InputTracer: Adjust traced event sensitivity based on allow-list
An allow-list of packages will be defined in the perfetto config for
input traces. We can only allow an event to traced completely (i.e.
treated as a non-sensitive event) if _all_ of the UIDs that the event is
targeting are allow-listed for the trace.
In each trace instace, we maintain a cache of whether UIDs seen so far
are allow-listed. Since the allow-list is specified through a list of
package names, we must query PackageManager through the InputDispatcher
policy to look up the packages that correspond to each UID that we see.
Bug: 210460522
Test: manual with perfetto
Change-Id: I9c19a5ed941ebc239dccc0363cc6553733e16afd
diff --git a/services/inputflinger/dispatcher/InputDispatcher.cpp b/services/inputflinger/dispatcher/InputDispatcher.cpp
index dc220fe..065c5c8 100644
--- a/services/inputflinger/dispatcher/InputDispatcher.cpp
+++ b/services/inputflinger/dispatcher/InputDispatcher.cpp
@@ -88,12 +88,13 @@
}
// Create the input tracing backend that writes to perfetto from a single thread.
-std::unique_ptr<trace::InputTracingBackendInterface> createInputTracingBackendIfEnabled() {
+std::unique_ptr<trace::InputTracingBackendInterface> createInputTracingBackendIfEnabled(
+ trace::impl::PerfettoBackend::GetPackageUid getPackageUid) {
if (!isInputTracingEnabled()) {
return nullptr;
}
return std::make_unique<trace::impl::ThreadedBackend<trace::impl::PerfettoBackend>>(
- trace::impl::PerfettoBackend());
+ trace::impl::PerfettoBackend(getPackageUid));
}
template <class Entry>
@@ -891,7 +892,9 @@
// --- InputDispatcher ---
InputDispatcher::InputDispatcher(InputDispatcherPolicyInterface& policy)
- : InputDispatcher(policy, createInputTracingBackendIfEnabled()) {}
+ : InputDispatcher(policy, createInputTracingBackendIfEnabled([&policy](std::string pkg) {
+ return policy.getPackageUid(pkg);
+ })) {}
InputDispatcher::InputDispatcher(InputDispatcherPolicyInterface& policy,
std::unique_ptr<trace::InputTracingBackendInterface> traceBackend)
diff --git a/services/inputflinger/dispatcher/include/InputDispatcherPolicyInterface.h b/services/inputflinger/dispatcher/include/InputDispatcherPolicyInterface.h
index 62c2b02..91a3e3f 100644
--- a/services/inputflinger/dispatcher/include/InputDispatcherPolicyInterface.h
+++ b/services/inputflinger/dispatcher/include/InputDispatcherPolicyInterface.h
@@ -163,6 +163,9 @@
virtual void notifyDeviceInteraction(DeviceId deviceId, nsecs_t timestamp,
const std::set<gui::Uid>& uids) = 0;
+ /* Get the UID associated with the given package. */
+ virtual gui::Uid getPackageUid(std::string package) = 0;
+
private:
// Additional key latency in case a connection is still processing some motion events.
// This will help with the case when a user touched a button that opens a new window,
diff --git a/services/inputflinger/dispatcher/trace/InputTracer.cpp b/services/inputflinger/dispatcher/trace/InputTracer.cpp
index d776249..55ed5c6 100644
--- a/services/inputflinger/dispatcher/trace/InputTracer.cpp
+++ b/services/inputflinger/dispatcher/trace/InputTracer.cpp
@@ -19,6 +19,7 @@
#include "InputTracer.h"
#include <android-base/logging.h>
+#include <private/android_filesystem_config.h>
namespace android::inputdispatcher::trace::impl {
@@ -71,6 +72,24 @@
return std::visit([](const auto& event) { return event.id; }, v);
}
+// Helper class to extract relevant information from InputTarget.
+struct InputTargetInfo {
+ gui::Uid uid;
+ bool isSecureWindow;
+};
+
+InputTargetInfo getTargetInfo(const InputTarget& target) {
+ if (target.windowHandle == nullptr) {
+ if (!target.connection->monitor) {
+ LOG(FATAL) << __func__ << ": Window is not set for non-monitor target";
+ }
+ // This is a global monitor, assume its target is the system.
