SurfaceFlinger: Only allow update of InputWindowInfo with permission.
This was intended to be in the original CL, but it looks like I never added it or
lost it at some point. This is important as otherwise clients could use modality flags,
global focus, etc. to escape their constraints. The model is the WM can "bless" a surface for input
with given flags (e.g. non-modal) and then the client can manipulate the geometry if it
happens to have the SurfaceControl, but within the constraints of the hierarchy.
Bug: 111440400
Test: Builds
Change-Id: Ifea0882bb26f9791aa2736895c900a05a02ba7cb
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 5df2876..3f6298f 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -3961,8 +3961,12 @@
if (layer->setSidebandStream(s.sidebandStream)) flags |= eTraversalNeeded;
}
if (what & layer_state_t::eInputInfoChanged) {
- layer->setInputInfo(s.inputInfo);
- flags |= eTraversalNeeded;
+ if (callingThreadHasUnscopedSurfaceFlingerAccess()) {
+ layer->setInputInfo(s.inputInfo);
+ flags |= eTraversalNeeded;
+ } else {
+ ALOGE("Attempt to update InputWindowInfo without permission ACCESS_SURFACE_FLINGER");
+ }
}
std::vector<sp<CallbackHandle>> callbackHandles;
if ((what & layer_state_t::eListenerCallbacksChanged) && (!s.listenerCallbacks.empty())) {
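Review bot: The new else branch under eInputInfoChanged drops the update with only an ALOGE that does not say who asked, so a denied attempt cannot be attributed to a process from the log. Consider including the calling pid and uid (for example from IPCThreadState::self()->getCallingPid() and getCallingUid()) in the message. The rest of the layer state in the same transaction is still applied and nothing visible here reports the refusal back to the client, so a caller cannot tell that its inputInfo was ignored; if that silent-drop behaviour is intended, a short comment above the check stating so would help. The commit message lists "Test: Builds" only; a test that submits eInputInfoChanged from a client without ACCESS_SURFACE_FLINGER and asserts that the layer's input info is unchanged would keep this check from being lost again.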