InputTracer: Adjust traced event sensitivity based on allow-list An allow-list of packages will be defined in the perfetto config for input traces. We can only allow an event to traced completely (i.e. treated as a non-sensitive event) if _all_ of the UIDs that the event is targeting are allow-listed for the trace. In each trace instace, we maintain a cache of whether UIDs seen so far are allow-listed. Since the allow-list is specified through a list of package names, we must query PackageManager through the InputDispatcher policy to look up the packages that correspond to each UID that we see. Bug: 210460522 Test: manual with perfetto Change-Id: I9c19a5ed941ebc239dccc0363cc6553733e16afd

commit: bf3c8322208df04f04eca76e193760760e26e7e6 [log] [tgz]
author: Prabir Pradhan <prabirmsp@google.com> Fri Feb 23 02:38:36 2024 +0000
committer: Prabir Pradhan <prabirmsp@google.com> Tue Mar 19 18:43:14 2024 +0000
tree: 30b0320fd758a5c673bb0d9ed5175a39bd89725e
parent: b568238e53890fce51eeaab4325db1f627262461 [diff]
diff --git a/services/inputflinger/dispatcher/trace/InputTracer.cpp b/services/inputflinger/dispatcher/trace/InputTracer.cpp
index d776249..55ed5c6 100644
--- a/services/inputflinger/dispatcher/trace/InputTracer.cpp
+++ b/services/inputflinger/dispatcher/trace/InputTracer.cpp

@@ -19,6 +19,7 @@
 #include "InputTracer.h"
 
 #include <android-base/logging.h>
+#include <private/android_filesystem_config.h>
 
 namespace android::inputdispatcher::trace::impl {
 
@@ -71,6 +72,24 @@
     return std::visit([](const auto& event) { return event.id; }, v);
 }
 
+// Helper class to extract relevant information from InputTarget.
+struct InputTargetInfo {
+    gui::Uid uid;
+    bool isSecureWindow;
+};
+
+InputTargetInfo getTargetInfo(const InputTarget& target) {
+    if (target.windowHandle == nullptr) {
+        if (!target.connection->monitor) {
+            LOG(FATAL) << __func__ << ": Window is not set for non-monitor target";
+        }
+        // This is a global monitor, assume its target is the system.
+        return {.uid = gui::Uid{AID_SYSTEM}, .isSecureWindow = false};
+    }
+    return {target.windowHandle->getInfo()->ownerUid,
+            target.windowHandle->getInfo()->layoutParamsFlags.test(gui::WindowInfo::Flag::SECURE)};
+}
+
 } // namespace
 
 // --- InputTracer ---
@@ -104,19 +123,25 @@
 void InputTracer::dispatchToTargetHint(const EventTrackerInterface& cookie,
                                        const InputTarget& target) {
     auto& eventState = getState(cookie);
+    const InputTargetInfo& targetInfo = getTargetInfo(target);
     if (eventState->isEventProcessingComplete) {
-        // TODO(b/210460522): Disallow adding new targets after eventProcessingComplete() is called.
+        // Disallow adding new targets after eventProcessingComplete() is called.
+        if (eventState->targets.find(targetInfo.uid) == eventState->targets.end()) {
+            LOG(FATAL) << __func__ << ": Cannot add new target after eventProcessingComplete";
+        }
         return;
     }
     if (isDerivedCookie(cookie)) {
-        // TODO(b/210460522): Disallow adding new targets from a derived cookie.
+        // Disallow adding new targets from a derived cookie.
+        if (eventState->targets.find(targetInfo.uid) == eventState->targets.end()) {
+            LOG(FATAL) << __func__ << ": Cannot add new target from a derived cookie";
+        }
         return;
     }
-    if (target.windowHandle != nullptr) {
-        eventState->isSecure |= target.windowHandle->getInfo()->layoutParamsFlags.test(
-                gui::WindowInfo::Flag::SECURE);
-        // TODO(b/210460522): Set events as sensitive when the IME connection is active.
-    }
+
+    eventState->targets.emplace(targetInfo.uid);
+    eventState->isSecure |= targetInfo.isSecureWindow;
+    // TODO(b/210460522): Set events as sensitive when the IME connection is active.
 }
 