+ return {.uid = gui::Uid{AID_SYSTEM}, .isSecureWindow = false};
+ }
+ return {target.windowHandle->getInfo()->ownerUid,
+ target.windowHandle->getInfo()->layoutParamsFlags.test(gui::WindowInfo::Flag::SECURE)};
+}
+
} // namespace
// --- InputTracer ---
@@ -104,19 +123,25 @@
void InputTracer::dispatchToTargetHint(const EventTrackerInterface& cookie,
const InputTarget& target) {
auto& eventState = getState(cookie);
+ const InputTargetInfo& targetInfo = getTargetInfo(target);
if (eventState->isEventProcessingComplete) {
- // TODO(b/210460522): Disallow adding new targets after eventProcessingComplete() is called.
+ // Disallow adding new targets after eventProcessingComplete() is called.
+ if (eventState->targets.find(targetInfo.uid) == eventState->targets.end()) {
+ LOG(FATAL) << __func__ << ": Cannot add new target after eventProcessingComplete";
+ }
return;
}
if (isDerivedCookie(cookie)) {
- // TODO(b/210460522): Disallow adding new targets from a derived cookie.
+ // Disallow adding new targets from a derived cookie.
+ if (eventState->targets.find(targetInfo.uid) == eventState->targets.end()) {
+ LOG(FATAL) << __func__ << ": Cannot add new target from a derived cookie";
+ }
return;
}
- if (target.windowHandle != nullptr) {
- eventState->isSecure |= target.windowHandle->getInfo()->layoutParamsFlags.test(
- gui::WindowInfo::Flag::SECURE);
- // TODO(b/210460522): Set events as sensitive when the IME connection is active.
- }
+
+ eventState->targets.emplace(targetInfo.uid);
+ eventState->isSecure |= targetInfo.isSecureWindow;
+ // TODO(b/210460522): Set events as sensitive when the IME connection is active.
}
void InputTracer::eventProcessingComplete(const EventTrackerInterface& cookie) {
@@ -152,8 +177,9 @@
// is dispatched, such as in the case of key fallback events. To account for these cases,
// derived events can be traced after the processing is complete for the original event.
const auto& event = eventState->events.back();
- const TracedEventArgs traceArgs{.isSecure = eventState->isSecure};
- writeEventToBackend(event, traceArgs, *mBackend);
+ const TracedEventArgs traceArgs{.isSecure = eventState->isSecure,
+ .targets = eventState->targets};
+ writeEventToBackend(event, std::move(traceArgs), *mBackend);
}
return std::make_unique<EventTrackerImpl>(std::move(eventState), /*isDerived=*/true);
}
@@ -180,6 +206,10 @@
<< ": Failed to find a previously traced event that matches the dispatched event";
}
+ if (eventState->targets.count(dispatchEntry.targetUid) == 0) {
+ LOG(FATAL) << __func__ << ": Event is being dispatched to UID that it is not targeting";
+ }
+
// The vsyncId only has meaning if the event is targeting a window.
const int32_t windowId = dispatchEntry.windowId.value_or(0);
const int32_t vsyncId = dispatchEntry.windowId.has_value() ? dispatchEntry.vsyncId : 0;
@@ -196,8 +226,9 @@
/*hmac=*/{},
resolvedKeyRepeatCount};
if (eventState->isEventProcessingComplete) {
- mBackend->traceWindowDispatch(std::move(windowDispatchArgs),
- TracedEventArgs{.isSecure = eventState->isSecure});
+ const TracedEventArgs traceArgs{.isSecure = eventState->isSecure,
+ .targets = eventState->targets};
+ mBackend->traceWindowDispatch(std::move(windowDispatchArgs), std::move(traceArgs));
} else {
eventState->pendingDispatchArgs.emplace_back(std::move(windowDispatchArgs));
}
@@ -217,7 +248,7 @@
void InputTracer::EventState::onEventProcessingComplete() {
// Write all of the events known so far to the trace.
for (const auto& event : events) {
- const TracedEventArgs traceArgs{.isSecure = isSecure};
+ const TracedEventArgs traceArgs{.isSecure = isSecure, .targets = targets};
writeEventToBackend(event, traceArgs, *tracer.mBackend);
}
// Write all pending dispatch args to the trace.
