1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include <android/content/pm/IPackageManagerNative.h>
17 #include <binder/ActivityManager.h>
18 #include <binder/BinderService.h>
19 #include <binder/IServiceManager.h>
20 #include <binder/PermissionCache.h>
21 #include <binder/PermissionController.h>
22 #include <cutils/ashmem.h>
23 #include <cutils/misc.h>
24 #include <cutils/properties.h>
25 #include <hardware/sensors.h>
26 #include <hardware_legacy/power.h>
27 #include <log/log.h>
28 #include <openssl/digest.h>
29 #include <openssl/hmac.h>
30 #include <openssl/rand.h>
31 #include <sensor/SensorEventQueue.h>
32 #include <sensorprivacy/SensorPrivacyManager.h>
33 #include <utils/SystemClock.h>
34
35 #include "BatteryService.h"
36 #include "CorrectedGyroSensor.h"
37 #include "GravitySensor.h"
38 #include "LinearAccelerationSensor.h"
39 #include "OrientationSensor.h"
40 #include "RotationVectorSensor.h"
41 #include "SensorFusion.h"
42 #include "SensorInterface.h"
43
44 #include "SensorService.h"
45 #include "SensorDirectConnection.h"
46 #include "SensorEventAckReceiver.h"
47 #include "SensorEventConnection.h"
48 #include "SensorRecord.h"
49 #include "SensorRegistrationInfo.h"
50
51 #include <ctime>
52 #include <inttypes.h>
53 #include <math.h>
54 #include <sched.h>
55 #include <stdint.h>
56 #include <sys/socket.h>
57 #include <sys/stat.h>
58 #include <sys/types.h>
59 #include <unistd.h>
60
61 #include <private/android_filesystem_config.h>
62
63 namespace android {
64 // ---------------------------------------------------------------------------
65
66 /*
67 * Notes:
68 *
69 * - what about a gyro-corrected magnetic-field sensor?
70 * - run mag sensor from time to time to force calibration
71 * - gravity sensor length is wrong (=> drift in linear-acc sensor)
72 *
73 */
74
75 const char* SensorService::WAKE_LOCK_NAME = "SensorService_wakelock";
76 uint8_t SensorService::sHmacGlobalKey[128] = {};
77 bool SensorService::sHmacGlobalKeyIsValid = false;
78 std::map<String16, int> SensorService::sPackageTargetVersion;
79 Mutex SensorService::sPackageTargetVersionLock;
80 AppOpsManager SensorService::sAppOpsManager;
81
82 #define SENSOR_SERVICE_DIR "/data/system/sensor_service"
83 #define SENSOR_SERVICE_HMAC_KEY_FILE SENSOR_SERVICE_DIR "/hmac_key"
84 #define SENSOR_SERVICE_SCHED_FIFO_PRIORITY 10
85
86 // Permissions.
87 static const String16 sDumpPermission("android.permission.DUMP");
88 static const String16 sLocationHardwarePermission("android.permission.LOCATION_HARDWARE");
89 static const String16 sManageSensorsPermission("android.permission.MANAGE_SENSORS");
90
SensorService()91 SensorService::SensorService()
92 : mInitCheck(NO_INIT), mSocketBufferSize(SOCKET_BUFFER_SIZE_NON_BATCHED),
93 mWakeLockAcquired(false) {
94 mUidPolicy = new UidPolicy(this);
95 mSensorPrivacyPolicy = new SensorPrivacyPolicy(this);
96 }
97
initializeHmacKey()98 bool SensorService::initializeHmacKey() {
99 int fd = open(SENSOR_SERVICE_HMAC_KEY_FILE, O_RDONLY|O_CLOEXEC);
100 if (fd != -1) {
101 int result = read(fd, sHmacGlobalKey, sizeof(sHmacGlobalKey));
102 close(fd);
103 if (result == sizeof(sHmacGlobalKey)) {
104 return true;
105 }
106 ALOGW("Unable to read HMAC key; generating new one.");
107 }
108
109 if (RAND_bytes(sHmacGlobalKey, sizeof(sHmacGlobalKey)) == -1) {
110 ALOGW("Can't generate HMAC key; dynamic sensor getId() will be wrong.");
111 return false;
112 }
113
114 // We need to make sure this is only readable to us.
