Skip to content

Commit 8bf4362

Browse files
bryceleeAndroid Build Coastguard Worker
brycelee
authored and
Android Build Coastguard Worker
committed
Clear Binder identity on calls into DreamService.
There are multiple entry points where DreamService is accessed by the either the System or SystemUI. In these cases, the Binder identity should be cleared to prevent the DreamService implementation from running in an elevated state. Test: atest DreamServiceTest Fixed: 406895224 Flag: EXEMPT bugfix (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c027f365a60228be94ed1323641752ef11566e64) Merged-In: I8e76f590d6f65ae689f5220b233b7197f2e731b4 Change-Id: I8e76f590d6f65ae689f5220b233b7197f2e731b4
1 parent 4e4f936 commit 8bf4362

File tree

1 file changed

+40
-9
lines changed

1 file changed

+40
-9
lines changed

core/java/android/service/dreams/DreamService.java

Lines changed: 40 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1211,13 +1211,23 @@ public void onCreate() {
12111211
mOverlayCallback = new IDreamOverlayCallback.Stub() {
12121212
@Override
12131213
public void onExitRequested() {
1214-
// Simply finish dream when exit is requested.
1215-
mHandler.post(() -> finishInternal());
1214+
final long token = Binder.clearCallingIdentity();
1215+
try {
1216+
// Simply finish dream when exit is requested.
1217+
mHandler.post(() -> finishInternal());
1218+
} finally {
1219+
Binder.restoreCallingIdentity(token);
1220+
}
12161221
}
12171222

12181223
@Override
12191224
public void onRedirectWake(boolean redirect) {
1220-
mRedirectWake = redirect;
1225+
final long token = Binder.clearCallingIdentity();
1226+
try {
1227+
mRedirectWake = redirect;
1228+
} finally {
1229+
Binder.restoreCallingIdentity(token);
1230+
}
12211231
}
12221232
};
12231233

@@ -1883,25 +1893,46 @@ private void post(Consumer<DreamService> consumer) {
18831893
@Override
18841894
public void attach(final IBinder dreamToken, final boolean canDoze,
18851895
final boolean isPreviewMode, IRemoteCallback started) {
1886-
post(dreamService -> dreamService.attach(dreamToken, canDoze, isPreviewMode, started));
1896+
final long token = Binder.clearCallingIdentity();
1897+
try {
1898+
post(dreamService -> dreamService.attach(dreamToken, canDoze, isPreviewMode,
1899+
started));
1900+
} finally {
1901+
Binder.restoreCallingIdentity(token);
1902+
}
18871903
}
18881904

18891905
@Override
18901906
public void detach() {
1891-
post(DreamService::detach);
1907+
final long token = Binder.clearCallingIdentity();
1908+
try {
1909+
post(DreamService::detach);
1910+
} finally {
1911+
Binder.restoreCallingIdentity(token);
1912+
}
18921913
}
18931914

18941915
@Override
18951916
public void wakeUp() {
1896-
post(dreamService -> dreamService.wakeUp(true /*fromSystem*/));
1917+
final long token = Binder.clearCallingIdentity();
1918+
try {
1919+
post(dreamService -> dreamService.wakeUp(true /*fromSystem*/));
1920+
} finally {
1921+
Binder.restoreCallingIdentity(token);
1922+
}
18971923
}
18981924

18991925
@Override
19001926
public void comeToFront() {
1901-
if (!dreamHandlesBeingObscured()) {
1902-
return;
1927+
final long token = Binder.clearCallingIdentity();
1928+
try {
1929+
if (!dreamHandlesBeingObscured()) {
1930+
return;
1931+
}
1932+
post(DreamService::comeToFront);
1933+
} finally {
1934+
Binder.restoreCallingIdentity(token);
19031935
}
1904-
post(DreamService::comeToFront);
19051936
}
19061937
}
19071938

0 commit comments

Comments
 (0)