Block untrusted touches in InputDispatcher
With topic CL InputDispatcher now has the effect of each window for
cross-UID touch occlusion rules: ALLOW, USE_OPACITY or BLOCK_UNTRUSTED.
Check topic CL for exact meaning of each. USE_OPACITY is only used by
SAWs for now.
In this CL, InputDispatcher make use of that information for the stack
of windows above the touch-consuming window to block a touch or not.
The summary of the rules are:
* If there is any visible untrusted window from a different UID (than
the touch-consuming window UID) that has state BLOCK_UNTRUSTED, the
touch is blocked.
* Else, if there is any visible untrusted window from a different UID
that has state USE_OPACITY, we compute the composed obscuring opacity
by each stack of USE_OPACITY windows per UID of occluding window.
We take maximum of those and compare with secure setting
"maximum_obscuring_opacity_for_touch", if it's greater than the
setting the touch is blocked. This means the remaining visibility on the
touch-consuming window is not high enough to let the touch happen.
* Else we don't block the touch.
More details on go/cross-uid-touches. This doesn't interfere with
existing flags FLAG_WINDOW_IS_OBSCURED and
FLAG_WINDOW_IS_PARTIALLY_OBSCURED.
To compute the opacity we also propagate the alpha of each window from
SurfaceFlinger to InputDispatcher.
Test: atest WindowUntrustedTouchTest
Test: atest inputflinger_tests inputflinger_benchmarks libinput_tests
Test: go/try-cross-uid-touches for manual testing
Bug: 158002302
Change-Id: I673d7a5f16b19952311e8cb44a48af4349a4bd40
diff --git a/services/inputflinger/dispatcher/InputDispatcher.cpp b/services/inputflinger/dispatcher/InputDispatcher.cpp
index 3ccb0c9..ab0d340 100644
--- a/services/inputflinger/dispatcher/InputDispatcher.cpp
+++ b/services/inputflinger/dispatcher/InputDispatcher.cpp
@@ -402,6 +402,7 @@
// To avoid leaking stack in case that call never comes, and for tests,
// initialize it here anyways.
mInTouchMode(true),
+ mMaximumObscuringOpacityForTouch(1.0f),
mFocusedDisplayId(ADISPLAY_ID_DEFAULT) {
mLooper = new Looper(false);
mReporter = createInputReporter();
@@ -1708,6 +1709,22 @@
}
}
+ // Drop events that can't be trusted due to occlusion
+ if (newTouchedWindowHandle != nullptr &&
+ mBlockUntrustedTouchesMode != BlockUntrustedTouchesMode::DISABLED) {
+ TouchOcclusionInfo occlusionInfo =
+ computeTouchOcclusionInfoLocked(newTouchedWindowHandle, x, y);
+ // The order of the operands in the 'if' below is important because even if the feature
+ // is not BLOCK we want isTouchTrustedLocked() to execute in order to log details to
+ // logcat.
+ if (!isTouchTrustedLocked(occlusionInfo) &&
+ mBlockUntrustedTouchesMode == BlockUntrustedTouchesMode::BLOCK) {
+ ALOGW("Dropping untrusted touch event due to %s/%d",
+ occlusionInfo.obscuringPackage.c_str(), occlusionInfo.obscuringUid);
+ newTouchedWindowHandle = nullptr;
+ }
+ }
+
// Also don't send the new touch event to unresponsive gesture monitors
newGestureMonitors = selectResponsiveMonitorsLocked(newGestureMonitors);
@@ -2121,6 +2138,84 @@
return true;
}
+/**
+ * Returns touch occlusion information in the form of TouchOcclusionInfo. To check if the touch is
+ * untrusted, one should check:
+ *
+ * 1. If result.hasBlockingOcclusion is true.
+ * If it's, it means the touch should be blocked due to a window with occlusion mode of
+ * BLOCK_UNTRUSTED.
+ *
+ * 2. If result.obscuringOpacity > mMaximumObscuringOpacityForTouch.
+ * If it is (and 1 is false), then the touch should be blocked because a stack of windows
+ * (possibly only one) with occlusion mode of USE_OPACITY from one UID resulted in a composed
+ * obscuring opacity above the threshold. Note that if there was no window of occlusion mode
+ * USE_OPACITY, result.obscuringOpacity would've been 0 and since
+ * mMaximumObscuringOpacityForTouch >= 0, the condition above would never be true.
+ *
+ * If neither of those is true, then it means the touch can be allowed.