115 bool wroteKey = false;
116 mkdir(SENSOR_SERVICE_DIR, S_IRWXU);
117 fd = open(SENSOR_SERVICE_HMAC_KEY_FILE, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC,
118 S_IRUSR|S_IWUSR);
119 if (fd != -1) {
120 int result = write(fd, sHmacGlobalKey, sizeof(sHmacGlobalKey));
121 close(fd);
122 wroteKey = (result == sizeof(sHmacGlobalKey));
123 }
124 if (wroteKey) {
125 ALOGI("Generated new HMAC key.");
126 } else {
127 ALOGW("Unable to write HMAC key; dynamic sensor getId() will change "
128 "after reboot.");
129 }
130 // Even if we failed to write the key we return true, because we did
131 // initialize the HMAC key.
132 return true;
133 }
134
135 // Set main thread to SCHED_FIFO to lower sensor event latency when system is under load
enableSchedFifoMode()136 void SensorService::enableSchedFifoMode() {
137 struct sched_param param = {0};
138 param.sched_priority = SENSOR_SERVICE_SCHED_FIFO_PRIORITY;
139 if (sched_setscheduler(getTid(), SCHED_FIFO | SCHED_RESET_ON_FORK, ¶m) != 0) {
140 ALOGE("Couldn't set SCHED_FIFO for SensorService thread");
141 }
142 }
143
onFirstRef()144 void SensorService::onFirstRef() {
145 ALOGD("nuSensorService starting...");
146 SensorDevice& dev(SensorDevice::getInstance());
147
148 sHmacGlobalKeyIsValid = initializeHmacKey();
149
150 if (dev.initCheck() == NO_ERROR) {
151 sensor_t const* list;
152 ssize_t count = dev.getSensorList(&list);
153 if (count > 0) {
154 ssize_t orientationIndex = -1;
155 bool hasGyro = false, hasAccel = false, hasMag = false;
156 uint32_t virtualSensorsNeeds =
157 (1<<SENSOR_TYPE_GRAVITY) |
158 (1<<SENSOR_TYPE_LINEAR_ACCELERATION) |
159 (1<<SENSOR_TYPE_ROTATION_VECTOR) |
160 (1<<SENSOR_TYPE_GEOMAGNETIC_ROTATION_VECTOR) |
161 (1<<SENSOR_TYPE_GAME_ROTATION_VECTOR);
162
163 for (ssize_t i=0 ; i<count ; i++) {
164 bool useThisSensor=true;
165
166 switch (list[i].type) {
167 case SENSOR_TYPE_ACCELEROMETER:
168 hasAccel = true;
169 break;
170 case SENSOR_TYPE_MAGNETIC_FIELD:
171 hasMag = true;
172 break;
173 case SENSOR_TYPE_ORIENTATION:
174 orientationIndex = i;
175 break;
176 case SENSOR_TYPE_GYROSCOPE:
177 case SENSOR_TYPE_GYROSCOPE_UNCALIBRATED:
178 hasGyro = true;
179 break;
180 case SENSOR_TYPE_GRAVITY:
181 case SENSOR_TYPE_LINEAR_ACCELERATION:
182 case SENSOR_TYPE_ROTATION_VECTOR:
183 case SENSOR_TYPE_GEOMAGNETIC_ROTATION_VECTOR:
184 case SENSOR_TYPE_GAME_ROTATION_VECTOR:
185 if (IGNORE_HARDWARE_FUSION) {
186 useThisSensor = false;
187 } else {
188 virtualSensorsNeeds &= ~(1<<list[i].type);
189 }
190 break;
191 }
192 if (useThisSensor) {
193 registerSensor( new HardwareSensor(list[i]) );
194 }
195 }
196
197 // it's safe to instantiate the SensorFusion object here
198 // (it wants to be instantiated after h/w sensors have been
199 // registered)
200 SensorFusion::getInstance();
201
202 if (hasGyro && hasAccel && hasMag) {
203 // Add Android virtual sensors if they're not already
204 // available in the HAL
205 bool needRotationVector =
206 (virtualSensorsNeeds & (1<<SENSOR_TYPE_ROTATION_VECTOR)) != 0;
207
208 registerSensor(new RotationVectorSensor(), !needRotationVector, true);
