Fix ANGLE Driver Setting permission on multiuser builds Flag: com.android.frameworks.gpuservice.flags.multiuser_permission_check Test: atest -c GraphicsDriverEnableAngleAsSystemDriverControllerJUnitTest Bug: b/389867658 Change-Id: I761519e00a8042006c1785d70fa7244073d3533a

commit: a10520d92ad590a9c1977f26358f6426090acefa [log] [tgz]
author: Yuxin Hu <yuxinhu@google.com> Thu Jan 16 02:30:53 2025 +0000
committer: Yuxin Hu <yuxinhu@google.com> Mon Feb 10 18:14:20 2025 -0800
tree: b72c949e4eacd66a4b5430a33c9f0ad39da460c9
parent: 0499b3ecb14538a426104d4622b1c42fbdef106f [diff]
diff --git a/services/gpuservice/Android.bp b/services/gpuservice/Android.bp
index 689221f..01287b0 100644
--- a/services/gpuservice/Android.bp
+++ b/services/gpuservice/Android.bp

@@ -7,6 +7,13 @@
     default_applicable_licenses: ["frameworks_native_license"],
 }
 
+aconfig_declarations {
+    name: "gpuservice_flags",
+    package: "com.android.frameworks.gpuservice.flags",
+    container: "system",
+    srcs: ["gpuservice_flags.aconfig"],
+}
+
 cc_defaults {
     name: "gpuservice_defaults",
     cflags: [
@@ -20,6 +27,11 @@
 }
 
 cc_aconfig_library {
+    name: "gpuservice_multiuser_flags_c_lib",
+    aconfig_declarations: "gpuservice_flags",
+}
+
+cc_aconfig_library {
     name: "gpuservice_flags_c_lib",
     aconfig_declarations: "graphicsenv_flags",
 }
@@ -92,6 +104,9 @@
     srcs: [
         ":libgpuservice_sources",
     ],
+    shared_libs: [
+        "gpuservice_multiuser_flags_c_lib",
+    ],
 }
 
 cc_defaults {
@@ -126,4 +141,7 @@
     static_libs: [
         "libgpuservice",
     ],
+    shared_libs: [
+        "gpuservice_multiuser_flags_c_lib",
+    ],
 }

diff --git a/services/gpuservice/GpuService.cpp b/services/gpuservice/GpuService.cpp
index fadb1fd..f74b4fa 100644
--- a/services/gpuservice/GpuService.cpp
+++ b/services/gpuservice/GpuService.cpp

@@ -24,7 +24,9 @@
 #include <binder/IResultReceiver.h>
 #include <binder/Parcel.h>
 #include <binder/PermissionCache.h>
+#include <com_android_frameworks_gpuservice_flags.h>
 #include <cutils/properties.h>
+#include <cutils/multiuser.h>
 #include <gpumem/GpuMem.h>
 #include <gpuwork/GpuWork.h>
 #include <gpustats/GpuStats.h>
@@ -38,6 +40,8 @@
 #include <thread>
 #include <memory>
 
+namespace gpuservice_flags = com::android::frameworks::gpuservice::flags;
+
 namespace android {
 
 using base::StringAppendF;
@@ -113,11 +117,22 @@
 
     // only system_server with the ACCESS_GPU_SERVICE permission is allowed to set
     // persist.graphics.egl
-    if (uid != AID_SYSTEM ||
-        !PermissionCache::checkPermission(sAccessGpuServicePermission, pid, uid)) {
-        ALOGE("Permission Denial: can't set persist.graphics.egl from setAngleAsSystemDriver() "
+    if (gpuservice_flags::multiuser_permission_check()) {
+        // retrieve the appid of Settings app on multiuser builds
+        const int multiuserappid = multiuser_get_app_id(uid);
+        if (multiuserappid != AID_SYSTEM ||
+            !PermissionCache::checkPermission(sAccessGpuServicePermission, pid, uid)) {
+            ALOGE("Permission Denial: can't set persist.graphics.egl from setAngleAsSystemDriver() "
+                "pid=%d, uid=%d\n, multiuserappid=%d", pid, uid, multiuserappid);
+            return;
+        }
+    } else {
+        if (uid != AID_SYSTEM ||
+            !PermissionCache::checkPermission(sAccessGpuServicePermission, pid, uid)) {
+            ALOGE("Permission Denial: can't set persist.graphics.egl from setAngleAsSystemDriver() "
                 "pid=%d, uid=%d\n", pid, uid);
-        return;
+            return;
+        }
     }
 
     std::lock_guard<std::mutex> lock(mLock);

diff --git a/services/gpuservice/gpuservice_flags.aconfig b/services/gpuservice/gpuservice_flags.aconfig
new file mode 100644
index 0000000..be6a7bb
--- /dev/null
+++ b/services/gpuservice/gpuservice_flags.aconfig

@@ -0,0 +1,12 @@
+package: "com.android.frameworks.gpuservice.flags"
+container: "system"
+
+flag {
+    name: "multiuser_permission_check"
+    namespace: "gpu"
+    description: "Whether to consider headless system user mode/multiuser when checking toggleAngleAsSystemDriver permission."
+    bug: "389867658"
+    metadata {
+        purpose: PURPOSE_BUGFIX
+    }
+}

diff --git a/services/gpuservice/tests/fuzzers/Android.bp b/services/gpuservice/tests/fuzzers/Android.bp
index d4d48c4..7be3253 100644
--- a/services/gpuservice/tests/fuzzers/Android.bp
+++ b/services/gpuservice/tests/fuzzers/Android.bp

@@ -13,6 +13,9 @@
         "libgpuservice",
         "liblog",
     ],
+    shared_libs: [
+        "gpuservice_multiuser_flags_c_lib",
+    ],
     fuzz_config: {
         cc: [
             "paulthomson@google.com",

diff --git a/services/gpuservice/tests/unittests/Android.bp b/services/gpuservice/tests/unittests/Android.bp
index d2184d8..0dac24d 100644
--- a/services/gpuservice/tests/unittests/Android.bp
+++ b/services/gpuservice/tests/unittests/Android.bp

@@ -89,6 +89,7 @@
     ],
     header_libs: ["bpf_headers"],
     shared_libs: [
+        "gpuservice_multiuser_flags_c_lib",
         "libbase",
         "libbinder",
         "libbpf_bcc",
commit	a10520d92ad590a9c1977f26358f6426090acefa	[log] [tgz]
author	Yuxin Hu <yuxinhu@google.com>	Thu Jan 16 02:30:53 2025 +0000
committer	Yuxin Hu <yuxinhu@google.com>	Mon Feb 10 18:14:20 2025 -0800
tree	b72c949e4eacd66a4b5430a33c9f0ad39da460c9
parent	0499b3ecb14538a426104d4622b1c42fbdef106f [diff]