authorRobert Carr <racarr@google.com>2019-02-15 23:48:11 (GMT)
committerandroid-build-team Robot <android-build-team-robot@google.com>2019-05-15 05:32:40 (GMT)
commit5fc1b18b7fcc8c556f745ce1858a4cb9e99a1888 (patch)
treed0275775c59ff48f0c0b9c01dc996c91ecc8b628
parent42dd8b626b9547fc145306d1aabe035e58341662 (diff)
[RESTRICT AUTOMERGE]: Exclude secure layers from most screenshots taken by the system server.
In pre-P versions of Android, it was allowed to screenshot secure layers if the buffer queue producer which was the target of the screenshot was owned by the system (in this case SurfaceFlinger). This really was a synonym for: The screen rotation animation was allowed to capture secure layers, but the other code paths weren't. In O we mistakenly changed this check to always allow the system server to capture secure layers via the captureScreen path (the captureLayers path used for TaskSnapshots was unaffected). This can result in data leakage in cases where the system server takes screenshots on behalf of other parts of the system (e.g. for the assistant). To mitigate this we provide an explicit switch for the system server to specify whether it wishes to capture Secure layers. While this is dangerous, I think it is less dangerous than the previous implicit switch of capturing secure layers based on which type of BufferQueue was passed in. The flag defaults to not capturing secure layers and we set it to true in the one place we need it (for the screen rotation animation). Non privileged clients can still not capture secure layers at all directly. Test: TransactionTest.cpp#SetFlagsSecureEUidSystem Bug: 120610669 Change-Id: I9d32c5ac2b005059be9f464859a415167d9ddbd4 (cherry picked from commit dc49e0088a05108a0616704ca5565136f89c0a1f)
-rw-r--r--core/java/android/view/SurfaceControl.java26
-rw-r--r--core/jni/android_view_SurfaceControl.cpp6
-rw-r--r--services/core/java/com/android/server/wm/ScreenRotationAnimation.java20
3 files changed, 43 insertions, 9 deletions
diff --git a/core/java/android/view/SurfaceControl.java b/core/java/android/view/SurfaceControl.java
index ed8b005..eec34cd 100644
--- a/core/java/android/view/SurfaceControl.java
+++ b/core/java/android/view/SurfaceControl.java
@@ -74,7 +74,8 @@ public class SurfaceControl implements Parcelable {
boolean allLayers, boolean useIdentityTransform, int rotation);
private static native GraphicBuffer nativeScreenshotToBuffer(IBinder displayToken,
Rect sourceCrop, int width, int height, int minLayer, int maxLayer,
- boolean allLayers, boolean useIdentityTransform, int rotation);
+ boolean allLayers, boolean useIdentityTransform, int rotation,
+ boolean captureSecureLayers);
private static native void nativeScreenshot(IBinder displayToken, Surface consumer,
Rect sourceCrop, int width, int height, int minLayer, int maxLayer,
boolean allLayers, boolean useIdentityTransform);
@@ -1249,7 +1250,28 @@ public class SurfaceControl implements Parcelable {
IBinder displayToken = SurfaceControl.getBuiltInDisplay(
SurfaceControl.BUILT_IN_DISPLAY_ID_MAIN);
return nativeScreenshotToBuffer(displayToken, sourceCrop, width, height,
- minLayer, maxLayer, false, useIdentityTransform, rotation);
+ minLayer, maxLayer, false, useIdentityTransform, rotation,
+ false /* captureSecureLayers */);
+ }
+
+ /**
+ * Like screenshotToBuffer, but if the caller is AID_SYSTEM, allows
+ * for the capture of secure layers. This is used for the screen rotation
+ * animation where the system server takes screenshots but does
+ * not persist them or allow them to leave the server. However in other
+ * cases in the system server, we mostly want to omit secure layers
+ * like when we take a screenshot on behalf of the assistant.
+ *
+ * @hide
+ */
+ public static GraphicBuffer screenshotToBufferWithSecureLayersUnsafe(Rect sourceCrop,
+ int width, int height, int minLayer, int maxLayer, boolean useIdentityTransform,
+ int rotation) {
+ IBinder displayToken = SurfaceControl.getBuiltInDisplay(
+ SurfaceControl.BUILT_IN_DISPLAY_ID_MAIN);
+ return nativeScreenshotToBuffer(displayToken, sourceCrop, width, height,
+ minLayer, maxLayer, false, useIdentityTransform, rotation,
+ true /* captureSecureLayers */);
}
/**
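Review bot: The Javadoc on `screenshotToBufferWithSecureLayersUnsafe` says secure layers are captured "if the caller is AID_SYSTEM", but nothing in this Java method checks the caller. Enforcement presumably sits further down the capture path, which this hunk does not show, so the comment should say where it lives. It should also state the caller's obligation explicitly, for example `* The returned buffer may contain secure-layer content: callers must not persist it, parcel it, or hand it to another process.` The body duplicates `screenshotToBuffer` apart from the final flag, so a private helper taking `boolean captureSecureLayers` would keep the two from drifting apart. `screenshotToBuffer` itself starts outside this hunk.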
diff --git a/core/jni/android_view_SurfaceControl.cpp b/core/jni/android_view_SurfaceControl.cpp
index 5b4b5f2..1529a6b 100644
--- a/core/jni/android_view_SurfaceControl.cpp
+++ b/core/jni/android_view_SurfaceControl.cpp
@@ -160,7 +160,7 @@ static Rect rectFromObj(JNIEnv* env, jobject rectObj) {
static jobject nativeScreenshotToBuffer(JNIEnv* env, jclass clazz,
jobject displayTokenObj, jobject sourceCropObj, jint width, jint height,
jint minLayer, jint maxLayer, bool allLayers, bool useIdentityTransform,
- int rotation) {
+ int rotation, bool captureSecureLayers) {
sp<IBinder> displayToken = ibinderForJavaObject(env, displayTokenObj);
if (displayToken == NULL) {
return NULL;
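Review bot: The new `bool captureSecureLayers` parameter is registered with JNI type `Z` (the `IIIIZZIZ` signature in the method table later in this file), which is `jboolean`, not C++ `bool`. This follows the neighbouring `allLayers` and `useIdentityTransform` parameters, but it relies on the two types having the same size and representation on every ABI. For a flag that gates capture of secure content I would declare it `jboolean captureSecureLayers` and pass `captureSecureLayers == JNI_TRUE` to `ScreenshotClient::capture`. The function body continues outside this hunk.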
@@ -173,7 +173,7 @@ static jobject nativeScreenshotToBuffer(JNIEnv* env, jclass clazz,
sp<GraphicBuffer> buffer;
status_t res = ScreenshotClient::capture(displayToken,
sourceCrop, width, height, minLayer, maxLayer, useIdentityTransform,
- rotation, &buffer);
+ rotation, captureSecureLayers, &buffer);
if (res != NO_ERROR) {
return NULL;
}
@@ -1026,7 +1026,7 @@ static const JNINativeMethod sSurfaceControlMethods[] = {
{"nativeGetHandle", "(J)Landroid/os/IBinder;",
(void*)nativeGetHandle },
{"nativeScreenshotToBuffer",
- "(Landroid/os/IBinder;Landroid/graphics/Rect;IIIIZZI)Landroid/graphics/GraphicBuffer;",
+ "(Landroid/os/IBinder;Landroid/graphics/Rect;IIIIZZIZ)Landroid/graphics/GraphicBuffer;",
(void*)nativeScreenshotToBuffer },
{"nativeCaptureLayers", "(Landroid/os/IBinder;Landroid/graphics/Rect;F)Landroid/graphics/GraphicBuffer;",
(void*)nativeCaptureLayers },
diff --git a/services/core/java/com/android/server/wm/ScreenRotationAnimation.java b/services/core/java/com/android/server/wm/ScreenRotationAnimation.java
index 755a571..498cda1 100644
--- a/services/core/java/com/android/server/wm/ScreenRotationAnimation.java
+++ b/services/core/java/com/android/server/wm/ScreenRotationAnimation.java
@@ -27,6 +27,7 @@ import static com.android.server.wm.ScreenRotationAnimationProto.ANIMATION_RUNNI
import static com.android.server.wm.ScreenRotationAnimationProto.STARTED;
import android.content.Context;
+import android.graphics.GraphicBuffer;
import android.graphics.Matrix;
import android.graphics.Rect;
import android.os.IBinder;
@@ -285,10 +286,21 @@ class ScreenRotationAnimation {
if (displayHandle != null) {
Surface sur = new Surface();
sur.copyFrom(mSurfaceControl);
- SurfaceControl.screenshot(displayHandle, sur);
- t.setLayer(mSurfaceControl, SCREEN_FREEZE_LAYER_SCREENSHOT);
- t.setAlpha(mSurfaceControl, 0);
- t.show(mSurfaceControl);
+ GraphicBuffer gb = SurfaceControl.screenshotToBufferWithSecureLayersUnsafe(
+ new Rect(), 0 /* width */, 0 /* height */, 0 /* minLayer */,
+ 0 /* maxLayer */, false /* useIdentityTransform */, 0 /* rotation */);
+ if (gb != null) {
+ try {
+ sur.attachAndQueueBuffer(gb);
+ } catch (RuntimeException e) {
+ Slog.w(TAG, "Failed to attach screenshot - " + e.getMessage());
+ }
+ t.setLayer(mSurfaceControl, SCREEN_FREEZE_LAYER_SCREENSHOT);
+ t.setAlpha(mSurfaceControl, 0);
+ t.show(mSurfaceControl);
+ } else {
+ Slog.w(TAG, "Unable to take screenshot of display " + displayId);
+ }
sur.destroy();
} else {
Slog.w(TAG, "Built-in display " + displayId + " is null.");
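Review bot: After this change `displayHandle` is only null-checked and no longer selects what is captured. The removed `SurfaceControl.screenshot(displayHandle, sur)` used it, while `screenshotToBufferWithSecureLayersUnsafe` resolves `BUILT_IN_DISPLAY_ID_MAIN` itself. If this animation can run for a display other than the main built-in one (where `displayHandle` comes from is outside the hunk), the frozen frame would be taken from the main display, secure layers included, and shown on another. Consider giving the new method an `IBinder displayToken` parameter and passing `displayHandle` through. Separately, a failed `attachAndQueueBuffer` still falls through to `t.show(mSurfaceControl)`, and `Slog.w(TAG, "Failed to attach screenshot", e)` would keep the stack trace.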