209 registerSensor(new OrientationSensor(), !needRotationVector, true);
210
211 // virtual debugging sensors are not for user
212 registerSensor( new CorrectedGyroSensor(list, count), true, true);
213 registerSensor( new GyroDriftSensor(), true, true);
214 }
215
216 if (hasAccel && hasGyro) {
217 bool needGravitySensor = (virtualSensorsNeeds & (1<<SENSOR_TYPE_GRAVITY)) != 0;
218 registerSensor(new GravitySensor(list, count), !needGravitySensor, true);
219
220 bool needLinearAcceleration =
221 (virtualSensorsNeeds & (1<<SENSOR_TYPE_LINEAR_ACCELERATION)) != 0;
222 registerSensor(new LinearAccelerationSensor(list, count),
223 !needLinearAcceleration, true);
224
225 bool needGameRotationVector =
226 (virtualSensorsNeeds & (1<<SENSOR_TYPE_GAME_ROTATION_VECTOR)) != 0;
227 registerSensor(new GameRotationVectorSensor(), !needGameRotationVector, true);
228 }
229
230 if (hasAccel && hasMag) {
231 bool needGeoMagRotationVector =
232 (virtualSensorsNeeds & (1<<SENSOR_TYPE_GEOMAGNETIC_ROTATION_VECTOR)) != 0;
233 registerSensor(new GeoMagRotationVectorSensor(), !needGeoMagRotationVector, true);
234 }
235
236 // Check if the device really supports batching by looking at the FIFO event
237 // counts for each sensor.
238 bool batchingSupported = false;
239 mSensors.forEachSensor(
240 [&batchingSupported] (const Sensor& s) -> bool {
241 if (s.getFifoMaxEventCount() > 0) {
242 batchingSupported = true;
243 }
244 return !batchingSupported;
245 });
246
247 if (batchingSupported) {
248 // Increase socket buffer size to a max of 100 KB for batching capabilities.
249 mSocketBufferSize = MAX_SOCKET_BUFFER_SIZE_BATCHED;
250 } else {
251 mSocketBufferSize = SOCKET_BUFFER_SIZE_NON_BATCHED;
252 }
253
254 // Compare the socketBufferSize value against the system limits and limit
255 // it to maxSystemSocketBufferSize if necessary.
256 FILE *fp = fopen("/proc/sys/net/core/wmem_max", "r");
257 char line[128];
258 if (fp != nullptr && fgets(line, sizeof(line), fp) != nullptr) {
259 line[sizeof(line) - 1] = '\0';
260 size_t maxSystemSocketBufferSize;
261 sscanf(line, "%zu", &maxSystemSocketBufferSize);
262 if (mSocketBufferSize > maxSystemSocketBufferSize) {
263 mSocketBufferSize = maxSystemSocketBufferSize;
264 }
265 }
266 if (fp) {
267 fclose(fp);
268 }
269
270 mWakeLockAcquired = false;
271 mLooper = new Looper(false);
272 const size_t minBufferSize = SensorEventQueue::MAX_RECEIVE_BUFFER_EVENT_COUNT;
273 mSensorEventBuffer = new sensors_event_t[minBufferSize];
274 mSensorEventScratch = new sensors_event_t[minBufferSize];
275 mMapFlushEventsToConnections = new wp<const SensorEventConnection> [minBufferSize];
276 mCurrentOperatingMode = NORMAL;
277
278 mNextSensorRegIndex = 0;
279 for (int i = 0; i < SENSOR_REGISTRATIONS_BUF_SIZE; ++i) {
280 mLastNSensorRegistrations.push();
281 }
282
283 mInitCheck = NO_ERROR;
284 mAckReceiver = new SensorEventAckReceiver(this);
285 mAckReceiver->run("SensorEventAckReceiver", PRIORITY_URGENT_DISPLAY);
286 run("SensorService", PRIORITY_URGENT_DISPLAY);
287
288 // priority can only be changed after run
289 enableSchedFifoMode();
290
291 // Start watching UID changes to apply policy.
