
Commit 03480e23 authored by Robert Carr

Restore ability of system to screenshot secure layers.

In previous iterations of the code the "secureLayerIsVisible" block
had a guard for "localProducer" which was set to true if the IGBP we
were screenshotting to was originally allocated by SurfaceFlinger. What
this means is that it came from a SurfaceControl, rather than just being
allocated on the client side. Note that the caller could still read the
Screenshot back out from the surface, so the old logic just ensured
you can't screenshot secure layers unless you have a SurfaceControl. Having
a SurfaceControl meant you had either the permission ACCESS_SURFACE_FLINGER,
were from AID_SYSTEM/AID_GRAPHICS, or had been granted a SurfaceControl. This
allowed the system server to screenshot secure layers for the screen rotation
animation. When switching to the GraphicBuffer based interface we eliminated
this permissivity. This CL reintroduces it in what is hopefully
a clearer way, by explicitly only granting the ability to system
components.

Bug: 70403018
Test: Manual
Change-Id: Icbc51e897f5d46838a68c1387e993b8e6a68cd1d
parent 154f5bba
+9 −2
@@ -4400,6 +4400,9 @@ status_t SurfaceFlinger::captureScreenCommon(RenderArea& renderArea,
    int syncFd = -1;
    int syncFd = -1;
    std::optional<status_t> captureResult;
    std::optional<status_t> captureResult;


    const int uid = IPCThreadState::self()->getCallingUid();
    const bool forSystem = uid == AID_GRAPHICS || uid == AID_SYSTEM;

    sp<LambdaMessage> message = new LambdaMessage([&]() {
    sp<LambdaMessage> message = new LambdaMessage([&]() {
        // If there is a refresh pending, bug out early and tell the binder thread to try again
        // If there is a refresh pending, bug out early and tell the binder thread to try again
        // after the refresh.
        // after the refresh.
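Review bot: forSystem is derived from the caller's UID alone (AID_GRAPHICS or AID_SYSTEM) at the top of captureScreenCommon, and nothing at that spot says why the lookup has to happen before the LambdaMessage is built. The comment inside the lambda speaks of telling the binder thread to try again, so the lambda body evidently does not run on the binder thread; a one-line comment above `const int uid = IPCThreadState::self()->getCallingUid();` stating that the calling identity must be captured here would keep a later refactor from moving the lookup inside the lambda. Since the lambda captures with `[&]` and forSystem is a local, it is also worth confirming that this function waits for the message to complete before returning.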
@@ -4416,7 +4419,7 @@ status_t SurfaceFlinger::captureScreenCommon(RenderArea& renderArea,
        {
        {
            Mutex::Autolock _l(mStateLock);
            Mutex::Autolock _l(mStateLock);
            result = captureScreenImplLocked(renderArea, traverseLayers, (*outBuffer).get(),
            result = captureScreenImplLocked(renderArea, traverseLayers, (*outBuffer).get(),
                                             useIdentityTransform, &fd);
                                             useIdentityTransform, forSystem, &fd);
        }
        }


        {
        {
@@ -4513,6 +4516,7 @@ status_t SurfaceFlinger::captureScreenImplLocked(const RenderArea& renderArea,
                                                 TraverseLayersFunction traverseLayers,
                                                 TraverseLayersFunction traverseLayers,
                                                 ANativeWindowBuffer* buffer,
                                                 ANativeWindowBuffer* buffer,
                                                 bool useIdentityTransform,
                                                 bool useIdentityTransform,
                                                 bool forSystem,
                                                 int* outSyncFd) {
                                                 int* outSyncFd) {
    ATRACE_CALL();
    ATRACE_CALL();
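Review bot: the new `bool forSystem` sits directly after `bool useIdentityTransform` in the parameter list of captureScreenImplLocked, so a call site that swaps the two still compiles, and here a swap would silently flip the secure-layer gate. Consider a small enum or named type for the privilege flag instead of a second positional bool, or at least annotate the argument at the call site with an inline parameter-name comment.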


@@ -4522,7 +4526,10 @@ status_t SurfaceFlinger::captureScreenImplLocked(const RenderArea& renderArea,
        secureLayerIsVisible = secureLayerIsVisible || (layer->isVisible() && layer->isSecure());
        secureLayerIsVisible = secureLayerIsVisible || (layer->isVisible() && layer->isSecure());
    });
    });


    if (secureLayerIsVisible) {
    // We allow the system server to take screenshots of secure layers for
    // use in situations like the Screen-rotation animation and place
    // the impetus on WindowManager to not persist them.
    if (secureLayerIsVisible && !forSystem) {
        ALOGW("FB is protected: PERMISSION_DENIED");
        ALOGW("FB is protected: PERMISSION_DENIED");
        return PERMISSION_DENIED;
        return PERMISSION_DENIED;
    }
    }
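Review bot: the new comment above `if (secureLayerIsVisible && !forSystem)` names only the system server, but forSystem is also true for AID_GRAPHICS callers, so the comment understates who can now capture secure layers; please name both UIDs. The allowed path is also silent: ALOGW fires only on denial, so a capture that includes a secure layer leaves no trace. A log line for the case where secureLayerIsVisible and forSystem are both true would make these captures auditable, which matters because the comment itself says the protection now rests on WindowManager not persisting them. Minor wording: "impetus" reads as if "onus" was meant.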
+1 −1
@@ -524,7 +524,7 @@ private:
    status_t captureScreenImplLocked(const RenderArea& renderArea,
    status_t captureScreenImplLocked(const RenderArea& renderArea,
                                     TraverseLayersFunction traverseLayers,
                                     TraverseLayersFunction traverseLayers,
                                     ANativeWindowBuffer* buffer, bool useIdentityTransform,
                                     ANativeWindowBuffer* buffer, bool useIdentityTransform,
                                     int* outSyncFd);
                                     bool forSystem, int* outSyncFd);
    void traverseLayersInDisplay(const sp<const DisplayDevice>& display, int32_t minLayerZ,
    void traverseLayersInDisplay(const sp<const DisplayDevice>& display, int32_t minLayerZ,
                                 int32_t maxLayerZ, const LayerVector::Visitor& visitor);
                                 int32_t maxLayerZ, const LayerVector::Visitor& visitor);
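Review bot: the declaration of captureScreenImplLocked gains `bool forSystem` with no documentation in the header, which is where someone adding a new caller will look. A short comment stating that passing true lets the capture include secure layers, and that the value must only be derived from the binder caller's UID, would help. With "Test: Manual" on the commit, a test asserting that a non-system caller still receives PERMISSION_DENIED when a secure layer is visible would guard the check against regression.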