[SP 2025-09-01] cleanup: Fix permission protection of setObservedMotionEventSourcesbanksia-dev

The previous permission protection was done inside a Binder clear identity call, meaning that it used the permissions of system_server instead of the permissions of the calling AccessibilityService. Bug: 419110583 Test: atest AccessibilityServiceInfoTest Flag: EXEMPT security bugfix Change-Id: If64838388fa31bdc9abb0896d4011bfef8501a7c
author: Daniel Norman <danielnorman@google.com> 2025-05-21 01:49:29 +0000
committer: Kampalus <kampalus@protonmail.ch> 2025-09-18 11:45:27 +0200
commit: ddea19d996fbfff3a23b264725c65222907ccaab (patch)
tree: e1ca9ff35ecb615dc5b791630ed26c32eb4144b6 /services
parent: 84851775404819f621db56bee4c0b75e2868d5c0 (diff)
1 files changed, 9 insertions, 13 deletions
diff --git a/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java b/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java
index aae8879e9199..4e0db2282ffd 100644
--- a/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java
+++ b/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java
@@ -16,6 +16,7 @@
 
 package com.android.server.accessibility;
 
+import static android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING;
 import static android.accessibilityservice.AccessibilityService.ACCESSIBILITY_TAKE_SCREENSHOT_REQUEST_INTERVAL_TIMES_MS;
 import static android.accessibilityservice.AccessibilityService.KEY_ACCESSIBILITY_SCREENSHOT_COLORSPACE;
 import static android.accessibilityservice.AccessibilityService.KEY_ACCESSIBILITY_SCREENSHOT_HARDWAREBUFFER;
@@ -420,19 +421,7 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ
         mNotificationTimeout = info.notificationTimeout;
         mIsDefault = (info.flags & DEFAULT) != 0;
         mGenericMotionEventSources = info.getMotionEventSources();
-        if (android.view.accessibility.Flags.motionEventObserving()) {
-            if (mContext.checkCallingOrSelfPermission(
-                            android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING)
-                    == PackageManager.PERMISSION_GRANTED) {
-                mObservedMotionEventSources = info.getObservedMotionEventSources();
-            } else {
-                Slog.e(
-                        LOG_TAG,
-                        "Observing motion events requires"
-                            + " android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING.");
-                mObservedMotionEventSources = 0;
-            }
-        }
+        mObservedMotionEventSources = info.getObservedMotionEventSources();
 
         if (supportsFlagForNotImportantViews(info)) {
             if ((info.flags & AccessibilityServiceInfo.FLAG_INCLUDE_NOT_IMPORTANT_VIEWS) != 0) {
@@ -531,6 +520,13 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ
             throw new IllegalStateException(
                     "Cannot update service info: size is larger than safe parcelable limits.");
         }
+        if (info.getObservedMotionEventSources() != 0
+                && mContext.checkCallingPermission(ACCESSIBILITY_MOTION_EVENT_OBSERVING)
+                != PackageManager.PERMISSION_GRANTED) {
+            Slog.e(LOG_TAG, "Observing motion events requires permission "
+                    + ACCESSIBILITY_MOTION_EVENT_OBSERVING);
+            info.setObservedMotionEventSources(0);
+        }
         final long identity = Binder.clearCallingIdentity();
         try {
             synchronized (mLock) {
author	Daniel Norman <danielnorman@google.com>	2025-05-21 01:49:29 +0000
committer	Kampalus <kampalus@protonmail.ch>	2025-09-18 11:45:27 +0200
commit	ddea19d996fbfff3a23b264725c65222907ccaab (patch)
tree	e1ca9ff35ecb615dc5b791630ed26c32eb4144b6 /services
parent	84851775404819f621db56bee4c0b75e2868d5c0 (diff)