
Commit 4766e2a7 authored by Leandro Gracia Gil's avatar Leandro Gracia Gil Committed by Alex Vakulenko

Introduce an API to verify trusted caller apps by UID.

This CL introduces a new function to make sure only trusted packages
like VrCore can make use of APIs that are not intended for app use.

As a first example, this CL introduces a caller check for taking screenshots,
although any sensitive APIs should implement similar checks.

Package trust is defined by having the RESTRICTED_VR_ACCESS permission.

Bug: 34474022
Change-Id: Ib5a242d1a4e17f59b178fb1465064043613ac369
parent 748a163b
+10 −6
@@ -14,11 +14,16 @@

LOCAL_PATH := $(call my-dir)

exported_include_dirs := \
  $(LOCAL_PATH)/include

include_dirs := \
  frameworks/native/include/vr/vr_manager \
  $(exported_include_dirs)

src_files := \
  vr_manager.cpp \

inc_files := \
  frameworks/native/include/vr/vr_manager
  trusted_uids.cpp

static_libs := \
  libutils \
@@ -26,13 +31,12 @@ static_libs := \

include $(CLEAR_VARS)
LOCAL_SRC_FILES := $(src_files)
LOCAL_C_INCLUDES := $(inc_files)
LOCAL_C_INCLUDES := $(include_dirs)
LOCAL_EXPORT_C_INCLUDE_DIRS := $(exported_include_dirs)
LOCAL_CFLAGS += -Wall
LOCAL_CFLAGS += -Werror
LOCAL_CFLAGS += -Wunused
LOCAL_CFLAGS += -Wunreachable-code
LOCAL_EXPORT_C_INCLUDE_DIRS := $(inc_files)
#LOCAL_SHARED_LIBRARIES := $(sharedLibraries)
LOCAL_STATIC_LIBRARIES := $(static_libs)
LOCAL_MODULE := libvr_manager
include $(BUILD_STATIC_LIBRARY)
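--- /dev/null
+++ b/<DIR-NOT-SHOWN>/private/dvr/trusted_uids.h
@@ -0,0 +1,33 @@
+#ifndef ANDROID_DVR_TRUSTED_UIDS_H_
+#define ANDROID_DVR_TRUSTED_UIDS_H_
+
+#include <sys/types.h>
+
+namespace android {
+namespace dvr {
+
+/**
+ * Tells if a provided UID can be trusted to access restricted VR APIs.
+ *
+ * UID trust is based on the android.permission.RESTRICTED_VR_ACCESS permission.
+ * AID_SYSTEM and AID_ROOT are automatically trusted by Android.
+ *
+ * UIDs are guaranteed not to be reused until the next reboot even in case
+ * of package reinstall. For performance reasons this method caches results by
+ * default, as otherwise every check would trigger a Java call.
+ *
+ * This function is thread-safe.
+ *
+ * @param uid The uid to check.
+ * @param use_cache If true any cached result for the provided uid will be
+ *     reused. If false this call will reach the Application Manager Service
+ *     in Java to get updated values. Any updates will be stored in the cache.
+ * @return true if the uid is trusted, false if not or if the VR Manager Service
+ *         could not be reached to verify the uid.
+ */
+bool IsTrustedUid(uid_t uid, bool use_cache = true);
+
+}  // namespace dvr
+}  // namespace android
+
+#endif  // ANDROID_DVR_TRUSTED_UIDS_H_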
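Review bot: The use_cache and @return descriptions name services the implementation in this commit does not talk to: trusted_uids.cpp resolves the "permission" service and calls IPermissionController::checkPermission, not the "Application Manager Service" or the "VR Manager Service". I would reword them to `If false this call will reach the permission service to get an updated value.` and `@return true if the uid is trusted, false if not or if the permission service could not be reached to verify the uid.` so callers know which service failure produces a false result. The sentence `AID_SYSTEM and AID_ROOT are automatically trusted by Android.` also reads as a property of this function, while the .cpp only short-circuits AID_SYSTEM and sends AID_ROOT through the permission service; if root trust is the permission service's behaviour rather than this function's, say so, e.g. `AID_SYSTEM is trusted unconditionally by this function; AID_ROOT is expected to be trusted by the permission service.`.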
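--- /dev/null
+++ b/<DIR-NOT-SHOWN>/trusted_uids.cpp
@@ -0,0 +1,51 @@
+#include "private/dvr/trusted_uids.h"
+
+#include <mutex>
+#include <unordered_map>
+
+#include <binder/IPermissionController.h>
+#include <binder/IServiceManager.h>
+#include <private/android_filesystem_config.h>
+#include <utils/String16.h>
+#include <vr/vr_manager/vr_manager.h>
+
+namespace android {
+namespace dvr {
+
+bool IsTrustedUid(uid_t uid, bool use_cache) {
+  static std::unordered_map<uid_t, bool> uid_cache;
+  static std::mutex uid_cache_mutex;
+
+  // Whitelist requests from the system UID.
+  // These are already whitelisted by the permission service, but it might not
+  // be available if the ActivityManagerService is up during boot.
+  // This ensures the correct result for system services while booting up.
+  if (uid == AID_SYSTEM)
+    return true;
+
+  std::lock_guard<std::mutex> lock(uid_cache_mutex);
+
+  if (use_cache) {
+    auto it = uid_cache.find(uid);
+    if (it != uid_cache.end())
+      return it->second;
+  }
+
+  sp<IBinder> binder = defaultServiceManager()->getService(String16("permission"));
+  if (binder == 0) {
+    ALOGW("Could not access permission service");
+    return false;
+  }
+
+  // Note: we ignore the pid because it's only used to automatically reply
+  // true if the caller is the Activity Manager Service.
+  bool trusted = interface_cast<IPermissionController>(binder)->checkPermission(
+      String16("android.permission.RESTRICTED_VR_ACCESS"), -1, uid);
+
+  // Cache the information for this uid to avoid future Java calls.
+  uid_cache[uid] = trusted;
+  return trusted;
+}
+
+}  // namespace dvr
+}  // namespace android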
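Review bot: The lock_guard on uid_cache_mutex is taken before the cache lookup and stays held across the getService and checkPermission binder calls, so every caller of IsTrustedUid, including those that would be served from the cache, is serialized behind an outbound IPC, and a slow or unavailable permission service stalls all of them at once. Since the cache only stores a bool and a duplicate concurrent lookup for the same uid just writes the same value twice, the lock can be scoped to the two cache accesses and released during the IPC, as below. The boot-time comment `be available if the ActivityManagerService is up during boot` looks like it means the opposite (the service is not yet up); I would write `be available yet if this runs before the ActivityManagerService is up during boot.`. Minor: `binder == 0` would read better as `binder == nullptr`.
```cpp
bool IsTrustedUid(uid_t uid, bool use_cache) {
  // … unchanged: static cache and mutex, AID_SYSTEM short-circuit …

  if (use_cache) {
    std::lock_guard<std::mutex> lock(uid_cache_mutex);
    auto it = uid_cache.find(uid);
    if (it != uid_cache.end())
      return it->second;
  }

  // The binder calls below run with the cache lock released so that cache
  // hits are not blocked behind a slow or unavailable permission service.
  // … unchanged: getService / checkPermission …

  // Cache the information for this uid to avoid future Java calls.
  std::lock_guard<std::mutex> lock(uid_cache_mutex);
  uid_cache[uid] = trusted;
  return trusted;
}
```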
+1 −0
@@ -45,6 +45,7 @@ staticLibraries := \
	libperformance \
	libsensor \
	libpdx_default_transport \
	libvr_manager \

sharedLibraries := \
	android.dvr.composer@1.0 \