BufferQueueProducer: use the correct IPCThreadState.

The system variant of libgui maybe be double loaded. Also
IGraphicBufferProducer functions may be called from hwbinder threads due
to the presence of TWGraphicBufferProducer wrappers (hybrid interfaces).
Therefore, we should use the correct IPCThreadState/ hardware::IPCThreadState to query
callingPids. This also avoids access to /dev/binder in vendor processes,
in case the system variant of the library is loaded, for eg: in
libmediandk.

Bug: 124128212

Test: Selinux denials realted to/dev/binder acccess are not present when AImageReader from
      libmediandk is used in a vendor process.

Test: Play Youtube movies on Chrome, use camera to take pictures/ record
      videos (sanity).

Change-Id: I27d78e30e16b7df5e3dfbb130121f3d7078671a3
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
diff --git a/libs/gui/BufferQueueConsumer.cpp b/libs/gui/BufferQueueConsumer.cpp
index 3837c3e..f2d5c8e 100644
--- a/libs/gui/BufferQueueConsumer.cpp
+++ b/libs/gui/BufferQueueConsumer.cpp
@@ -34,9 +34,10 @@
 #include <gui/IConsumerListener.h>
 #include <gui/IProducerListener.h>
 
-#include <binder/IPCThreadState.h>
+#include <private/gui/BufferQueueThreadState.h>
 #ifndef __ANDROID_VNDK__
 #include <binder/PermissionCache.h>
+#include <vndksupport/linker.h>
 #endif
 
 #include <system/window.h>
@@ -758,19 +759,29 @@
         return savedErrno ? -savedErrno : UNKNOWN_ERROR;
     }
 
-    const IPCThreadState* ipc = IPCThreadState::self();
-    const uid_t uid = ipc->getCallingUid();
+    bool denied = false;
+    const uid_t uid = BufferQueueThreadState::getCallingUid();
 #ifndef __ANDROID_VNDK__
     // permission check can't be done for vendors as vendors have no access to
-    // the PermissionController
-    const pid_t pid = ipc->getCallingPid();
-    if ((uid != shellUid) &&
-        !PermissionCache::checkPermission(String16("android.permission.DUMP"), pid, uid)) {
-        outResult->appendFormat("Permission Denial: can't dump BufferQueueConsumer "
-                "from pid=%d, uid=%d\n", pid, uid);
+    // the PermissionController. We need to do a runtime check as well, since
+    // the system variant of libgui can be loaded in a vendor process. For eg:
+    // if a HAL uses an llndk library that depends on libgui (libmediandk etc).
+    if (!android_is_in_vendor_process()) {
+        const pid_t pid = BufferQueueThreadState::getCallingPid();
+        if ((uid != shellUid) &&
+            !PermissionCache::checkPermission(String16("android.permission.DUMP"), pid, uid)) {
+            outResult->appendFormat("Permission Denial: can't dump BufferQueueConsumer "
+                                    "from pid=%d, uid=%d\n",
+                                    pid, uid);
+            denied = true;
+        }
+    }
 #else
     if (uid != shellUid) {
+        denied = true;
+    }
 #endif
+    if (denied) {
         android_errorWriteWithInfoLog(0x534e4554, "27046057",
                 static_cast<int32_t>(uid), nullptr, 0);
         return PERMISSION_DENIED;