Clear Binder identity on calls into DreamService.

There are multiple entry points where DreamService is accessed
by the either the System or SystemUI. In these cases, the
Binder identity should be cleared to prevent the DreamService
implementation from running in an elevated state.

Test: atest DreamServiceTest
Fixed: 406895224
Flag: EXEMPT bugfix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c027f365a60228be94ed1323641752ef11566e64)
Merged-In: I8e76f590d6f65ae689f5220b233b7197f2e731b4
Change-Id: I8e76f590d6f65ae689f5220b233b7197f2e731b4

1 files changed, 40 insertions, 9 deletions

diff --git a/core/java/android/service/dreams/DreamService.java b/core/java/android/service/dreams/DreamService.java
index df3b8baa40c8..50a646284a8e 100644
--- a/core/java/android/service/dreams/DreamService.java
+++ b/core/java/android/service/dreams/DreamService.java
@@ -1211,13 +1211,23 @@ public class DreamService extends Service implements Window.Callback {
         mOverlayCallback = new IDreamOverlayCallback.Stub() {
             @Override
             public void onExitRequested() {
-                // Simply finish dream when exit is requested.
-                mHandler.post(() -> finishInternal());
+                final long token = Binder.clearCallingIdentity();
+                try {
+                    // Simply finish dream when exit is requested.
+                    mHandler.post(() -> finishInternal());
+                } finally {
+                    Binder.restoreCallingIdentity(token);
+                }
             }
 
             @Override
             public void onRedirectWake(boolean redirect) {
-                mRedirectWake = redirect;
+                final long token = Binder.clearCallingIdentity();
+                try {
+                    mRedirectWake = redirect;
+                } finally {
+                    Binder.restoreCallingIdentity(token);
+                }
             }
         };
 
@@ -1883,25 +1893,46 @@ public class DreamService extends Service implements Window.Callback {
         @Override
         public void attach(final IBinder dreamToken, final boolean canDoze,
                 final boolean isPreviewMode, IRemoteCallback started) {
-            post(dreamService -> dreamService.attach(dreamToken, canDoze, isPreviewMode, started));
+            final long token = Binder.clearCallingIdentity();
+            try {
+                post(dreamService -> dreamService.attach(dreamToken, canDoze, isPreviewMode,
+                        started));
+            } finally {
+                Binder.restoreCallingIdentity(token);
+            }
         }
 
         @Override
         public void detach() {
-            post(DreamService::detach);
+            final long token = Binder.clearCallingIdentity();
+            try {
+                post(DreamService::detach);
+            } finally {
+                Binder.restoreCallingIdentity(token);
+            }
         }
 
         @Override
         public void wakeUp() {
-            post(dreamService -> dreamService.wakeUp(true /*fromSystem*/));
+            final long token = Binder.clearCallingIdentity();
+            try {
+                post(dreamService -> dreamService.wakeUp(true /*fromSystem*/));
+            } finally {
+                Binder.restoreCallingIdentity(token);
+            }
         }
 
         @Override
         public void comeToFront() {
-            if (!dreamHandlesBeingObscured()) {
-                return;
+            final long token = Binder.clearCallingIdentity();
+            try {
+                if (!dreamHandlesBeingObscured()) {
+                    return;
+                }
+                post(DreamService::comeToFront);
+            } finally {
+                Binder.restoreCallingIdentity(token);
             }
-            post(DreamService::comeToFront);
         }
     }