292 mUidPolicy->registerSelf();
293
294 // Start watching sensor privacy changes
295 mSensorPrivacyPolicy->registerSelf();
296 }
297 }
298 }
299
setSensorAccess(uid_t uid,bool hasAccess)300 void SensorService::setSensorAccess(uid_t uid, bool hasAccess) {
301 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
302 for (const sp<SensorEventConnection>& conn : connLock.getActiveConnections()) {
303 if (conn->getUid() == uid) {
304 conn->setSensorAccess(hasAccess);
305 }
306 }
307 }
308
registerSensor(SensorInterface * s,bool isDebug,bool isVirtual)309 const Sensor& SensorService::registerSensor(SensorInterface* s, bool isDebug, bool isVirtual) {
310 int handle = s->getSensor().getHandle();
311 int type = s->getSensor().getType();
312 if (mSensors.add(handle, s, isDebug, isVirtual)){
313 mRecentEvent.emplace(handle, new SensorServiceUtil::RecentEventLogger(type));
314 return s->getSensor();
315 } else {
316 return mSensors.getNonSensor();
317 }
318 }
319
registerDynamicSensorLocked(SensorInterface * s,bool isDebug)320 const Sensor& SensorService::registerDynamicSensorLocked(SensorInterface* s, bool isDebug) {
321 return registerSensor(s, isDebug);
322 }
323
unregisterDynamicSensorLocked(int handle)324 bool SensorService::unregisterDynamicSensorLocked(int handle) {
325 bool ret = mSensors.remove(handle);
326
327 const auto i = mRecentEvent.find(handle);
328 if (i != mRecentEvent.end()) {
329 delete i->second;
330 mRecentEvent.erase(i);
331 }
332 return ret;
333 }
334
registerVirtualSensor(SensorInterface * s,bool isDebug)335 const Sensor& SensorService::registerVirtualSensor(SensorInterface* s, bool isDebug) {
336 return registerSensor(s, isDebug, true);
337 }
338
~SensorService()339 SensorService::~SensorService() {
340 for (auto && entry : mRecentEvent) {
341 delete entry.second;
342 }
343 mUidPolicy->unregisterSelf();
344 mSensorPrivacyPolicy->unregisterSelf();
345 }
346
dump(int fd,const Vector<String16> & args)347 status_t SensorService::dump(int fd, const Vector<String16>& args) {
348 String8 result;
349 if (!PermissionCache::checkCallingPermission(sDumpPermission)) {
350 result.appendFormat("Permission Denial: can't dump SensorService from pid=%d, uid=%d\n",
351 IPCThreadState::self()->getCallingPid(),
352 IPCThreadState::self()->getCallingUid());
353 } else {
354 bool privileged = IPCThreadState::self()->getCallingUid() == 0;
355 if (args.size() > 2) {
356 return INVALID_OPERATION;
357 }
358 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
359 SensorDevice& dev(SensorDevice::getInstance());
360 if (args.size() == 2 && args[0] == String16("restrict")) {
361 // If already in restricted mode. Ignore.
362 if (mCurrentOperatingMode == RESTRICTED) {
363 return status_t(NO_ERROR);
364 }
365 // If in any mode other than normal, ignore.
366 if (mCurrentOperatingMode != NORMAL) {
367 return INVALID_OPERATION;
368 }
369
370 mCurrentOperatingMode = RESTRICTED;
371 // temporarily stop all sensor direct report and disable sensors
372 disableAllSensorsLocked(&connLock);
373 mWhiteListedPackage.setTo(String8(args[1]));
374 return status_t(NO_ERROR);
375 } else if (args.size() == 1 && args[0] == String16("enable")) {
376 // If currently in restricted mode, reset back to NORMAL mode else ignore.
377 if (mCurrentOperatingMode == RESTRICTED) {
378 mCurrentOperatingMode = NORMAL;
379 // enable sensors and recover all sensor direct report
380 enableAllSensorsLocked(&connLock);
381 }
382 if (mCurrentOperatingMode == DATA_INJECTION) {
383 resetToNormalModeLocked();
384 }
385 mWhiteListedPackage.clear();
386 return status_t(NO_ERROR);
387 } else if (args.size() == 2 && args[0] == String16("data_injection")) {
388 if (mCurrentOperatingMode == NORMAL) {
389 dev.disableAllSensors();
390 status_t err = dev.setMode(DATA_INJECTION);
391 if (err == NO_ERROR) {
392 mCurrentOperatingMode = DATA_INJECTION;
393 } else {
394 // Re-enable sensors.