 void InputTracer::eventProcessingComplete(const EventTrackerInterface& cookie) {
@@ -152,8 +177,9 @@
         // is dispatched, such as in the case of key fallback events. To account for these cases,
         // derived events can be traced after the processing is complete for the original event.
         const auto& event = eventState->events.back();
-        const TracedEventArgs traceArgs{.isSecure = eventState->isSecure};
-        writeEventToBackend(event, traceArgs, *mBackend);
+        const TracedEventArgs traceArgs{.isSecure = eventState->isSecure,
+                                        .targets = eventState->targets};
+        writeEventToBackend(event, std::move(traceArgs), *mBackend);
     }
     return std::make_unique<EventTrackerImpl>(std::move(eventState), /*isDerived=*/true);
 }
@@ -180,6 +206,10 @@
                 << ": Failed to find a previously traced event that matches the dispatched event";
     }
 
+    if (eventState->targets.count(dispatchEntry.targetUid) == 0) {
+        LOG(FATAL) << __func__ << ": Event is being dispatched to UID that it is not targeting";
+    }
+
     // The vsyncId only has meaning if the event is targeting a window.
     const int32_t windowId = dispatchEntry.windowId.value_or(0);
     const int32_t vsyncId = dispatchEntry.windowId.has_value() ? dispatchEntry.vsyncId : 0;
@@ -196,8 +226,9 @@
                                                 /*hmac=*/{},
                                                 resolvedKeyRepeatCount};
     if (eventState->isEventProcessingComplete) {
-        mBackend->traceWindowDispatch(std::move(windowDispatchArgs),
-                                      TracedEventArgs{.isSecure = eventState->isSecure});
+        const TracedEventArgs traceArgs{.isSecure = eventState->isSecure,
+                                        .targets = eventState->targets};
+        mBackend->traceWindowDispatch(std::move(windowDispatchArgs), std::move(traceArgs));
     } else {
         eventState->pendingDispatchArgs.emplace_back(std::move(windowDispatchArgs));
     }
@@ -217,7 +248,7 @@
 void InputTracer::EventState::onEventProcessingComplete() {
     // Write all of the events known so far to the trace.
     for (const auto& event : events) {
-        const TracedEventArgs traceArgs{.isSecure = isSecure};
+        const TracedEventArgs traceArgs{.isSecure = isSecure, .targets = targets};
         writeEventToBackend(event, traceArgs, *tracer.mBackend);
     }
     // Write all pending dispatch args to the trace.
@@ -232,8 +263,8 @@
                        << ": Failed to find a previously traced event that matches the dispatched "
                           "event";
         }
-        const TracedEventArgs traceArgs{.isSecure = isSecure};
-        tracer.mBackend->traceWindowDispatch(windowDispatchArgs, traceArgs);
+        const TracedEventArgs traceArgs{.isSecure = isSecure, .targets = targets};
+        tracer.mBackend->traceWindowDispatch(windowDispatchArgs, std::move(traceArgs));
     }
     pendingDispatchArgs.clear();
 

diff --git a/services/inputflinger/dispatcher/trace/InputTracer.h b/services/inputflinger/dispatcher/trace/InputTracer.h
index 4ef6ca6..717bc1f 100644
--- a/services/inputflinger/dispatcher/trace/InputTracer.h
+++ b/services/inputflinger/dispatcher/trace/InputTracer.h

@@ -66,6 +66,8 @@
         std::vector<const WindowDispatchArgs> pendingDispatchArgs;
         // True if the event is targeting at least one secure window;
         bool isSecure{false};
+        // The list of all possible UIDs that this event could be targeting.
+        std::set<gui::Uid> targets;
     };
 
     // Get the event state associated with a tracking cookie.

