blob: 7a42cd1b3cbb10730e5523685d161b44dfbb3e1e [file] [log] [blame]
* Copyright (C) 2019 The Android Open Source Project
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* See the License for the specific language governing permissions and
* limitations under the License.
import android.Manifest;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.appwidget.AppWidgetManagerInternal;
import android.content.ComponentName;
import android.content.Context;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.os.UserHandle;
import android.os.UserManager;
import android.util.ArraySet;
import android.util.Slog;
import android.view.accessibility.AccessibilityEvent;
import libcore.util.EmptyArray;
* This class provides APIs of accessibility security policies for accessibility manager
* to grant accessibility capabilities or events access right to accessibility service.
public class AccessibilitySecurityPolicy {
private static final int OWN_PROCESS_ID = android.os.Process.myPid();
private static final String LOG_TAG = "AccessibilitySecurityPolicy";
private final Context mContext;
private final PackageManager mPackageManager;
private final UserManager mUserManager;
private final AppOpsManager mAppOpsManager;
private AppWidgetManagerInternal mAppWidgetService;
private static final int KEEP_SOURCE_EVENT_TYPES = AccessibilityEvent.TYPE_VIEW_CLICKED
| AccessibilityEvent.TYPE_VIEW_FOCUSED
| AccessibilityEvent.TYPE_VIEW_HOVER_ENTER
| AccessibilityEvent.TYPE_VIEW_HOVER_EXIT
| AccessibilityEvent.TYPE_VIEW_LONG_CLICKED
| AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED
| AccessibilityEvent.TYPE_WINDOWS_CHANGED
| AccessibilityEvent.TYPE_VIEW_SELECTED
| AccessibilityEvent.TYPE_VIEW_SCROLLED
* Methods that should find their way into separate modules, but are still in AMS
* TODO (b/111889696): Refactoring UserState to AccessibilityUserManager.
public interface AccessibilityUserManager {
* Returns current userId maintained in accessibility manager service
int getCurrentUserIdLocked();
// TODO: Should include resolveProfileParentLocked, but that was already in SecurityPolicy
private final AccessibilityUserManager mAccessibilityUserManager;
private AccessibilityWindowManager mAccessibilityWindowManager;
* Constructor for AccessibilityManagerService.
public AccessibilitySecurityPolicy(@NonNull Context context,
@NonNull AccessibilityUserManager a11yUserManager) {
mContext = context;
mAccessibilityUserManager = a11yUserManager;
mPackageManager = mContext.getPackageManager();
mUserManager = (UserManager) mContext.getSystemService(Context.USER_SERVICE);
mAppOpsManager = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
* Setup AccessibilityWindowManager. This isn't part of the constructor because the
* window manager and security policy both call each other.
public void setAccessibilityWindowManager(@NonNull AccessibilityWindowManager awm) {
mAccessibilityWindowManager = awm;
* Setup AppWidgetManger during boot phase.
public void setAppWidgetManager(@NonNull AppWidgetManagerInternal appWidgetManager) {
mAppWidgetService = appWidgetManager;
* Check if an accessibility event can be dispatched. Events should be dispatched only if they
* are dispatched from items that services can see.
* @param userId The userId to check
* @param event The event to check
* @return {@code true} if the event can be dispatched
public boolean canDispatchAccessibilityEventLocked(int userId,
@NonNull AccessibilityEvent event) {
final int eventType = event.getEventType();
switch (eventType) {
// All events that are for changes in a global window
// state should *always* be dispatched.
case AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED:
case AccessibilityEvent.TYPE_ANNOUNCEMENT:
// All events generated by the user touching the
// screen should *always* be dispatched.
case AccessibilityEvent.TYPE_GESTURE_DETECTION_END:
case AccessibilityEvent.TYPE_TOUCH_INTERACTION_END:
case AccessibilityEvent.TYPE_VIEW_HOVER_ENTER:
case AccessibilityEvent.TYPE_VIEW_HOVER_EXIT:
// Also always dispatch the event that assist is reading context.
case AccessibilityEvent.TYPE_ASSIST_READING_CONTEXT:
// Also windows changing should always be dispatched.
case AccessibilityEvent.TYPE_WINDOWS_CHANGED: {
return true;
// All events for changes in window content should be
// dispatched *only* if this window is one of the windows
// the accessibility layer reports which are windows
// that a sighted user can touch.