@@ -232,8 +263,8 @@
<< ": Failed to find a previously traced event that matches the dispatched "
"event";
}
- const TracedEventArgs traceArgs{.isSecure = isSecure};
- tracer.mBackend->traceWindowDispatch(windowDispatchArgs, traceArgs);
+ const TracedEventArgs traceArgs{.isSecure = isSecure, .targets = targets};
+ tracer.mBackend->traceWindowDispatch(windowDispatchArgs, std::move(traceArgs));
}
pendingDispatchArgs.clear();
diff --git a/services/inputflinger/dispatcher/trace/InputTracer.h b/services/inputflinger/dispatcher/trace/InputTracer.h
index 4ef6ca6..717bc1f 100644
--- a/services/inputflinger/dispatcher/trace/InputTracer.h
+++ b/services/inputflinger/dispatcher/trace/InputTracer.h
@@ -66,6 +66,8 @@
std::vector<const WindowDispatchArgs> pendingDispatchArgs;
// True if the event is targeting at least one secure window;
bool isSecure{false};
+ // The list of all possible UIDs that this event could be targeting.
+ std::set<gui::Uid> targets;
};
// Get the event state associated with a tracking cookie.
diff --git a/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h b/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h
index 4bb5799..3ff7fab 100644
--- a/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h
+++ b/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h
@@ -21,6 +21,7 @@
#include <ui/Transform.h>
#include <array>
+#include <set>
#include <variant>
#include <vector>
@@ -94,6 +95,8 @@
struct TracedEventArgs {
// True if the event is targeting at least one secure window.
bool isSecure;
+ // The list of possible UIDs that this event could be targeting.
+ std::set<gui::Uid> targets;
};
/** Additional information about an input event being dispatched to a window. */
diff --git a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp
index bed753c..b76bec3 100644
--- a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp
+++ b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp
@@ -22,6 +22,7 @@
#include <android-base/logging.h>
#include <perfetto/trace/android/android_input_event.pbzero.h>
+#include <private/android_filesystem_config.h>
namespace android::inputdispatcher::trace::impl {
@@ -29,6 +30,17 @@
constexpr auto INPUT_EVENT_TRACE_DATA_SOURCE_NAME = "android.input.inputevent";
+bool isPermanentlyAllowed(gui::Uid uid) {
+ switch (uid.val()) {
+ case AID_SYSTEM:
+ case AID_SHELL:
+ case AID_ROOT:
+ return true;
+ default:
+ return false;
+ }
+}
+
} // namespace
// --- PerfettoBackend::InputEventDataSource ---
@@ -55,6 +67,22 @@
InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) { ctx.Flush(); });
}
+void PerfettoBackend::InputEventDataSource::initializeUidMap(GetPackageUid getPackageUid) {
+ if (mUidMap.has_value()) {
+ return;
+ }
+
+ mUidMap = {{}};
+ for (const auto& rule : mConfig.rules) {
+ for (const auto& package : rule.matchAllPackages) {
+ mUidMap->emplace(package, getPackageUid(package));
+ }
+ for (const auto& package : rule.matchAnyPackages) {
+ mUidMap->emplace(package, getPackageUid(package));
+ }
+ }
+}
+
bool PerfettoBackend::InputEventDataSource::shouldIgnoreTracedInputEvent(
const EventType& type) const {
if (!getFlags().test(TraceFlag::TRACE_DISPATCHER_INPUT_EVENTS)) {
@@ -77,7 +105,6 @@
return rule.level;
}
}
-
// The event is not traced if it matched zero rules.
return TraceLevel::TRACE_LEVEL_NONE;
}
@@ -86,10 +113,31 @@
const TracedEventArgs& args) const {
// By default, a rule will match all events. Return early if the rule does not match.
+ // Match the event if it is directed to a secure window.
if (rule.matchSecure.has_value() && *rule.matchSecure != args.isSecure) {
return false;
}
+ // Match the event if all of its target packages are explicitly allowed in the "match all" list.
