Clear calling ID before using SensorPrivacyManager
This is needed because some methods of SensorPrivacyManager have been
gated by a system permission. As a result, we have to clear binder
caller identity before calling these methods so that they are executed
with the same level of privilege as the SensorService. Otherwise, if an
app A makes a request to the SensorService to set up a sensor data
connection and the SensorService needs to call SensorPrivacyService
e.g., to register for a mic toggle state listener, the SensorPrivacyService
will think that it's app A that is calling, hence failing the permission
check.
Test: atest CtsSensorTestCases CtsSensorRatePermissionTestCases
Bug: 136069189
Bug: 179649922
Change-Id: Ib665230fe4b6dd7c598289b8af62171222855e03
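The mechanism the commit message describes, as an added illustration that is not AOSP code: a small stand-in for libbinder's per-thread IPCThreadState (the real one packs pid and uid into the int64 token the same way, but everything here, including SYSTEM_UID, setIncomingCaller() and the two service stubs, is a constructed model). It shows a gated call failing when the app's identity is still attached, succeeding inside a scoped clear, and the caveat the patch's comment does not spell out: any check on the caller evaluated inside the guard sees the service's own uid, so the guard must be scoped to the privileged call only and caller checks done before it.

```cpp
#include <cstdint>

namespace demo {

constexpr uint32_t SYSTEM_UID = 1000;  // assumed uid of the service process itself

// Model of IPCThreadState: the calling identity is thread-local and is
// overwritten by clearCallingIdentity() with the process's own identity.
class IPCThreadState {
public:
    static IPCThreadState* self() {
        thread_local IPCThreadState state;
        return &state;
    }
    uint32_t getCallingUid() const { return mCallingUid; }
    int32_t getCallingPid() const { return mCallingPid; }
    // Simulates an incoming binder transaction from (uid, pid).
    void setIncomingCaller(uint32_t uid, int32_t pid) { mCallingUid = uid; mCallingPid = pid; }
    // Packs pid (high 32 bits) and uid (low 32 bits) into one token, like libbinder.
    int64_t clearCallingIdentity() {
        int64_t token = (static_cast<int64_t>(mCallingPid) << 32) | mCallingUid;
        mCallingUid = SYSTEM_UID;
        mCallingPid = 1;
        return token;
    }
    void restoreCallingIdentity(int64_t token) {
        mCallingUid = static_cast<uint32_t>(token & 0xffffffffLL);
        mCallingPid = static_cast<int32_t>(token >> 32);
    }
private:
    uint32_t mCallingUid = SYSTEM_UID;
    int32_t mCallingPid = 1;
};

// RAII guard: clears on construction, restores on scope exit. Non-copyable so
// the same token can never be restored twice.
class AutoCallerClear {
public:
    AutoCallerClear() : mToken(IPCThreadState::self()->clearCallingIdentity()) {}
    ~AutoCallerClear() { IPCThreadState::self()->restoreCallingIdentity(mToken); }
    AutoCallerClear(const AutoCallerClear&) = delete;
    AutoCallerClear& operator=(const AutoCallerClear&) = delete;
private:
    const int64_t mToken;
};

// Stand-in for the SensorPrivacyService side: gated on a system-only identity.
bool privacyServiceRegisterListener() {
    return IPCThreadState::self()->getCallingUid() == SYSTEM_UID;
}

// Without clearing, the gated call sees app A and refuses it.
bool unguardedCallFails(uint32_t appUid) {
    IPCThreadState::self()->setIncomingCaller(appUid, 4242);  // constructed transaction
    return !privacyServiceRegisterListener();
}

// Correct pattern: capture the real caller first, then scope the guard to
// exactly the privileged call; identity is restored when the block ends.
bool setupConnectionCorrect(uint32_t appUid) {
    auto* ipc = IPCThreadState::self();
    ipc->setIncomingCaller(appUid, 4242);  // constructed transaction
    uint32_t realCaller = ipc->getCallingUid();
    bool registered;
    {
        AutoCallerClear lock;
        registered = privacyServiceRegisterListener();
    }
    return registered && ipc->getCallingUid() == realCaller;
}

// Anti-pattern: a check on the caller made while the guard is live sees the
// service's uid, so an app-level permission check here would pass for any app.
uint32_t uidSeenInsideGuard(uint32_t appUid) {
    auto* ipc = IPCThreadState::self();
    ipc->setIncomingCaller(appUid, 4242);  // constructed transaction
    AutoCallerClear lock;
    return ipc->getCallingUid();  // SYSTEM_UID, not appUid
}

}  // namespace demo
```

The guard is deliberately a distinct block in setupConnectionCorrect(): the narrower the scope, the less code runs with the service's privilege on behalf of an untrusted caller.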
diff --git a/services/sensorservice/SensorService.h b/services/sensorservice/SensorService.h
index 9c5060a..a563a60 100644
--- a/services/sensorservice/SensorService.h
+++ b/services/sensorservice/SensorService.h
@@ -242,6 +242,22 @@
userid_t mUserId;
};
+ // A class automatically clearing and restoring binder caller identity inside
+ // a code block (scoped variable).
+ // Declare one systematically before calling SensorPrivacyManager methods so that they are
+ // executed with the same level of privilege as the SensorService process.
+ class AutoCallerClear {
+ public:
+ AutoCallerClear() :
+ mToken(IPCThreadState::self()->clearCallingIdentity()) {}
+ ~AutoCallerClear() {
+ IPCThreadState::self()->restoreCallingIdentity(mToken);
+ }
+
+ private:
+ const int64_t mToken;
+ };
+
enum Mode {
// The regular operating mode where any application can register/unregister/call flush on
// sensors.
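Review bot: AutoCallerClear in this hunk is copyable, so a copy would restore the same token twice; add `AutoCallerClear(const AutoCallerClear&) = delete;` and `AutoCallerClear& operator=(const AutoCallerClear&) = delete;`. The comment ("Declare one systematically before calling SensorPrivacyManager methods") should also warn that every check on the calling uid or package evaluated while the guard is live sees the SensorService's own identity, so the guard must be scoped as tightly as possible around the privileged call (its own block), with any caller-based check done or captured before the guard is constructed.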