From 2945b46dd7e8346fa6228067683ac57a2a338e86 Mon Sep 17 00:00:00 2001
From: Daniel Norman <danielnorman@google.com>
Date: Fri, 14 Jul 2023 15:23:38 -0700
Subject: Stop non-tool A11yServices from injecting gestures onto sensitive
 views.

Sensitive views should continue responding to gestures injected by
Accessibility Tools.

Bug: 284180538
Flag: android.view.accessibility.prevent_a11y_nontool_from_injecting_into_sensitive_views
Test: atest AccessibilityEndToEndTest (CTS)
Test: atest MotionEventInjectorTest
Test: atest AccessibilityServiceConnectionTest
Test: Manual: Create a test service with isAccessibilityTool=true;
              dispatch a swipe gesture on the Settings >
	      Security & Privacy page; observe swipe is successful.
	      Repeat the above with isAccessibilityTool=false;
	      observe swipe is ignored.
Change-Id: I4298bb86062e25fa6c9e7f077a3016991d8cb91a
---
 .../accessibility/AccessibilityInputFilter.java    |  5 ++-
 .../AccessibilityServiceConnection.java            |  3 +-
 .../server/accessibility/MotionEventInjector.java  | 51 ++++++++++++++++------
 3 files changed, 42 insertions(+), 17 deletions(-)

(limited to 'services/accessibility/java')

diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityInputFilter.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityInputFilter.java
index 79888b051c54..ef01c4a3f515 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityInputFilter.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityInputFilter.java
@@ -33,6 +33,7 @@ import android.os.Looper;
 import android.os.PowerManager;
 import android.os.SystemClock;
 import android.provider.Settings;
+import android.util.Log;
 import android.util.Slog;
 import android.util.SparseArray;
 import android.util.SparseBooleanArray;
@@ -74,9 +75,9 @@ import java.util.StringJoiner;
  */
 class AccessibilityInputFilter extends InputFilter implements EventStreamTransformation {
 
-    private static final String TAG = AccessibilityInputFilter.class.getSimpleName();
+    private static final String TAG = "A11yInputFilter";
 
-    private static final boolean DEBUG = false;
+    private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
 
     /**
      * Flag for enabling the screen magnification feature.
diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java
index a3fe9ec5ea22..6cba3633b940 100644
--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java
+++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityServiceConnection.java
@@ -554,7 +554,8 @@ class AccessibilityServiceConnection extends AbstractAccessibilityServiceConnect
                     if (motionEventInjector != null
                             && mWindowManagerService.isTouchOrFaketouchDevice()) {
                         motionEventInjector.injectEvents(
-                                gestureSteps.getList(), mClient, sequence, displayId);
+                                gestureSteps.getList(), mClient, sequence, displayId,
+                                mAccessibilityServiceInfo.isAccessibilityTool());
                     } else {
                         try {
                             if (svcClientTracingEnabled()) {
diff --git a/services/accessibility/java/com/android/server/accessibility/MotionEventInjector.java b/services/accessibility/java/com/android/server/accessibility/MotionEventInjector.java
index 5cbd1a208ce1..b2169535d0de 100644
--- a/services/accessibility/java/com/android/server/accessibility/MotionEventInjector.java
+++ b/services/accessibility/java/com/android/server/accessibility/MotionEventInjector.java
@@ -105,12 +105,14 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
      * either complete or cancelled.
      */
     public void injectEvents(List<GestureStep> gestureSteps,
-            IAccessibilityServiceClient serviceInterface, int sequence, int displayId) {
+            IAccessibilityServiceClient serviceInterface, int sequence, int displayId,
+            boolean fromAccessibilityTool) {
         SomeArgs args = SomeArgs.obtain();
         args.arg1 = gestureSteps;
         args.arg2 = serviceInterface;
         args.argi1 = sequence;
         args.argi2 = displayId;
+        args.argi3 = fromAccessibilityTool ? 1 : 0;
         mHandler.sendMessage(mHandler.obtainMessage(MESSAGE_INJECT_EVENTS, args));
     }
 
@@ -132,9 +134,11 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
             return;
         }
         cancelAnyPendingInjectedEvents();
-        // Indicate that the input event is injected from accessibility, to let applications
-        // distinguish it from events injected by other means.
-        policyFlags |= WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY;
+        if (!android.view.accessibility.Flags.preventA11yNontoolFromInjectingIntoSensitiveViews()) {
+            // Indicate that the input event is injected from accessibility, to let applications
+            // distinguish it from events injected by other means.
+            policyFlags |= WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY;
+        }
         sendMotionEventToNext(event, rawEvent, policyFlags);
     }
 
