Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / ea97d18b244d01edff2098848022d125af350140^! / . / include / input / InputWindow.h
commitea97d18b244d01edff2098848022d125af350140[log] [tgz]
authorBernardo Rufino <brufino@google.com>Wed Aug 19 14:43:14 2020 +0100
committerBernardo Rufino <brufino@google.com>Mon Oct 05 16:37:03 2020 +0000
treec48327588557a89afb670636aa690c6dd6fe8348
parent21b0037dac3486703303c72ba92ff4ac364c6ebb [diff] [blame]
Block untrusted touches in InputDispatcher

With topic CL InputDispatcher now has the effect of each window for
cross-UID touch occlusion rules: ALLOW, USE_OPACITY or BLOCK_UNTRUSTED.
Check topic CL for exact meaning of each. USE_OPACITY is only used by
SAWs for now.

In this CL, InputDispatcher make use of that information for the stack
of windows above the touch-consuming window to block a touch or not.

The summary of the rules are:
* If there is any visible untrusted window from a different UID (than
the touch-consuming window UID) that has state BLOCK_UNTRUSTED, the
touch is blocked.
* Else, if there is any visible untrusted window from a different UID
that has state USE_OPACITY, we compute the composed obscuring opacity
by each stack of USE_OPACITY windows per UID of occluding window.
We take maximum of those and compare with secure setting
"maximum_obscuring_opacity_for_touch", if it's greater than the
setting the touch is blocked. This means the remaining visibility on the
touch-consuming window is not high enough to let the touch happen.
* Else we don't block the touch.

More details on go/cross-uid-touches. This doesn't interfere with
existing flags FLAG_WINDOW_IS_OBSCURED and
FLAG_WINDOW_IS_PARTIALLY_OBSCURED.

To compute the opacity we also propagate the alpha of each window from
SurfaceFlinger to InputDispatcher.

Test: atest WindowUntrustedTouchTest
Test: atest inputflinger_tests inputflinger_benchmarks libinput_tests
Test: go/try-cross-uid-touches for manual testing
Bug: 158002302
Change-Id: I673d7a5f16b19952311e8cb44a48af4349a4bd40

diff --git a/include/input/InputWindow.h b/include/input/InputWindow.h
index 7372022..36097d6 100644
--- a/include/input/InputWindow.h
+++ b/include/input/InputWindow.h

@@ -17,6 +17,7 @@
 #ifndef _UI_INPUT_WINDOW_H
 #define _UI_INPUT_WINDOW_H
 
+#include <android/os/TouchOcclusionMode.h>
 #include <binder/Parcel.h>
 #include <binder/Parcelable.h>
 #include <input/Flags.h>
@@ -30,6 +31,8 @@
 
 #include "InputApplication.h"
 
+using android::os::TouchOcclusionMode;
+
 namespace android {
 
 /*
@@ -158,6 +161,10 @@
     // in scaling of the TOUCH_MAJOR/TOUCH_MINOR axis.
     float globalScaleFactor = 1.0f;
 
+    // The opacity of this window, from 0.0 to 1.0 (inclusive).
+    // An alpha of 1.0 means fully opaque and 0.0 means fully transparent.
+    float alpha;
+
     // Transform applied to individual windows.
     ui::Transform transform;
 
@@ -176,8 +183,10 @@
      * motion events to be delivered to them with AMOTION_EVENT_FLAG_WINDOW_IS_OBSCURED.
      */
     bool trustedOverlay = false;
+    TouchOcclusionMode touchOcclusionMode = TouchOcclusionMode::BLOCK_UNTRUSTED;
     int32_t ownerPid = -1;
     int32_t ownerUid = -1;
+    std::string packageName;
     Flags<Feature> inputFeatures;
     int32_t displayId = ADISPLAY_ID_NONE;
     int32_t portalToDisplayId = ADISPLAY_ID_NONE;