diff --git a/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h b/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h
index 4bb5799..3ff7fab 100644
--- a/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h
+++ b/services/inputflinger/dispatcher/trace/InputTracingBackendInterface.h

@@ -21,6 +21,7 @@
 #include <ui/Transform.h>
 
 #include <array>
+#include <set>
 #include <variant>
 #include <vector>
 
@@ -94,6 +95,8 @@
 struct TracedEventArgs {
     // True if the event is targeting at least one secure window.
     bool isSecure;
+    // The list of possible UIDs that this event could be targeting.
+    std::set<gui::Uid> targets;
 };
 
 /** Additional information about an input event being dispatched to a window. */

diff --git a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp
index bed753c..b76bec3 100644
--- a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp
+++ b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.cpp

@@ -22,6 +22,7 @@
 
 #include <android-base/logging.h>
 #include <perfetto/trace/android/android_input_event.pbzero.h>
+#include <private/android_filesystem_config.h>
 
 namespace android::inputdispatcher::trace::impl {
 
@@ -29,6 +30,17 @@
 
 constexpr auto INPUT_EVENT_TRACE_DATA_SOURCE_NAME = "android.input.inputevent";
 
+bool isPermanentlyAllowed(gui::Uid uid) {
+    switch (uid.val()) {
+        case AID_SYSTEM:
+        case AID_SHELL:
+        case AID_ROOT:
+            return true;
+        default:
+            return false;
+    }
+}
+
 } // namespace
 
 // --- PerfettoBackend::InputEventDataSource ---
@@ -55,6 +67,22 @@
     InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) { ctx.Flush(); });
 }
 
+void PerfettoBackend::InputEventDataSource::initializeUidMap(GetPackageUid getPackageUid) {
+    if (mUidMap.has_value()) {
+        return;
+    }
+
+    mUidMap = {{}};
+    for (const auto& rule : mConfig.rules) {
+        for (const auto& package : rule.matchAllPackages) {
+            mUidMap->emplace(package, getPackageUid(package));
+        }
+        for (const auto& package : rule.matchAnyPackages) {
+            mUidMap->emplace(package, getPackageUid(package));
+        }
+    }
+}
+
 bool PerfettoBackend::InputEventDataSource::shouldIgnoreTracedInputEvent(
         const EventType& type) const {
     if (!getFlags().test(TraceFlag::TRACE_DISPATCHER_INPUT_EVENTS)) {
@@ -77,7 +105,6 @@
             return rule.level;
         }
     }
-
     // The event is not traced if it matched zero rules.
     return TraceLevel::TRACE_LEVEL_NONE;
 }
@@ -86,10 +113,31 @@
                                                         const TracedEventArgs& args) const {
     // By default, a rule will match all events. Return early if the rule does not match.
 
+    // Match the event if it is directed to a secure window.
     if (rule.matchSecure.has_value() && *rule.matchSecure != args.isSecure) {
         return false;
     }
 
+    // Match the event if all of its target packages are explicitly allowed in the "match all" list.
+    if (!rule.matchAllPackages.empty() &&
+        !std::all_of(args.targets.begin(), args.targets.end(), [&](const auto& uid) {
+            return isPermanentlyAllowed(uid) ||
+                    std::any_of(rule.matchAllPackages.begin(), rule.matchAllPackages.end(),
+                                [&](const auto& pkg) { return uid == mUidMap->at(pkg); });
+        })) {
+        return false;
+    }
+
+    // Match the event if any of its target packages are allowed in the "match any" list.
+    if (!rule.matchAnyPackages.empty() &&
+        !std::any_of(args.targets.begin(), args.targets.end(), [&](const auto& uid) {
+            return std::any_of(rule.matchAnyPackages.begin(), rule.matchAnyPackages.end(),
+                               [&](const auto& pkg) { return uid == mUidMap->at(pkg); });
+        })) {
+        return false;
+    }
+
+    // The event matches all matchers specified in the rule.
     return true;
 }
 