@@ -159,8 +163,12 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
     public boolean handleMessage(Message message) {
         if (message.what == MESSAGE_INJECT_EVENTS) {
             SomeArgs args = (SomeArgs) message.obj;
-            injectEventsMainThread((List<GestureStep>) args.arg1,
-                    (IAccessibilityServiceClient) args.arg2, args.argi1, args.argi2);
+            injectEventsMainThread(
+                    /*gestureSteps=*/(List<GestureStep>) args.arg1,
+                    /*serviceInterface=*/(IAccessibilityServiceClient) args.arg2,
+                    /*sequence=*/args.argi1,
+                    /*displayId=*/args.argi2,
+                    /*fromAccessibilityTool=*/args.argi3 == 1);
             args.recycle();
             return true;
         }
@@ -169,9 +177,15 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
             return false;
         }
         MotionEvent motionEvent = (MotionEvent) message.obj;
-        sendMotionEventToNext(motionEvent, motionEvent,
-                WindowManagerPolicyConstants.FLAG_PASS_TO_USER
-                | WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY);
+        int policyFlags = WindowManagerPolicyConstants.FLAG_PASS_TO_USER
+                | WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY;
+        if (android.view.accessibility.Flags.preventA11yNontoolFromInjectingIntoSensitiveViews()) {
+            boolean fromAccessibilityTool = message.arg2 == 1;
+            if (fromAccessibilityTool) {
+                policyFlags |= WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY_TOOL;
+            }
+        }
+        sendMotionEventToNext(motionEvent, motionEvent, policyFlags);
         boolean isEndOfSequence = message.arg1 != 0;
         if (isEndOfSequence) {
             notifyService(mServiceInterfaceForCurrentGesture, mSequencesInProgress.get(0), true);
@@ -181,7 +195,8 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
     }
 
     private void injectEventsMainThread(List<GestureStep> gestureSteps,
-            IAccessibilityServiceClient serviceInterface, int sequence, int displayId) {
+            IAccessibilityServiceClient serviceInterface, int sequence, int displayId,
+            boolean fromAccessibilityTool) {
         if (mIsDestroyed) {
             try {
                 serviceInterface.onPerformGestureResult(sequence, false);
@@ -228,7 +243,8 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
             event.setDisplayId(displayId);
             int isEndOfSequence = (i == events.size() - 1) ? 1 : 0;
             Message message = mHandler.obtainMessage(
-                    MESSAGE_SEND_MOTION_EVENT, isEndOfSequence, 0, event);
+                    MESSAGE_SEND_MOTION_EVENT, isEndOfSequence,
+                    fromAccessibilityTool ? 1 : 0, event);
             mLastScheduledEventTime = event.getEventTime();
             mHandler.sendMessageDelayed(message, Math.max(0, event.getEventTime() - currentTime));
         }
@@ -322,9 +338,16 @@ public class MotionEventInjector extends BaseEventStreamTransformation implement
             long now = SystemClock.uptimeMillis();
             MotionEvent cancelEvent =
                     obtainMotionEvent(now, now, MotionEvent.ACTION_CANCEL, getLastTouchPoints(), 1);
-            sendMotionEventToNext(cancelEvent, cancelEvent,
-                    WindowManagerPolicyConstants.FLAG_PASS_TO_USER
-                    | WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY);
+            int policyFlags = WindowManagerPolicyConstants.FLAG_PASS_TO_USER
+                    | WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY;
+            if (android.view.accessibility.Flags
+                    .preventA11yNontoolFromInjectingIntoSensitiveViews()) {
+                // ACTION_CANCEL events are internal system details for event stream state
+                // management and not used for performing new actions, so always treat them as
+                // originating from an accessibility tool.
+                policyFlags |= WindowManagerPolicyConstants.FLAG_INJECTED_FROM_ACCESSIBILITY_TOOL;
+            }
+            sendMotionEventToNext(cancelEvent, cancelEvent, policyFlags);
             mOpenGesturesInProgress.put(source, false);
         }
     }
-- 
cgit v1.2.3-59-g8ed1b