DO NOT MERGE back porting for fixing sysui direct reply

Root cause: systemui run as user 0 service to handle all of users' notifications. And, the users can user the copy/cut/paste functionality. Solution: To crate @hide API in TextView let SystemUI to mark the TextView instance should check if the power of INTERACT_ACROSS_USER_FULL is needed to be restricted. e.x. Keyguard password textview/Notificaiton entries Bug: 123232892 Test: manual test Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139 Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393 Reference: I975baa748c821538e5a733bb98a33ac609bf40a7 Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139 Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937 Merged-In: I6d11e4d6a84570bc2991a8552349e8b216b0d139
2019-01-19 11:49:37 -08:00
parent 88c651eab1
commit 08aae90860
3 changed files with 56 additions and 0 deletions
--- a/core/java/android/widget/TextView.java
+++ b/core/java/android/widget/TextView.java
@@ -16,6 +16,7 @@

 package android.widget;

+import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
 import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_ARG_LENGTH;
 import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_ARG_START_INDEX;
 import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_KEY;
@@ -28,11 +29,13 @@ import android.annotation.FloatRange;
 import android.annotation.IntDef;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.RequiresPermission;
 import android.annotation.Size;
 import android.annotation.StringRes;
 import android.annotation.StyleRes;
 import android.annotation.XmlRes;
 import android.app.Activity;
+import android.app.ActivityManager;
 import android.app.assist.AssistStructure;
 import android.content.ClipData;
 import android.content.ClipDescription;
@@ -66,6 +69,7 @@ import android.os.Parcel;
 import android.os.Parcelable;
 import android.os.ParcelableParcel;
 import android.os.SystemClock;
+import android.os.UserHandle;
 import android.provider.Settings;
 import android.text.BoringLayout;
 import android.text.DynamicLayout;
@@ -684,6 +688,19 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener

    private InputFilter[] mFilters = NO_FILTERS;

+    /**
+     * To keep the information to indicate if there is necessary to restrict the power of
+     * INTERACT_ACROSS_USERS_FULL.
+     * <p>
+     * SystemUI always run as user 0 to process all of direct reply. SystemUI has the poer of
+     * INTERACT_ACROSS_USERS_FULL. However, all of the notifications not only belong to user 0 but
+     * also to the other users in multiple user environment.
+     * </p>
+     *
+     * @see #setRestrictedAcrossUser(boolean)
+     */
+    private boolean mIsRestrictedAcrossUser;
+
    private volatile Locale mCurrentSpellCheckerLocaleCache;

    // It is possible to have a selection even when mEditor is null (programmatically set, like when
@@ -10035,6 +10052,24 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
                : mCurrentSpellCheckerLocaleCache;
    }

+    /**
+     * To notify the TextView to restricted the power of the app granted INTERACT_ACROSS_USERS_FULL
+     * permission.
+     * <p>
+     * Most of applications should not granted the INTERACT_ACROSS_USERS_FULL permssion.
+     * SystemUI is the special one that run in user 0 process to handle multiple user notification.
+     * Unforunately, the power of INTERACT_ACROSS_USERS_FULL should be limited or restricted for
+     * preventing from information leak.</p>
+     * <p>This function call is called for SystemUI Keyguard and Notification.</p>
+     *
+     * @param isRestricted is true if the power of INTERACT_ACROSS_USERS_FULL should be limited.
+     * @hide
+     */
+    @RequiresPermission(INTERACT_ACROSS_USERS_FULL)
+    public final void setRestrictedAcrossUser(boolean isRestricted) {
+        mIsRestrictedAcrossUser = isRestricted;
+    }
+
    /**
     * This is a temporary method. Future versions may support multi-locale text.
     * Caveat: This method may not return the latest text services locale, but this should be
@@ -11055,6 +11090,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
    }

    boolean canCut() {
+        if (mIsRestrictedAcrossUser
+                && UserHandle.myUserId() != ActivityManager.getCurrentUser()) {
+            // When it's restricted, and the curren user is not the process user. It can't cut
+            // because it may cut the text of the user 10 into the clipboard of user 0.
+            return false;
+        }
        if (hasPasswordTransformationMethod()) {
            return false;
        }
@@ -11068,6 +11109,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
    }

    boolean canCopy() {
+        if (mIsRestrictedAcrossUser
+                && UserHandle.myUserId() != ActivityManager.getCurrentUser()) {
+            // When it's restricted, and the curren user is not the process user. It can't copy
+            // because it may copy the text of the user 10 to the clipboard of user 0.
+            return false;
+        }
        if (hasPasswordTransformationMethod()) {
            return false;
        }
@@ -11097,6 +11144,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
    }

    boolean canPaste() {
+        if (mIsRestrictedAcrossUser
+                && UserHandle.myUserId() != ActivityManager.getCurrentUser()) {
+            // When it's restricted, and the curren user is not the process user. It can't paste
+            // because it may copy the text from the user 0 clipboard in current user is 10.
+            return false;
+        }
        return (mText instanceof Editable
                && mEditor != null && mEditor.mKeyListener != null
                && getSelectionStart() >= 0
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
@@ -79,6 +79,7 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView

    @Override
    protected void resetState() {
+        mPasswordEntry.setRestrictedAcrossUser(true);
        mSecurityMessageDisplay.setMessage("");
        final boolean wasDisabled = mPasswordEntry.isEnabled();
        setPasswordEntryEnabled(true);
@@ -175,6 +176,7 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView
                Context.INPUT_METHOD_SERVICE);

        mPasswordEntry = findViewById(getPasswordTextViewId());
+        mPasswordEntry.setRestrictedAcrossUser(true);
        mPasswordEntryDisabler = new TextViewInputDisabler(mPasswordEntry);
        mPasswordEntry.setKeyListener(TextKeyListener.getInstance());
        mPasswordEntry.setInputType(InputType.TYPE_CLASS_TEXT
--- a/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java
@@ -176,6 +176,7 @@ public class RemoteInputView extends LinearLayout implements View.OnClickListene
                LayoutInflater.from(context).inflate(R.layout.remote_input, root, false);
        v.mController = controller;
        v.mEntry = entry;
+        v.mEditText.setRestrictedAcrossUser(true);
        v.setTag(VIEW_TAG);

        return v;