395 dev.enableAllSensors();
396 }
397 mWhiteListedPackage.setTo(String8(args[1]));
398 return NO_ERROR;
399 } else if (mCurrentOperatingMode == DATA_INJECTION) {
400 // Already in DATA_INJECTION mode. Treat this as a no_op.
401 return NO_ERROR;
402 } else {
403 // Transition to data injection mode supported only from NORMAL mode.
404 return INVALID_OPERATION;
405 }
406 } else if (!mSensors.hasAnySensor()) {
407 result.append("No Sensors on the device\n");
408 result.appendFormat("devInitCheck : %d\n", SensorDevice::getInstance().initCheck());
409 } else {
410 // Default dump the sensor list and debugging information.
411 //
412 timespec curTime;
413 clock_gettime(CLOCK_REALTIME, &curTime);
414 struct tm* timeinfo = localtime(&(curTime.tv_sec));
415 result.appendFormat("Captured at: %02d:%02d:%02d.%03d\n", timeinfo->tm_hour,
416 timeinfo->tm_min, timeinfo->tm_sec, (int)ns2ms(curTime.tv_nsec));
417 result.append("Sensor Device:\n");
418 result.append(SensorDevice::getInstance().dump().c_str());
419
420 result.append("Sensor List:\n");
421 result.append(mSensors.dump().c_str());
422
423 result.append("Fusion States:\n");
424 SensorFusion::getInstance().dump(result);
425
426 result.append("Recent Sensor events:\n");
427 for (auto&& i : mRecentEvent) {
428 sp<SensorInterface> s = mSensors.getInterface(i.first);
429 if (!i.second->isEmpty()) {
430 if (privileged || s->getSensor().getRequiredPermission().isEmpty()) {
431 i.second->setFormat("normal");
432 } else {
433 i.second->setFormat("mask_data");
434 }
435 // if there is events and sensor does not need special permission.
436 result.appendFormat("%s: ", s->getSensor().getName().string());
437 result.append(i.second->dump().c_str());
438 }
439 }
440
441 result.append("Active sensors:\n");
442 SensorDevice& dev = SensorDevice::getInstance();
443 for (size_t i=0 ; i<mActiveSensors.size() ; i++) {
444 int handle = mActiveSensors.keyAt(i);
445 if (dev.isSensorActive(handle)) {
446 result.appendFormat("%s (handle=0x%08x, connections=%zu)\n",
447 getSensorName(handle).string(),
448 handle,
449 mActiveSensors.valueAt(i)->getNumConnections());
450 }
451 }
452
453 result.appendFormat("Socket Buffer size = %zd events\n",
454 mSocketBufferSize/sizeof(sensors_event_t));
455 result.appendFormat("WakeLock Status: %s \n", mWakeLockAcquired ? "acquired" :
456 "not held");
457 result.appendFormat("Mode :");
458 switch(mCurrentOperatingMode) {
459 case NORMAL:
460 result.appendFormat(" NORMAL\n");
461 break;
462 case RESTRICTED:
463 result.appendFormat(" RESTRICTED : %s\n", mWhiteListedPackage.string());
464 break;
465 case DATA_INJECTION:
466 result.appendFormat(" DATA_INJECTION : %s\n", mWhiteListedPackage.string());
467 }
468 result.appendFormat("Sensor Privacy: %s\n",
469 mSensorPrivacyPolicy->isSensorPrivacyEnabled() ? "enabled" : "disabled");
470
471 const auto& activeConnections = connLock.getActiveConnections();
472 result.appendFormat("%zd active connections\n", activeConnections.size());
473 for (size_t i=0 ; i < activeConnections.size() ; i++) {
474 result.appendFormat("Connection Number: %zu \n", i);
475 activeConnections[i]->dump(result);
476 }
477
478 const auto& directConnections = connLock.getDirectConnections();
479 result.appendFormat("%zd direct connections\n", directConnections.size());
480 for (size_t i = 0 ; i < directConnections.size() ; i++) {
481 result.appendFormat("Direct connection %zu:\n", i);
482 directConnections[i]->dump(result);
483 }
484
485 result.appendFormat("Previous Registrations:\n");
486 // Log in the reverse chronological order.