default: {
return isRetrievalAllowingWindowLocked(userId, event.getWindowId());
* Find a valid package name for an app to expose to accessibility
* @param packageName The package name the app wants to expose
* @param appId The app's id
* @param userId The app's user id
* @return A package name that is valid to report
public String resolveValidReportedPackageLocked(
@Nullable CharSequence packageName, int appId, int userId) {
// Okay to pass no package
if (packageName == null) {
return null;
// The system gets to pass any package
if (appId == Process.SYSTEM_UID) {
return packageName.toString();
// Passing a package in your UID is fine
final String packageNameStr = packageName.toString();
final int resolvedUid = UserHandle.getUid(userId, appId);
if (isValidPackageForUid(packageNameStr, resolvedUid)) {
return packageName.toString();
// Appwidget hosts get to pass packages for widgets they host
if (mAppWidgetService != null && ArrayUtils.contains(mAppWidgetService
.getHostedWidgetPackages(resolvedUid), packageNameStr)) {
return packageName.toString();
// Otherwise, set the package to the first one in the UID
final String[] packageNames = mPackageManager.getPackagesForUid(resolvedUid);
if (ArrayUtils.isEmpty(packageNames)) {
return null;
// Okay, the caller reported a package it does not have access to.
// Instead of crashing the caller for better backwards compatibility
// we report the first package in the UID. Since most of the time apps
// don't use shared user id, this will yield correct results and for
// the edge case of using a shared user id we may report the wrong
// package but this is fine since first, this is a cheating app and
// second there is no way to get the correct package anyway.
return packageNames[0];
* Get the packages that are valid for a uid. In some situations, like app widgets, there
* could be several valid packages
* @param targetPackage A package that is known to be valid for this id
* @param targetUid The whose packages should be checked
* @return An array of all valid package names. An empty array means any package is OK
public String[] computeValidReportedPackages(
@NonNull String targetPackage, int targetUid) {
if (UserHandle.getAppId(targetUid) == Process.SYSTEM_UID) {
// Empty array means any package is Okay
return EmptyArray.STRING;
// IMPORTANT: The target package is already vetted to be in the target UID
String[] uidPackages = new String[]{targetPackage};
// Appwidget hosts get to pass packages for widgets they host
if (mAppWidgetService != null) {
final ArraySet<String> widgetPackages = mAppWidgetService
if (widgetPackages != null && !widgetPackages.isEmpty()) {
final String[] validPackages = new String[uidPackages.length
+ widgetPackages.size()];
System.arraycopy(uidPackages, 0, validPackages, 0, uidPackages.length);
final int widgetPackageCount = widgetPackages.size();
for (int i = 0; i < widgetPackageCount; i++) {
validPackages[uidPackages.length + i] = widgetPackages.valueAt(i);
return validPackages;
return uidPackages;
* Reset the event source for events that should not carry one
* @param event The event potentially to modify
public void updateEventSourceLocked(@NonNull AccessibilityEvent event) {
if ((event.getEventType() & KEEP_SOURCE_EVENT_TYPES) == 0) {
* Check if a service can have access to a window
* @param userId The id of the user running the service
* @param service The service requesting access
* @param windowId The window it wants access to
* @return Whether ot not the service may retrieve info from the window
public boolean canGetAccessibilityNodeInfoLocked(int userId,
@NonNull AbstractAccessibilityServiceConnection service, int windowId) {
return canRetrieveWindowContentLocked(service)
&& isRetrievalAllowingWindowLocked(userId, windowId);
* Check if a service can have access the list of windows
* @param service The service requesting access
* @return Whether ot not the service may retrieve the window list
public boolean canRetrieveWindowsLocked(
@NonNull AbstractAccessibilityServiceConnection service) {
return canRetrieveWindowContentLocked(service) && service.mRetrieveInteractiveWindows;
* Check if a service can have access the content of windows on the screen
* @param service The service requesting access
* @return Whether ot not the service may retrieve the content
public boolean canRetrieveWindowContentLocked(
@NonNull AbstractAccessibilityServiceConnection service) {
return (service.getCapabilities()
* Check if a service can control magnification
* @param service The service requesting access
* @return Whether ot not the service may control magnification
public boolean canControlMagnification(
@NonNull AbstractAccessibilityServiceConnection service) {
return (service.getCapabilities()
* Check if a service can perform gestures
* @param service The service requesting access
* @return Whether ot not the service may perform gestures
public boolean canPerformGestures(@NonNull AccessibilityServiceConnection service) {
return (service.getCapabilities()
& AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0;
* Check if a service can capture gestures from the fingerprint sensor
* @param service The service requesting access
* @return Whether ot not the service may capture gestures from the fingerprint sensor
public boolean canCaptureFingerprintGestures(@NonNull AccessibilityServiceConnection service) {
return (service.getCapabilities()
* Checks if a service can take screenshot.