+ */
+InputDispatcher::TouchOcclusionInfo InputDispatcher::computeTouchOcclusionInfoLocked(
+ const sp<InputWindowHandle>& windowHandle, int32_t x, int32_t y) const {
+ int32_t displayId = windowHandle->getInfo()->displayId;
+ const std::vector<sp<InputWindowHandle>>& windowHandles = getWindowHandlesLocked(displayId);
+ TouchOcclusionInfo info;
+ info.hasBlockingOcclusion = false;
+ info.obscuringOpacity = 0;
+ info.obscuringUid = -1;
+ std::map<int32_t, float> opacityByUid;
+ for (const sp<InputWindowHandle>& otherHandle : windowHandles) {
+ if (windowHandle == otherHandle) {
+ break; // All future windows are below us. Exit early.
+ }
+ const InputWindowInfo* otherInfo = otherHandle->getInfo();
+ if (canBeObscuredBy(windowHandle, otherHandle) &&
+ windowHandle->getInfo()->ownerUid != otherInfo->ownerUid &&
+ otherInfo->frameContainsPoint(x, y)) {
+ // canBeObscuredBy() has returned true above, which means this window is untrusted, so
+ // we perform the checks below to see if the touch can be propagated or not based on the
+ // window's touch occlusion mode
+ if (otherInfo->touchOcclusionMode == TouchOcclusionMode::BLOCK_UNTRUSTED) {
+ info.hasBlockingOcclusion = true;
+ info.obscuringUid = otherInfo->ownerUid;
+ info.obscuringPackage = otherInfo->packageName;
+ break;
+ }
+ if (otherInfo->touchOcclusionMode == TouchOcclusionMode::USE_OPACITY) {
+ uint32_t uid = otherInfo->ownerUid;
+ float opacity =
+ (opacityByUid.find(uid) == opacityByUid.end()) ? 0 : opacityByUid[uid];
+ // Given windows A and B:
+ // opacity(A, B) = 1 - [1 - opacity(A)] * [1 - opacity(B)]
+ opacity = 1 - (1 - opacity) * (1 - otherInfo->alpha);
+ opacityByUid[uid] = opacity;
+ if (opacity > info.obscuringOpacity) {
+ info.obscuringOpacity = opacity;
+ info.obscuringUid = uid;
+ info.obscuringPackage = otherInfo->packageName;
+ }
+ }
+ }
+ }
+ return info;
+}
+
+bool InputDispatcher::isTouchTrustedLocked(const TouchOcclusionInfo& occlusionInfo) const {
+ if (occlusionInfo.hasBlockingOcclusion) {
+ ALOGW("Untrusted touch due to occlusion by %s/%d", occlusionInfo.obscuringPackage.c_str(),
+ occlusionInfo.obscuringUid);
+ return false;
+ }
+ if (occlusionInfo.obscuringOpacity > mMaximumObscuringOpacityForTouch) {
+ ALOGW("Untrusted touch due to occlusion by %s/%d (obscuring opacity = "
+ "%.2f, maximum allowed = %.2f)",
+ occlusionInfo.obscuringPackage.c_str(), occlusionInfo.obscuringUid,
+ occlusionInfo.obscuringOpacity, mMaximumObscuringOpacityForTouch);
+ return false;
+ }
+ return true;
+}
+
bool InputDispatcher::isWindowObscuredAtPointLocked(const sp<InputWindowHandle>& windowHandle,
int32_t x, int32_t y) const {
int32_t displayId = windowHandle->getInfo()->displayId;
@@ -4060,6 +4155,21 @@
mInTouchMode = inTouchMode;
}
+void InputDispatcher::setMaximumObscuringOpacityForTouch(float opacity) {
+ if (opacity < 0 || opacity > 1) {
+ LOG_ALWAYS_FATAL("Maximum obscuring opacity for touch should be >= 0 and <= 1");
+ return;
+ }
+
+ std::scoped_lock lock(mLock);
+ mMaximumObscuringOpacityForTouch = opacity;
+}
+
+void InputDispatcher::setBlockUntrustedTouchesMode(BlockUntrustedTouchesMode mode) {
+ std::scoped_lock lock(mLock);
+ mBlockUntrustedTouchesMode = mode;
+}
+
bool InputDispatcher::transferTouchFocus(const sp<IBinder>& fromToken, const sp<IBinder>& toToken) {
if (fromToken == toToken) {
if (DEBUG_FOCUS) {
diff --git a/services/inputflinger/dispatcher/InputDispatcher.h b/services/inputflinger/dispatcher/InputDispatcher.h
index 4fcdcc2..d361b17 100644
--- a/services/inputflinger/dispatcher/InputDispatcher.h
+++ b/services/inputflinger/dispatcher/InputDispatcher.h
@@ -112,6 +112,8 @@
