Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / native / 8007daf43e35cc9502b8168db239a010d0165eb7^! / . / services / inputflinger / dispatcher / InputDispatcher.cpp
commit8007daf43e35cc9502b8168db239a010d0165eb7[log] [tgz]
authorBernardo Rufino <brufino@google.com>Tue Sep 22 09:40:01 2020 +0000
committerBernardo Rufino <brufino@google.com>Tue Sep 29 18:42:57 2020 +0000
treeab5bfd0e88a198aee2e2bb39b86570c40dd8d6fb
parent6d68b18f16478f4c647620091050d3a94e643ca9 [diff] [blame]
[Attempt #2] Consider UID instead of PID in canBeObscuredBy()

CL ag/12660805 got reverted as ag/12671244 because it broke tests that
were introduced after the base point of the CL in ag/12556011. Fixed the
breaking tests in topic CL. This is a roll forward of the initial CL.

-- Original commit message:

This method is used to inform the decision to include flags
FLAG_WINDOW_IS_OBSCURED, FLAG_WINDOW_IS_PARTIALLY_OBSCURED or not. These
flags were created to enhance the opt-in security of apps (ag/64561,
ag/903312), ie. an app can decide to filter out events that contain
these flags if desired. Filtering out events obscured by the same UID
but by a different process does not have any effect on security since in
this case apps with the same UID can already inject motion events into
each other (
http://cs/android/frameworks/native/services/inputflinger/dispatcher/InputDispatcher.cpp?l=2069&rcl=c8118551a204469df34ad6d5445e15ffb46ef96b),
but more generally those apps share the same identity, so, in practice,
for the system they act like the same (eg. they share all permissions,
they usually can act as another package from the same UID, can access
the private data of the other app, etc). Finally, if 2 apps share the
same process, they necessarily share the same UID (
https://developer.android.com/guide/topics/manifest/application-element.html#proc),
so this wouldn't create app-compat problems with the check before, it
would probably help since it wouldn't generate some obscured events
unnecessarily.

This is also in preparation for ag/12408004.

Test: With child CL, atest WindowCrossTouchTest
Test: TH pass
Test: atest inputflinger_tests inputflinger_benchmarks libinput_tests libgui_test
Test: atest WindowInputTests
Bug: 158002302
Change-Id: I15af3ad8d40491fe3cf2274ab6d440dafeadb5e5

diff --git a/services/inputflinger/dispatcher/InputDispatcher.cpp b/services/inputflinger/dispatcher/InputDispatcher.cpp
index 3ccb0c9..efe2bb1 100644
--- a/services/inputflinger/dispatcher/InputDispatcher.cpp
+++ b/services/inputflinger/dispatcher/InputDispatcher.cpp

@@ -2109,9 +2109,9 @@
     auto otherInfo = otherHandle->getInfo();
     if (!otherInfo->visible) {
         return false;
-    } else if (info->ownerPid == otherInfo->ownerPid) {
-        // If ownerPid is the same we don't generate occlusion events as there
-        // is no in-process security boundary.
+    } else if (info->ownerUid == otherInfo->ownerUid) {
+        // If ownerUid is the same we don't generate occlusion events as there
+        // is no security boundary within an uid.
         return false;
     } else if (otherInfo->trustedOverlay) {
         return false;