Cleaned up transaction sanitize calls
Exposed a way for a client to invoke sanitize with a uid and pid to
ensure we don't remove states when the process that added it was
privileged.
Added a helper function to get the permission ints based on the String
permission values so SF and clients can call the same API.
In SF, call sanitize as soon as setTransactionState is called since
that's the point where the Transaction has been passed over binder so we
can identify the calling uid. This allows us to remove the permission
values passed to applyTransactionState and unifies the places that were
calling sanitize.
Test: CredentialsTest
Bug: 267794530
Change-Id: I30c1800f0fee43df1cee82464139db7b56a7d911
diff --git a/libs/gui/SurfaceComposerClient.cpp b/libs/gui/SurfaceComposerClient.cpp
index eb5cc4f..1b13ec1 100644
--- a/libs/gui/SurfaceComposerClient.cpp
+++ b/libs/gui/SurfaceComposerClient.cpp
@@ -54,6 +54,7 @@
#include <ui/DynamicDisplayInfo.h>
#include <android-base/thread_annotations.h>
+#include <gui/LayerStatePermissions.h>
#include <private/gui/ComposerService.h>
#include <private/gui/ComposerServiceAIDL.h>
@@ -716,11 +717,16 @@
mListenerCallbacks = other.mListenerCallbacks;
}
-void SurfaceComposerClient::Transaction::sanitize() {
+void SurfaceComposerClient::Transaction::sanitize(int pid, int uid) {
+ uint32_t permissions = LayerStatePermissions::getTransactionPermissions(pid, uid);
for (auto & [handle, composerState] : mComposerStates) {
- composerState.state.sanitize(0 /* permissionMask */);
+ composerState.state.sanitize(permissions);
}
- mInputWindowCommands.clear();
+ if (!mInputWindowCommands.empty() &&
+ (permissions & layer_state_t::Permission::ACCESS_SURFACE_FLINGER) == 0) {
+ ALOGE("Only privileged callers are allowed to send input commands.");
+ mInputWindowCommands.clear();
+ }
}
std::unique_ptr<SurfaceComposerClient::Transaction>