487 int currentIndex = (mNextSensorRegIndex - 1 + SENSOR_REGISTRATIONS_BUF_SIZE) %
488 SENSOR_REGISTRATIONS_BUF_SIZE;
489 const int startIndex = currentIndex;
490 do {
491 const SensorRegistrationInfo& reg_info = mLastNSensorRegistrations[currentIndex];
492 if (SensorRegistrationInfo::isSentinel(reg_info)) {
493 // Ignore sentinel, proceed to next item.
494 currentIndex = (currentIndex - 1 + SENSOR_REGISTRATIONS_BUF_SIZE) %
495 SENSOR_REGISTRATIONS_BUF_SIZE;
496 continue;
497 }
498 result.appendFormat("%s\n", reg_info.dump().c_str());
499 currentIndex = (currentIndex - 1 + SENSOR_REGISTRATIONS_BUF_SIZE) %
500 SENSOR_REGISTRATIONS_BUF_SIZE;
501 } while(startIndex != currentIndex);
502 }
503 }
504 write(fd, result.string(), result.size());
505 return NO_ERROR;
506 }
507
disableAllSensors()508 void SensorService::disableAllSensors() {
509 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
510 disableAllSensorsLocked(&connLock);
511 }
512
disableAllSensorsLocked(ConnectionSafeAutolock * connLock)513 void SensorService::disableAllSensorsLocked(ConnectionSafeAutolock* connLock) {
514 SensorDevice& dev(SensorDevice::getInstance());
515 for (const sp<SensorDirectConnection>& connection : connLock->getDirectConnections()) {
516 connection->stopAll(true /* backupRecord */);
517 }
518 dev.disableAllSensors();
519 // Clear all pending flush connections for all active sensors. If one of the active
520 // connections has called flush() and the underlying sensor has been disabled before a
521 // flush complete event is returned, we need to remove the connection from this queue.
522 for (size_t i=0 ; i< mActiveSensors.size(); ++i) {
523 mActiveSensors.valueAt(i)->clearAllPendingFlushConnections();
524 }
525 }
526
enableAllSensors()527 void SensorService::enableAllSensors() {
528 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
529 enableAllSensorsLocked(&connLock);
530 }
531
enableAllSensorsLocked(ConnectionSafeAutolock * connLock)532 void SensorService::enableAllSensorsLocked(ConnectionSafeAutolock* connLock) {
533 // sensors should only be enabled if the operating state is not restricted and sensor
534 // privacy is not enabled.
535 if (mCurrentOperatingMode == RESTRICTED || mSensorPrivacyPolicy->isSensorPrivacyEnabled()) {
536 ALOGW("Sensors cannot be enabled: mCurrentOperatingMode = %d, sensor privacy = %s",
537 mCurrentOperatingMode,
538 mSensorPrivacyPolicy->isSensorPrivacyEnabled() ? "enabled" : "disabled");
539 return;
540 }
541 SensorDevice& dev(SensorDevice::getInstance());
542 dev.enableAllSensors();
543 for (const sp<SensorDirectConnection>& connection : connLock->getDirectConnections()) {
544 connection->recoverAll();
545 }
546 }
547
548
549 // NOTE: This is a remote API - make sure all args are validated
shellCommand(int in,int out,int err,Vector<String16> & args)550 status_t SensorService::shellCommand(int in, int out, int err, Vector<String16>& args) {
551 if (!checkCallingPermission(sManageSensorsPermission, nullptr, nullptr)) {
552 return PERMISSION_DENIED;
553 }
554 if (in == BAD_TYPE || out == BAD_TYPE || err == BAD_TYPE) {
555 return BAD_VALUE;
556 }
557 if (args[0] == String16("set-uid-state")) {
558 return handleSetUidState(args, err);
559 } else if (args[0] == String16("reset-uid-state")) {
560 return handleResetUidState(args, err);
561 } else if (args[0] == String16("get-uid-state")) {
562 return handleGetUidState(args, out, err);
563 } else if (args.size() == 1 && args[0] == String16("help")) {
564 printHelp(out);
565 return NO_ERROR;
566 }
567 printHelp(err);
568 return BAD_VALUE;
569 }
570
getUidForPackage(String16 packageName,int userId,uid_t & uid,int err)571 static status_t getUidForPackage(String16 packageName, int userId, /*inout*/uid_t& uid, int err) {
572 PermissionController pc;
573 uid = pc.getPackageUid(packageName, 0);
574 if (uid <= 0) {
575 ALOGE("Unknown package: '%s'", String8(packageName).string());
576 dprintf(err, "Unknown package: '%s'\n", String8(packageName).string());
577 return BAD_VALUE;
578 }
579
580 if (userId < 0) {
581 ALOGE("Invalid user: %d", userId);
582 dprintf(err, "Invalid user: %d\n", userId);
583 return BAD_VALUE;
584 }
585
586 uid = multiuser_get_uid(userId, uid);
587 return NO_ERROR;
588 }
589
handleSetUidState(Vector<String16> & args,int err)590 status_t SensorService::handleSetUidState(Vector<String16>& args, int err) {
591 // Valid arg.size() is 3 or 5, args.size() is 5 with --user option.
