From ddea19d996fbfff3a23b264725c65222907ccaab Mon Sep 17 00:00:00 2001
From: Daniel Norman
Date: Wed, 21 May 2025 01:49:29 +0000
Subject: [SP 2025-09-01] cleanup: Fix permission protection of setObservedMotionEventSources

The previous permission protection was done inside a Binder clear identity call, meaning that it used the permissions of system_server instead of the permissions of the calling AccessibilityService.

Bug: 419110583
Test: atest AccessibilityServiceInfoTest
Flag: EXEMPT security bugfix
Change-Id: If64838388fa31bdc9abb0896d4011bfef8501a7c
---
 .../AbstractAccessibilityServiceConnection.java | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java b/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java
index aae8879e9199..4e0db2282ffd 100644
--- a/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java
+++ b/services/accessibility/java/com/android/server/accessibility/AbstractAccessibilityServiceConnection.java
@@ -16,6 +16,7 @@
 package com.android.server.accessibility;
+import static android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING;
 import static android.accessibilityservice.AccessibilityService.ACCESSIBILITY_TAKE_SCREENSHOT_REQUEST_INTERVAL_TIMES_MS;
 import static android.accessibilityservice.AccessibilityService.KEY_ACCESSIBILITY_SCREENSHOT_COLORSPACE;
 import static android.accessibilityservice.AccessibilityService.KEY_ACCESSIBILITY_SCREENSHOT_HARDWAREBUFFER;
@@ -420,19 +421,7 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ
 mNotificationTimeout = info.notificationTimeout;
 mIsDefault = (info.flags & DEFAULT) != 0;
 mGenericMotionEventSources = info.getMotionEventSources();
- if (android.view.accessibility.Flags.motionEventObserving()) {
- if (mContext.checkCallingOrSelfPermission(
- android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING)
- == PackageManager.PERMISSION_GRANTED) {
- mObservedMotionEventSources = info.getObservedMotionEventSources();
- } else {
- Slog.e(
- LOG_TAG,
- "Observing motion events requires"
- + " android.Manifest.permission.ACCESSIBILITY_MOTION_EVENT_OBSERVING.");
- mObservedMotionEventSources = 0;
- }
- }
+ mObservedMotionEventSources = info.getObservedMotionEventSources();
 if (supportsFlagForNotImportantViews(info)) {
 if ((info.flags & AccessibilityServiceInfo.FLAG_INCLUDE_NOT_IMPORTANT_VIEWS) != 0) {
@@ -531,6 +520,13 @@ abstract class AbstractAccessibilityServiceConnection extends IAccessibilityServ
 throw new IllegalStateException(
 "Cannot update service info: size is larger than safe parcelable limits.");
 }
+ if (info.getObservedMotionEventSources() != 0
+ && mContext.checkCallingPermission(ACCESSIBILITY_MOTION_EVENT_OBSERVING)
+ != PackageManager.PERMISSION_GRANTED) {
+ Slog.e(LOG_TAG, "Observing motion events requires permission "
+ + ACCESSIBILITY_MOTION_EVENT_OBSERVING);
+ info.setObservedMotionEventSources(0);
+ }
 final long identity = Binder.clearCallingIdentity();
 try {
 synchronized (mLock) {
-- cgit v1.2.3-59-g8ed1b
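Review bot: The new assignment `mObservedMotionEventSources = info.getObservedMotionEventSources();` trusts whatever `info` carries, so the permission gate for motion-event observing now lives entirely in the callers of this method, and nothing at this line says so. I would add a comment above it such as `// No permission check here: callers must already have zeroed observed sources for services lacking ACCESSIBILITY_MOTION_EVENT_OBSERVING.` If any other path reaches this method with an AccessibilityServiceInfo that did not pass through the Binder-side check added in the last hunk of this diff (not visible from here, so this needs confirming), the observed sources would be applied unchecked. The removed block was also gated on `Flags.motionEventObserving()`, so the field is now written even with that flag off; it is worth confirming that the consumers of the field still honour the flag. The enclosing method starts and ends outside the hunk.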
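Review bot: The denial branch in the `@@ -531,6 +520,13 @@` hunk logs only the permission name, so someone auditing logs cannot tell which service asked to observe motion events without holding the permission; consider `Slog.e(LOG_TAG, "Observing motion events requires permission " + ACCESSIBILITY_MOTION_EVENT_OBSERVING + "; denied for uid " + Binder.getCallingUid());`. The check is only correct while it stays above `Binder.clearCallingIdentity()`, which is exactly what this commit repairs, so a one-line comment such as `// Keep above clearCallingIdentity(): checkCallingPermission() evaluates the Binder caller.` would guard against a later reorder. `checkCallingPermission` also denies when no IPC is being handled, so an in-process caller of this method would have its observed sources zeroed with only a log line; that is fail-closed, but it should be stated in the method's Javadoc. The enclosing method starts and ends outside the hunk.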