@@ -99,7 +147,8 @@
 
 std::atomic<int32_t> PerfettoBackend::sNextInstanceId{1};
 
-PerfettoBackend::PerfettoBackend() {
+PerfettoBackend::PerfettoBackend(GetPackageUid getPackagesForUid)
+      : mGetPackageUid(getPackagesForUid) {
     // Use a once-flag to ensure that the data source is only registered once per boot, since
     // we never unregister the InputEventDataSource.
     std::call_once(sDataSourceRegistrationFlag, []() {
@@ -120,6 +169,7 @@
                                        const TracedEventArgs& args) {
     InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) {
         auto dataSource = ctx.GetDataSourceLocked();
+        dataSource->initializeUidMap(mGetPackageUid);
         if (dataSource->shouldIgnoreTracedInputEvent(event.eventType)) {
             return;
         }
@@ -139,6 +189,7 @@
 void PerfettoBackend::traceKeyEvent(const TracedKeyEvent& event, const TracedEventArgs& args) {
     InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) {
         auto dataSource = ctx.GetDataSourceLocked();
+        dataSource->initializeUidMap(mGetPackageUid);
         if (dataSource->shouldIgnoreTracedInputEvent(event.eventType)) {
             return;
         }
@@ -159,6 +210,7 @@
                                           const TracedEventArgs& args) {
     InputEventDataSource::Trace([&](InputEventDataSource::TraceContext ctx) {
         auto dataSource = ctx.GetDataSourceLocked();
+        dataSource->initializeUidMap(mGetPackageUid);
         if (!dataSource->getFlags().test(TraceFlag::TRACE_DISPATCHER_WINDOW_DISPATCH)) {
             return;
         }

diff --git a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h
index c4f80c3..af1c6b7 100644
--- a/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h
+++ b/services/inputflinger/dispatcher/trace/InputTracingPerfettoBackend.h

@@ -23,6 +23,7 @@
 #include <ftl/flags.h>
 #include <perfetto/tracing.h>
 #include <mutex>
+#include <set>
 
 namespace android::inputdispatcher::trace::impl {
 
@@ -48,7 +49,9 @@
  */
 class PerfettoBackend : public InputTracingBackendInterface {
 public:
-    PerfettoBackend();
+    using GetPackageUid = std::function<gui::Uid(std::string)>;
+
+    explicit PerfettoBackend(GetPackageUid);
     ~PerfettoBackend() override = default;
 
     void traceKeyEvent(const TracedKeyEvent&, const TracedEventArgs&) override;
@@ -66,6 +69,7 @@
         void OnStart(const StartArgs&) override;
         void OnStop(const StopArgs&) override;
 
+        void initializeUidMap(GetPackageUid);
         bool shouldIgnoreTracedInputEvent(const EventType&) const;
         inline ftl::Flags<TraceFlag> getFlags() const { return mConfig.flags; }
         TraceLevel resolveTraceLevel(const TracedEventArgs&) const;
@@ -75,8 +79,14 @@
         TraceConfig mConfig;
 
         bool ruleMatches(const TraceRule&, const TracedEventArgs&) const;
+
+        std::optional<std::map<std::string, gui::Uid>> mUidMap;
     };
 
+    // TODO(b/330360505): Query the native package manager directly from the data source,
+    //   and remove this.
+    GetPackageUid mGetPackageUid;
+
     static std::once_flag sDataSourceRegistrationFlag;
     static std::atomic<int32_t> sNextInstanceId;
 };
commit	bf3c8322208df04f04eca76e193760760e26e7e6	[log] [tgz]
author	Prabir Pradhan <prabirmsp@google.com>	Fri Feb 23 02:38:36 2024 +0000
committer	Prabir Pradhan <prabirmsp@google.com>	Tue Mar 19 18:43:14 2024 +0000
tree	30b0320fd758a5c673bb0d9ed5175a39bd89725e
parent	b568238e53890fce51eeaab4325db1f627262461 [diff]