* @param service The service requesting access
* @return Whether ot not the service may take screenshot
public boolean canTakeScreenshotLocked(
@NonNull AbstractAccessibilityServiceConnection service) {
return (service.getCapabilities()
& AccessibilityServiceInfo.CAPABILITY_CAN_TAKE_SCREENSHOT) != 0;
* Returns the parent userId of the profile according to the specified userId.
* @param userId The userId to check
* @return the parent userId of the profile, or self if no parent exist
public int resolveProfileParentLocked(int userId) {
if (userId != mAccessibilityUserManager.getCurrentUserIdLocked()) {
final long identity = Binder.clearCallingIdentity();
try {
UserInfo parent = mUserManager.getProfileParent(userId);
if (parent != null) {
return parent.getUserHandle().getIdentifier();
} finally {
return userId;
* Returns the parent userId of the profile according to the specified userId. Enforcing
* permissions check if specified userId is not caller's userId.
* @param userId The userId to check
* @return the parent userId of the profile, or self if no parent exist
* @throws SecurityException if caller cannot interact across users
* @throws IllegalArgumentException if specified invalid userId
public int resolveCallingUserIdEnforcingPermissionsLocked(int userId) {
final int callingUid = Binder.getCallingUid();
final int currentUserId = mAccessibilityUserManager.getCurrentUserIdLocked();
if (callingUid == 0
|| callingUid == Process.SYSTEM_UID
|| callingUid == Process.SHELL_UID) {
if (userId == UserHandle.USER_CURRENT
|| userId == UserHandle.USER_CURRENT_OR_SELF) {
return currentUserId;
return resolveProfileParentLocked(userId);
final int callingUserId = UserHandle.getUserId(callingUid);
if (callingUserId == userId) {
return resolveProfileParentLocked(userId);
final int callingUserParentId = resolveProfileParentLocked(callingUserId);
if (callingUserParentId == currentUserId && (userId == UserHandle.USER_CURRENT
|| userId == UserHandle.USER_CURRENT_OR_SELF)) {
return currentUserId;
if (!hasPermission(Manifest.permission.INTERACT_ACROSS_USERS)
&& !hasPermission(Manifest.permission.INTERACT_ACROSS_USERS_FULL)) {
throw new SecurityException("Call from user " + callingUserId + " as user "
+ userId + " without permission INTERACT_ACROSS_USERS or "
if (userId == UserHandle.USER_CURRENT
|| userId == UserHandle.USER_CURRENT_OR_SELF) {
return currentUserId;
throw new IllegalArgumentException("Calling user can be changed to only "
+ "UserHandle.USER_CURRENT or UserHandle.USER_CURRENT_OR_SELF.");
* Returns false if caller is not SYSTEM and SHELL, and tried to interact across users.
* @param userId The userId to interact.
* @return false if caller cannot interact across users.
public boolean isCallerInteractingAcrossUsers(int userId) {
final int callingUid = Binder.getCallingUid();
return (Binder.getCallingPid() == android.os.Process.myPid()
|| callingUid == Process.SHELL_UID
|| userId == UserHandle.USER_CURRENT
|| userId == UserHandle.USER_CURRENT_OR_SELF);
private boolean isValidPackageForUid(String packageName, int uid) {
final long token = Binder.clearCallingIdentity();
try {
return uid == mPackageManager.getPackageUidAsUser(
packageName, UserHandle.getUserId(uid));
} catch (PackageManager.NameNotFoundException e) {
return false;
} finally {
private boolean isRetrievalAllowingWindowLocked(int userId, int windowId) {
// The system gets to interact with any window it wants.
