Limit access to head tracker sensor
Lock down access to only internal system usage and CTS due to privacy
considerations.
Bug: 224619073
Test: run SensorHeadTrackerTest with and without "cmd unrestrict-ht"
Change-Id: I0bd37472e058c550de8d0098caa0bd439d8f12a5
diff --git a/include/android/sensor.h b/include/android/sensor.h
index 6112d5f..eef69f4 100644
--- a/include/android/sensor.h
+++ b/include/android/sensor.h
@@ -267,7 +267,8 @@
* {@link ASENSOR_TYPE_HEAD_TRACKER}
* reporting-mode: continuous
*
- * Measures the orientation and rotational velocity of a user's head.
+ * Measures the orientation and rotational velocity of a user's head. Only for internal use
+ * within the Android system.
*/
ASENSOR_TYPE_HEAD_TRACKER = 37,
/**
diff --git a/services/sensorservice/SensorDirectConnection.cpp b/services/sensorservice/SensorDirectConnection.cpp
index fae16f6..2dd12e9 100644
--- a/services/sensorservice/SensorDirectConnection.cpp
+++ b/services/sensorservice/SensorDirectConnection.cpp
@@ -157,7 +157,7 @@
}
const Sensor& s = si->getSensor();
- if (!SensorService::canAccessSensor(s, "config direct channel", mOpPackageName)) {
+ if (!mService->canAccessSensor(s, "config direct channel", mOpPackageName)) {
return PERMISSION_DENIED;
}
diff --git a/services/sensorservice/SensorEventConnection.cpp b/services/sensorservice/SensorEventConnection.cpp
index 6948895..f06f947 100644
--- a/services/sensorservice/SensorEventConnection.cpp
+++ b/services/sensorservice/SensorEventConnection.cpp
@@ -162,7 +162,8 @@
Mutex::Autolock _l(mConnectionLock);
sp<SensorInterface> si = mService->getSensorInterfaceFromHandle(handle);
if (si == nullptr ||
- !canAccessSensor(si->getSensor(), "Add to SensorEventConnection: ", mOpPackageName) ||
+ !mService->canAccessSensor(si->getSensor(), "Add to SensorEventConnection: ",
+ mOpPackageName) ||
mSensorInfo.count(handle) > 0) {
return false;
}
diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp
index 88cf5ab..948692b 100644
--- a/services/sensorservice/SensorService.cpp
+++ b/services/sensorservice/SensorService.cpp
@@ -814,6 +814,12 @@
return handleResetUidState(args, err);
} else if (args[0] == String16("get-uid-state")) {
return handleGetUidState(args, out, err);
+ } else if (args[0] == String16("unrestrict-ht")) {
+ mHtRestricted = false;
+ return NO_ERROR;
+ } else if (args[0] == String16("restrict-ht")) {
+ mHtRestricted = true;
+ return NO_ERROR;
} else if (args.size() == 1 && args[0] == String16("help")) {
printHelp(out);
return NO_ERROR;
@@ -1338,11 +1344,11 @@
Vector<Sensor> SensorService::getDynamicSensorList(const String16& opPackageName) {
Vector<Sensor> accessibleSensorList;
mSensors.forEachSensor(
- [&opPackageName, &accessibleSensorList] (const Sensor& sensor) -> bool {
+ [this, &opPackageName, &accessibleSensorList] (const Sensor& sensor) -> bool {
if (sensor.isDynamicSensor()) {
- if (canAccessSensor(sensor, "getDynamicSensorList", opPackageName)) {
+ if (canAccessSensor(sensor, "can't see", opPackageName)) {
accessibleSensorList.add(sensor);
- } else {
+ } else if (sensor.getType() != SENSOR_TYPE_HEAD_TRACKER) {
ALOGI("Skipped sensor %s because it requires permission %s and app op %" PRId32,
sensor.getName().string(),
sensor.getRequiredPermission().string(),
@@ -1989,6 +1995,20 @@
bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName) {
+ // Special case for Head Tracker sensor type: currently restricted to system usage only, unless
+ // the restriction is specially lifted for testing
+ if (sensor.getType() == SENSOR_TYPE_HEAD_TRACKER &&
+ !isAudioServerOrSystemServerUid(IPCThreadState::self()->getCallingUid())) {
+ if (!mHtRestricted) {
+ ALOGI("Permitting access to HT sensor type outside system (%s)",
+ String8(opPackageName).string());
+ } else {
+ ALOGW("%s %s a sensor (%s) as a non-system client", String8(opPackageName).string(),
+ operation, sensor.getName().string());
+ return false;
+ }
+ }
+
// Check if a permission is required for this sensor
if (sensor.getRequiredPermission().length() <= 0) {
return true;
diff --git a/services/sensorservice/SensorService.h b/services/sensorservice/SensorService.h
index b18d204..234dc9c 100644
--- a/services/sensorservice/SensorService.h
+++ b/services/sensorservice/SensorService.h
@@ -373,7 +373,7 @@
status_t cleanupWithoutDisableLocked(const sp<SensorEventConnection>& connection, int handle);
void cleanupAutoDisabledSensorLocked(const sp<SensorEventConnection>& connection,
sensors_event_t const* buffer, const int count);
- static bool canAccessSensor(const Sensor& sensor, const char* operation,
+ bool canAccessSensor(const Sensor& sensor, const char* operation,
const String16& opPackageName);
static bool hasPermissionForSensor(const Sensor& sensor);
static int getTargetSdkVersion(const String16& opPackageName);
@@ -492,6 +492,10 @@
std::unordered_map<int, SensorServiceUtil::RecentEventLogger*> mRecentEvent;
Mode mCurrentOperatingMode;
+ // true if the head tracker sensor type is currently restricted to system usage only
+ // (can only be unrestricted for testing, via shell cmd)
+ bool mHtRestricted = true;
+
// This packagaName is set when SensorService is in RESTRICTED or DATA_INJECTION mode. Only
// applications with this packageName are allowed to activate/deactivate or call flush on
// sensors. To run CTS this is can be set to ".cts." and only CTS tests will get access to