248,14 @@ public class WindowManagerService extends IWindowManager.Stub
                // represents an embedded window so transfer from host to embedded.
                WindowState windowStateTo = mInputToWindowMap.get(transferToToken.getToken());
                if (windowStateTo != null) {
                    didTransfer = mEmbeddedWindowController.transferToHost(transferFromToken,
                    didTransfer = mEmbeddedWindowController.transferToHost(callingUid,
                            transferFromToken,
                            windowStateTo);
                } else {
                    WindowState windowStateFrom = mInputToWindowMap.get(
                            transferFromToken.getToken());
                    didTransfer = mEmbeddedWindowController.transferToEmbedded(windowStateFrom,
                    didTransfer = mEmbeddedWindowController.transferToEmbedded(callingUid,
                            windowStateFrom,
                            transferToToken);
                }
            }
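Review bot: The added `final int callingUid = Binder.getCallingUid();` is only correct because it sits before `Binder.clearCallingIdentity()`, and nothing in the code says so. A comment would protect it from later reordering, for example `// Must be read before clearCallingIdentity(); afterwards getCallingUid() reports this process's own UID.` In the else branch, `windowStateFrom` comes straight from `mInputToWindowMap.get(...)` and may be null when it reaches `transferToEmbedded`, which now reads `hostWindowState.mOwnerUid`, so that path depends on the callee's validity check, which is not visible here. The commit lists only `Test: presubmit` and the page shows no test change, so a regression test asserting that a non-owner UID gets a SecurityException on both transfer directions would be a useful addition.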