if (Binder.getCallingUid() == Process.SYSTEM_UID) {
return true;
if (Binder.getCallingUid() == Process.SHELL_UID) {
if (!isShellAllowedToRetrieveWindowLocked(userId, windowId)) {
return false;
// TODO: Check parent windowId if the giving windowId is from embedded view hierarchy.
if (windowId == mAccessibilityWindowManager.getActiveWindowId(userId)) {
return true;
return mAccessibilityWindowManager.findA11yWindowInfoByIdLocked(windowId) != null;
private boolean isShellAllowedToRetrieveWindowLocked(int userId, int windowId) {
long token = Binder.clearCallingIdentity();
try {
IBinder windowToken = mAccessibilityWindowManager
.getWindowTokenForUserAndWindowIdLocked(userId, windowId);
if (windowToken == null) {
return false;
int windowOwnerUserId = mAccessibilityWindowManager.getWindowOwnerUserId(windowToken);
if (windowOwnerUserId == UserHandle.USER_NULL) {
return false;
return !mUserManager.hasUserRestriction(
UserManager.DISALLOW_DEBUGGING_FEATURES, UserHandle.of(windowOwnerUserId));
} finally {
* Enforcing permission check to caller.
* @param permission The permission to check
* @param function The function name to check
public void enforceCallingPermission(@NonNull String permission, @Nullable String function) {
if (OWN_PROCESS_ID == Binder.getCallingPid()) {
if (!hasPermission(permission)) {
throw new SecurityException("You do not have " + permission
+ " required to call " + function + " from pid="
+ Binder.getCallingPid() + ", uid=" + Binder.getCallingUid());
* Permission check to caller.
* @param permission The permission to check
* @return true if caller has permission
public boolean hasPermission(@NonNull String permission) {
return mContext.checkCallingPermission(permission) == PackageManager.PERMISSION_GRANTED;
* Checks if accessibility service could register into the system.
* @param serviceInfo The ServiceInfo
* @return True if it could register into the system
public boolean canRegisterService(@NonNull ServiceInfo serviceInfo) {
if (!android.Manifest.permission.BIND_ACCESSIBILITY_SERVICE.equals(
serviceInfo.permission)) {
Slog.w(LOG_TAG, "Skipping accessibility service " + new ComponentName(
+ ": it does not require the permission "
+ android.Manifest.permission.BIND_ACCESSIBILITY_SERVICE);
return false;
int servicePackageUid = serviceInfo.applicationInfo.uid;
if (mAppOpsManager.noteOpNoThrow(AppOpsManager.OPSTR_BIND_ACCESSIBILITY_SERVICE,
servicePackageUid, serviceInfo.packageName) != AppOpsManager.MODE_ALLOWED) {
Slog.w(LOG_TAG, "Skipping accessibility service " + new ComponentName(
+ ": disallowed by AppOps");
return false;
return true;
* Checks if accessibility service could execute accessibility operations.
* @param service The accessibility service connection
* @return True if it could execute accessibility operations
public boolean checkAccessibilityAccess(AbstractAccessibilityServiceConnection service) {
final String packageName = service.getComponentName().getPackageName();
final ResolveInfo resolveInfo = service.getServiceInfo().getResolveInfo();
if (resolveInfo == null) {
// For InteractionBridge and UiAutomation
return true;
final int uid = resolveInfo.serviceInfo.applicationInfo.uid;
final long identityToken = Binder.clearCallingIdentity();
try {
// For the caller is system, just block the data to a11y services.
if (OWN_PROCESS_ID == Binder.getCallingPid()) {
return mAppOpsManager.noteOpNoThrow(AppOpsManager.OPSTR_ACCESS_ACCESSIBILITY,
uid, packageName) == AppOpsManager.MODE_ALLOWED;
return mAppOpsManager.noteOp(AppOpsManager.OPSTR_ACCESS_ACCESSIBILITY,
uid, packageName) == AppOpsManager.MODE_ALLOWED;
} finally {
* Enforcing permission check to IPC caller or grant it if it's not through IPC.
* @param permission The permission to check
public void enforceCallingOrSelfPermission(@NonNull String permission) {
if (mContext.checkCallingOrSelfPermission(permission)
!= PackageManager.PERMISSION_GRANTED) {
throw new SecurityException("Caller does not hold permission "
+ permission);