+ if (!rule.matchAllPackages.empty() &&
+ !std::all_of(args.targets.begin(), args.targets.end(), [&](const auto& uid) {
+ return isPermanentlyAllowed(uid) ||
+ std::any_of(rule.matchAllPackages.begin(), rule.matchAllPackages.end(),
+ [&](const auto& pkg) { return uid == mUidMap->at(pkg); });
+ })) {
+ return false;
+ }
+
+ // Match the event if any of its target packages are allowed in the "match any" list.
+ if (!rule.matchAnyPackages.empty() &&
+ !std::any_of(args.targets.begin(), args.targets.end(), [&](const auto& uid) {
+ return std::any_of(rule.matchAnyPackages.begin(), rule.matchAnyPackages.end(),
+ [&](const auto& pkg) { return uid == mUidMap->at(pkg); });
+ })) {
+ return false;
+ }
+
+ // The event matches all matchers specified in the rule.
return true;
}
@@ -99,7 +147,8 @@
std::atomic<int32_t> PerfettoBackend::sNextInstanceId{1};
-PerfettoBackend::PerfettoBackend() {
+PerfettoBackend::PerfettoBackend(GetPackageUid getPackagesForUid)
+ : mGetPackageUid(getPackagesForUid) {
// Use a once-flag to ensure that the data source is only registered once per boot, since
// we never unregister the InputEventDataSource.
std::call_once(sDataSourceRegistrationFlag, []() {
@@ -120,6 +169,7 @@
const TracedEventArgs& args) {
InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) {
auto dataSource = ctx.GetDataSourceLocked();
+ dataSource->initializeUidMap(mGetPackageUid);
if (dataSource->shouldIgnoreTracedInputEvent(event.eventType)) {
return;
}
@@ -139,6 +189,7 @@
void PerfettoBackend::traceKeyEvent(const TracedKeyEvent& event, const TracedEventArgs& args) {
InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) {
auto dataSource = ctx.GetDataSourceLocked();
+ dataSource->initializeUidMap(mGetPackageUid);
if (dataSource->shouldIgnoreTracedInputEvent(event.eventType)) {
return;
}
@@ -159,6 +210,7 @@
const TracedEventArgs& args) {
InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) {
auto dataSource = ctx.GetDataSourceLocked();
+ dataSource->initializeUidMap(mGetPackageUid);
if (!dataSource->getFlags().test(TraceFlag::TRACE_DISPATCHER_WINDOW_DISPATCH)) {
return;
}
diff --git a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h
index c4f80c3..af1c6b7 100644
--- a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h
+++ b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h
@@ -23,6 +23,7 @@
#include <ftl/flags.h>
#include <perfetto/tracing.h>
#include <mutex>
+#include <set>
namespace android::inputdispatcher::trace::impl {
@@ -48,7 +49,9 @@
*/
class PerfettoBackend : public InputTracingBackendInterface {
public:
- PerfettoBackend();
+ using GetPackageUid = std::function<gui::Uid(std::string)>;
+
+ explicit PerfettoBackend(GetPackageUid);
~PerfettoBackend() override = default;
void traceKeyEvent(const TracedKeyEvent&, const TracedEventArgs&) override;
@@ -66,6 +69,7 @@
void OnStart(const StartArgs&) override;
void OnStop(const StopArgs&) override;
+ void initializeUidMap(GetPackageUid);
bool shouldIgnoreTracedInputEvent(const EventType&) const;
inline ftl::Flags<TraceFlag> getFlags() const { return mConfig.flags; }
TraceLevel resolveTraceLevel(const TracedEventArgs&) const;
@@ -75,8 +79,14 @@
TraceConfig mConfig;
bool ruleMatches(const TraceRule&, const TracedEventArgs&) const;
+
+ std::optional<std::map<std::string, gui::Uid>> mUidMap;
};
+ // TODO(b/330360505): Query the native package manager directly from the data source,
+ // and remove this.
+ GetPackageUid mGetPackageUid;
+
static std::once_flag sDataSourceRegistrationFlag;
static std::atomic<int32_t> sNextInstanceId;
};