author | Yohei Yukawa <yukawa@google.com> | 2018-12-26 10:03:11 -0800 |
---|---|---|
committer | Yohei Yukawa <yukawa@google.com> | 2018-12-26 10:03:11 -0800 |
commit | b8d240fa3f96b7b4ea35dd271beda789044d63ab (patch) | |
tree | 52efb6f0010a95fd2d510ff41848265a123813a5 /tests/DynamicCodeLoggerIntegrationTests/src/cpp/test_executable.cpp | |
parent | c9b8ad0c41e2b493868e28081ead7f705fb1a21f (diff) |
Lock down IInputMethodManager#shellCommand() based on caller UID
This is part of our on-going effort to review caller verifications in
InputMethodManagerService (IMMS).
In Android P, IMMS started relying on IBinder#shellCommand() to
implement the 'adb shell ime' command [1]. When handling an incoming
request, the following caller verifications are used depending on the
command type.
* IMMS#calledFromValidUserLocked()
  * This can be bypassed with INTERACT_ACROSS_USERS_FULL permission
* WRITE_SECURE_SETTINGS permission
From the viewpoint of caller verification, this is basically the same
as how commands like 'adb shell ime' were handled before
IBinder#shellCommand().
What this CL aims to do is adding one more foolproof to this protocol.
Given that all commands exposed via IInputMethodManager#shellCommand()
are intended to be used only from "shell" environment, it is most
likely safe to reject any request from non-shell users. With this
additional restriction, even if some caller verification was
accidentally missed in those shell commands, such a security hole would
not be exposed to random applications.
[1]: I9a2dbbf1d4494addbe22c82e2c416eedc4d585f2
926488d70d09baefee0489537b2915602deaeebf
Bug: 34886274
Fix: 121989657
Test: Following commands still work, before/after "adb shell root"
* adb shell ime
* adb shell ime list
* adb shell ime set com.android.inputmethod.latin/.LatinIME
* adb shell cmd input_method
* adb shell cmd input_method refresh_debug_properties
* adb shell dumpsys input_method
Test: atest CtsInputMethodTestCases CtsInputMethodServiceHostTestCases
Change-Id: If87189563ccaacd4f9c666bab4f9ad08a9343084
Diffstat (limited to 'tests/DynamicCodeLoggerIntegrationTests/src/cpp/test_executable.cpp')
0 files changed, 0 insertions, 0 deletions
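The caller-UID gate described in the commit message, as an added stand-alone model (not code from this commit or from AOSP). It assumes the gate admits the root and shell UIDs (0 and 2000 on Android), which matches the Test lines that run the commands before and after rooting; the `Caller` record, the `debug_toggle` command with its missing check, and the app UID 10123 are constructed for illustration.

```java
import java.util.Set;

/** Constructed model of a UID gate in front of shell-only commands. */
public class ShellCommandGateDemo {
    // Same values as android.os.Process.ROOT_UID and SHELL_UID.
    static final int ROOT_UID = 0;
    static final int SHELL_UID = 2000;
    static final String WRITE_SECURE_SETTINGS = "android.permission.WRITE_SECURE_SETTINGS";

    /** Hypothetical caller: its UID plus the permissions it holds. */
    record Caller(int uid, Set<String> permissions) {}

    /** Per-command verification only, i.e. the situation without the outer gate. */
    static String handleCommand(Caller caller, String cmd) {
        switch (cmd) {
            case "set":
                if (!caller.permissions().contains(WRITE_SECURE_SETTINGS)) {
                    throw new SecurityException("set requires WRITE_SECURE_SETTINGS");
                }
                return "set: ok";
            case "debug_toggle":
                // Constructed flaw: this hypothetical command forgot its caller check.
                return "debug_toggle: ok";
            default:
                return "unknown command";
        }
    }

    /** Outer gate: reject every caller that is neither root nor shell before dispatch. */
    static String shellCommand(Caller caller, String cmd) {
        if (caller.uid() != ROOT_UID && caller.uid() != SHELL_UID) {
            throw new SecurityException("shell commands rejected for callingUid=" + caller.uid());
        }
        return handleCommand(caller, cmd);
    }

    public static void main(String[] args) {
        Caller shell = new Caller(SHELL_UID, Set.of(WRITE_SECURE_SETTINGS));
        Caller app = new Caller(10123, Set.of()); // constructed app UID, no permissions
        System.out.println("shell, gated: " + shellCommand(shell, "debug_toggle"));
        // Without the gate, the missed check is reachable from an ordinary app UID.
        System.out.println("app, ungated: " + handleCommand(app, "debug_toggle"));
        try {
            shellCommand(app, "debug_toggle");
        } catch (SecurityException e) {
            System.out.println("app, gated: " + e.getMessage());
        }
    }
}
```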