virtual void setInputDispatchMode(bool enabled, bool frozen) override;
virtual void setInputFilterEnabled(bool enabled) override;
virtual void setInTouchMode(bool inTouchMode) override;
+ virtual void setMaximumObscuringOpacityForTouch(float opacity) override;
+ virtual void setBlockUntrustedTouchesMode(BlockUntrustedTouchesMode mode) override;
virtual bool transferTouchFocus(const sp<IBinder>& fromToken,
const sp<IBinder>& toToken) override;
@@ -296,6 +298,8 @@
bool mDispatchFrozen GUARDED_BY(mLock);
bool mInputFilterEnabled GUARDED_BY(mLock);
bool mInTouchMode GUARDED_BY(mLock);
+ float mMaximumObscuringOpacityForTouch GUARDED_BY(mLock);
+ BlockUntrustedTouchesMode mBlockUntrustedTouchesMode GUARDED_BY(mLock);
std::unordered_map<int32_t, std::vector<sp<InputWindowHandle>>> mWindowHandlesByDisplay
GUARDED_BY(mLock);
@@ -446,6 +450,17 @@
void pokeUserActivityLocked(const EventEntry& eventEntry) REQUIRES(mLock);
bool checkInjectionPermission(const sp<InputWindowHandle>& windowHandle,
const InjectionState* injectionState);
+
+ struct TouchOcclusionInfo {
+ bool hasBlockingOcclusion;
+ float obscuringOpacity;
+ std::string obscuringPackage;
+ int32_t obscuringUid;
+ };
+
+ TouchOcclusionInfo computeTouchOcclusionInfoLocked(const sp<InputWindowHandle>& windowHandle,
+ int32_t x, int32_t y) const REQUIRES(mLock);
+ bool isTouchTrustedLocked(const TouchOcclusionInfo& occlusionInfo) const REQUIRES(mLock);
bool isWindowObscuredAtPointLocked(const sp<InputWindowHandle>& windowHandle, int32_t x,
int32_t y) const REQUIRES(mLock);
bool isWindowObscuredLocked(const sp<InputWindowHandle>& windowHandle) const REQUIRES(mLock);
diff --git a/services/inputflinger/dispatcher/include/InputDispatcherInterface.h b/services/inputflinger/dispatcher/include/InputDispatcherInterface.h
index 67d9a06..65687c4 100644
--- a/services/inputflinger/dispatcher/include/InputDispatcherInterface.h
+++ b/services/inputflinger/dispatcher/include/InputDispatcherInterface.h
@@ -20,12 +20,15 @@
#include <InputListener.h>
#include <android-base/result.h>
#include <android/FocusRequest.h>
+#include <android/os/BlockUntrustedTouchesMode.h>
#include <android/os/ISetInputWindowsListener.h>
#include <input/InputApplication.h>
#include <input/InputTransport.h>
#include <input/InputWindow.h>
#include <unordered_map>
+using android::os::BlockUntrustedTouchesMode;
+
namespace android {
/*
@@ -145,6 +148,21 @@
*/
virtual void setInTouchMode(bool inTouchMode) = 0;
+ /**
+ * Sets the maximum allowed obscuring opacity by UID to propagate touches.
+ * For certain window types (eg. SAWs), the decision of honoring
+ * FLAG_NOT_TOUCHABLE or not depends on the combined obscuring opacity of
+ * the windows above the touch-consuming window.
+ */
+ virtual void setMaximumObscuringOpacityForTouch(float opacity) = 0;
+
+ /**
+ * Sets the mode of the block untrusted touches feature.
+ *
+ * TODO(b/169067926): Clean-up feature modes.
+ */
+ virtual void setBlockUntrustedTouchesMode(BlockUntrustedTouchesMode mode) = 0;
+
/* Transfers touch focus from one window to another window.
*
* Returns true on success. False if the window did not actually have touch focus.
diff --git a/services/surfaceflinger/Layer.cpp b/services/surfaceflinger/Layer.cpp
index 85046a4..0127b31 100644
--- a/services/surfaceflinger/Layer.cpp
+++ b/services/surfaceflinger/Layer.cpp
@@ -2485,6 +2485,7 @@
// InputDispatcher, and obviously if they aren't visible they can't occlude
// anything.
info.visible = hasInputInfo() ? canReceiveInput() : isVisible();
+ info.alpha = getAlpha();
auto cropLayer = mDrawingState.touchableRegionCrop.promote();
if (info.replaceTouchableRegionWithCrop) {