From 52c2856394ac8010ff3eba09ee385709d510953b Mon Sep 17 00:00:00 2001 From: Yohei Yukawa Date: Sat, 19 Jan 2019 11:49:37 -0800 Subject: [PATCH] DO NOT MERGE back porting for fixing sysui direct reply Root cause: systemui run as user 0 service to handle all of users' notifications. And, the users can user the copy/cut/paste functionality. Solution: To crate @hide API in TextView let SystemUI to mark the TextView instance should check if the power of INTERACT_ACROSS_USER_FULL is needed to be restricted. e.x. Keyguard password textview/Notificaiton entries Bug: 123232892 Test: manual test Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139 Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393 Reference: I975baa748c821538e5a733bb98a33ac609bf40a7 Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139 Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937 Merged-In: I6d11e4d6a84570bc2991a8552349e8b216b0d139 (cherry picked from commit 08aae90860c4ece4d3448b32a31e5417c8490b47) --- core/java/android/widget/TextView.java | 53 ++++++++++++++++++++++ .../com/android/keyguard/KeyguardPasswordView.java | 2 + .../systemui/statusbar/policy/RemoteInputView.java | 1 + 3 files changed, 56 insertions(+) diff --git a/core/java/android/widget/TextView.java b/core/java/android/widget/TextView.java index 9826fa0b94a1..d892307f62b9 100644 --- a/core/java/android/widget/TextView.java +++ b/core/java/android/widget/TextView.java @@ -16,6 +16,7 @@ package android.widget; +import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL; import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_ARG_LENGTH; import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_ARG_START_INDEX; import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_KEY; @@ -28,11 +29,13 @@ import android.annotation.FloatRange; import android.annotation.IntDef; import android.annotation.NonNull; import android.annotation.Nullable; +import android.annotation.RequiresPermission; import android.annotation.Size; import android.annotation.StringRes; import android.annotation.StyleRes; import android.annotation.XmlRes; import android.app.Activity; +import android.app.ActivityManager; import android.app.assist.AssistStructure; import android.content.ClipData; import android.content.ClipDescription; @@ -66,6 +69,7 @@ import android.os.Parcel; import android.os.Parcelable; import android.os.ParcelableParcel; import android.os.SystemClock; +import android.os.UserHandle; import android.provider.Settings; import android.text.BoringLayout; import android.text.DynamicLayout; @@ -686,6 +690,19 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener private InputFilter[] mFilters = NO_FILTERS; + /** + * To keep the information to indicate if there is necessary to restrict the power of + * INTERACT_ACROSS_USERS_FULL. + *

+ * SystemUI always run as user 0 to process all of direct reply. SystemUI has the poer of + * INTERACT_ACROSS_USERS_FULL. However, all of the notifications not only belong to user 0 but + * also to the other users in multiple user environment. + *

+ * + * @see #setRestrictedAcrossUser(boolean) + */ + private boolean mIsRestrictedAcrossUser; + private volatile Locale mCurrentSpellCheckerLocaleCache; // It is possible to have a selection even when mEditor is null (programmatically set, like when @@ -10041,6 +10058,24 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener } /** + * To notify the TextView to restricted the power of the app granted INTERACT_ACROSS_USERS_FULL + * permission. + *

+ * Most of applications should not granted the INTERACT_ACROSS_USERS_FULL permssion. + * SystemUI is the special one that run in user 0 process to handle multiple user notification. + * Unforunately, the power of INTERACT_ACROSS_USERS_FULL should be limited or restricted for + * preventing from information leak.

+ *

This function call is called for SystemUI Keyguard and Notification.

+ * + * @param isRestricted is true if the power of INTERACT_ACROSS_USERS_FULL should be limited. + * @hide + */ + @RequiresPermission(INTERACT_ACROSS_USERS_FULL) + public final void setRestrictedAcrossUser(boolean isRestricted) { + mIsRestrictedAcrossUser = isRestricted; + } + + /** * This is a temporary method. Future versions may support multi-locale text. * Caveat: This method may not return the latest text services locale, but this should be * acceptable and it's more important to make this method asynchronous. @@ -11073,6 +11108,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener } boolean canCut() { + if (mIsRestrictedAcrossUser + && UserHandle.myUserId() != ActivityManager.getCurrentUser()) { + // When it's restricted, and the curren user is not the process user. It can't cut + // because it may cut the text of the user 10 into the clipboard of user 0. + return false; + } if (hasPasswordTransformationMethod()) { return false; } @@ -11086,6 +11127,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener } boolean canCopy() { + if (mIsRestrictedAcrossUser + && UserHandle.myUserId() != ActivityManager.getCurrentUser()) { + // When it's restricted, and the curren user is not the process user. It can't copy + // because it may copy the text of the user 10 to the clipboard of user 0. + return false; + } if (hasPasswordTransformationMethod()) { return false; } @@ -11115,6 +11162,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener } boolean canPaste() { + if (mIsRestrictedAcrossUser + && UserHandle.myUserId() != ActivityManager.getCurrentUser()) { + // When it's restricted, and the curren user is not the process user. It can't paste + // because it may copy the text from the user 0 clipboard in current user is 10. + return false; + } return (mText instanceof Editable && mEditor != null && mEditor.mKeyListener != null && getSelectionStart() >= 0 diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java index b6184a883210..4f6d15165fcd 100644 --- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java +++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java @@ -79,6 +79,7 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView @Override protected void resetState() { + mPasswordEntry.setRestrictedAcrossUser(true); mSecurityMessageDisplay.setMessage(""); final boolean wasDisabled = mPasswordEntry.isEnabled(); setPasswordEntryEnabled(true); @@ -175,6 +176,7 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView Context.INPUT_METHOD_SERVICE); mPasswordEntry = findViewById(getPasswordTextViewId()); + mPasswordEntry.setRestrictedAcrossUser(true); mPasswordEntryDisabler = new TextViewInputDisabler(mPasswordEntry); mPasswordEntry.setKeyListener(TextKeyListener.getInstance()); mPasswordEntry.setInputType(InputType.TYPE_CLASS_TEXT diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java b/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java index ad78b3a01662..da384ec359f4 100644 --- a/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java +++ b/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java @@ -179,6 +179,7 @@ public class RemoteInputView extends LinearLayout implements View.OnClickListene LayoutInflater.from(context).inflate(R.layout.remote_input, root, false); v.mController = controller; v.mEntry = entry; + v.mEditText.setRestrictedAcrossUser(true); v.setTag(VIEW_TAG); return v; -- 2.11.0