DO NOT MERGE: SurfaceControlViewHost: Restrict disclosure of input token

Currently we send the input (channel) token from the embedded view hierarchy to the remote embedding process via SurfacePackage. This is used to call grantEmbeddedWindowFocus. However this could also allow the host process to invoke updateInputChannel, which is not desirable. To fix this we rework updateInputChannel to work in terms of a focusGrantToken, which only carries this 1 capability. SurfacePackage is modified to not include the input token, but rather include this focus grant token. Bug: 215912712 Test: SurfaceControlViewHostTests Change-Id: Ie278f678f12f50c32f142a4260ff7d1c2a9ca57c (cherry picked from commit 501ee91b957eab6feb05832168573f51573efced)
author: Robert Carr <racarr@google.com> 2022-01-26 10:49:18 -0800
committer: Rob Carr <racarr@google.com> 2022-04-05 19:21:55 +0000
commit: 0cfda55b95e842d7a90548de80292576bf5a0bd9 (patch)
tree: 3df0bd0e667c673d4af1f3409d48e4bc9bcad22f /core/java
parent: 8c10a6aa0dd91e4f899469648398e8a3d86edca7 (diff)
3 files changed, 11 insertions, 5 deletions
diff --git a/core/java/android/view/IWindowSession.aidl b/core/java/android/view/IWindowSession.aidl
index 9da50889e43f..46ee0f839fa9 100644
--- a/core/java/android/view/IWindowSession.aidl
+++ b/core/java/android/view/IWindowSession.aidl
@@ -306,7 +306,7 @@ interface IWindowSession {
     */
     void grantInputChannel(int displayId, in SurfaceControl surface, in IWindow window,
             in IBinder hostInputToken, int flags, int privateFlags, int type,
-            out InputChannel outInputChannel);
+            in IBinder focusGrantToken, out InputChannel outInputChannel);
 
     /**
      * Update the flags on an input channel associated with a particular surface.
diff --git a/core/java/android/view/SurfaceControlViewHost.java b/core/java/android/view/SurfaceControlViewHost.java
index a6c5042db275..a312939e6522 100644
--- a/core/java/android/view/SurfaceControlViewHost.java
+++ b/core/java/android/view/SurfaceControlViewHost.java
@@ -231,7 +231,7 @@ public class SurfaceControlViewHost {
     public @Nullable SurfacePackage getSurfacePackage() {
         if (mSurfaceControl != null && mAccessibilityEmbeddedConnection != null) {
             return new SurfacePackage(mSurfaceControl, mAccessibilityEmbeddedConnection,
-                    mViewRoot.getInputToken());
+                    mWm.getFocusGrantToken());
         } else {
             return null;
         }
diff --git a/core/java/android/view/WindowlessWindowManager.java b/core/java/android/view/WindowlessWindowManager.java
index ffb7efa67243..d5cf1a360b0f 100644
--- a/core/java/android/view/WindowlessWindowManager.java
+++ b/core/java/android/view/WindowlessWindowManager.java
@@ -22,6 +22,7 @@ import android.graphics.PixelFormat;
 import android.graphics.Point;
 import android.graphics.Rect;
 import android.graphics.Region;
+import android.os.Binder;
 import android.os.IBinder;
 import android.os.RemoteCallback;
 import android.os.RemoteException;
@@ -75,6 +76,7 @@ public class WindowlessWindowManager implements IWindowSession {
     private final Configuration mConfiguration;
     private final IWindowSession mRealWm;
     private final IBinder mHostInputToken;
+    private final IBinder mFocusGrantToken = new Binder();
 
     private int mForceHeight = -1;
     private int mForceWidth = -1;
@@ -91,6 +93,10 @@ public class WindowlessWindowManager implements IWindowSession {
         mConfiguration.setTo(configuration);
     }
 
+    IBinder getFocusGrantToken() {
+        return mFocusGrantToken;
+    }
+
     /**
      * Utility API.
      */
@@ -153,10 +159,10 @@ public class WindowlessWindowManager implements IWindowSession {
                     mRealWm.grantInputChannel(displayId,
                         new SurfaceControl(sc, "WindowlessWindowManager.addToDisplay"),
                         window, mHostInputToken, attrs.flags, attrs.privateFlags, attrs.type,
-                        outInputChannel);
+                        mFocusGrantToken, outInputChannel);
                 } else {
                     mRealWm.grantInputChannel(displayId, sc, window, mHostInputToken, attrs.flags,
-                        attrs.privateFlags, attrs.type, outInputChannel);
+                        attrs.privateFlags, attrs.type, mFocusGrantToken, outInputChannel);
                 }
             } catch (RemoteException e) {
                 Log.e(TAG, "Failed to grant input to surface: ", e);
@@ -464,7 +470,7 @@ public class WindowlessWindowManager implements IWindowSession {
 
     @Override
     public void grantInputChannel(int displayId, SurfaceControl surface, IWindow window,
-            IBinder hostInputToken, int flags, int privateFlags, int type,
+            IBinder hostInputToken, int flags, int privateFlags, int type, IBinder focusGrantToken,
             InputChannel outInputChannel) {
     }
author	Robert Carr <racarr@google.com>	2022-01-26 10:49:18 -0800
committer	Rob Carr <racarr@google.com>	2022-04-05 19:21:55 +0000
commit	0cfda55b95e842d7a90548de80292576bf5a0bd9 (patch)
tree	3df0bd0e667c673d4af1f3409d48e4bc9bcad22f /core/java
parent	8c10a6aa0dd91e4f899469648398e8a3d86edca7 (diff)