592 if (!(args.size() == 3 || args.size() == 5)) {
593 printHelp(err);
594 return BAD_VALUE;
595 }
596
597 bool active = false;
598 if (args[2] == String16("active")) {
599 active = true;
600 } else if ((args[2] != String16("idle"))) {
601 ALOGE("Expected active or idle but got: '%s'", String8(args[2]).string());
602 return BAD_VALUE;
603 }
604
605 int userId = 0;
606 if (args.size() == 5 && args[3] == String16("--user")) {
607 userId = atoi(String8(args[4]));
608 }
609
610 uid_t uid;
611 if (getUidForPackage(args[1], userId, uid, err) != NO_ERROR) {
612 return BAD_VALUE;
613 }
614
615 mUidPolicy->addOverrideUid(uid, active);
616 return NO_ERROR;
617 }
618
handleResetUidState(Vector<String16> & args,int err)619 status_t SensorService::handleResetUidState(Vector<String16>& args, int err) {
620 // Valid arg.size() is 2 or 4, args.size() is 4 with --user option.
621 if (!(args.size() == 2 || args.size() == 4)) {
622 printHelp(err);
623 return BAD_VALUE;
624 }
625
626 int userId = 0;
627 if (args.size() == 4 && args[2] == String16("--user")) {
628 userId = atoi(String8(args[3]));
629 }
630
631 uid_t uid;
632 if (getUidForPackage(args[1], userId, uid, err) == BAD_VALUE) {
633 return BAD_VALUE;
634 }
635
636 mUidPolicy->removeOverrideUid(uid);
637 return NO_ERROR;
638 }
639
handleGetUidState(Vector<String16> & args,int out,int err)640 status_t SensorService::handleGetUidState(Vector<String16>& args, int out, int err) {
641 // Valid arg.size() is 2 or 4, args.size() is 4 with --user option.
642 if (!(args.size() == 2 || args.size() == 4)) {
643 printHelp(err);
644 return BAD_VALUE;
645 }
646
647 int userId = 0;
648 if (args.size() == 4 && args[2] == String16("--user")) {
649 userId = atoi(String8(args[3]));
650 }
651
652 uid_t uid;
653 if (getUidForPackage(args[1], userId, uid, err) == BAD_VALUE) {
654 return BAD_VALUE;
655 }
656
657 if (mUidPolicy->isUidActive(uid)) {
658 return dprintf(out, "active\n");
659 } else {
660 return dprintf(out, "idle\n");
661 }
662 }
663
printHelp(int out)664 status_t SensorService::printHelp(int out) {
665 return dprintf(out, "Sensor service commands:\n"
666 " get-uid-state <PACKAGE> [--user USER_ID] gets the uid state\n"
667 " set-uid-state <PACKAGE> <active|idle> [--user USER_ID] overrides the uid state\n"
668 " reset-uid-state <PACKAGE> [--user USER_ID] clears the uid state override\n"
669 " help print this message\n");
670 }
671
672 //TODO: move to SensorEventConnection later
cleanupAutoDisabledSensorLocked(const sp<SensorEventConnection> & connection,sensors_event_t const * buffer,const int count)673 void SensorService::cleanupAutoDisabledSensorLocked(const sp<SensorEventConnection>& connection,
674 sensors_event_t const* buffer, const int count) {
675 for (int i=0 ; i<count ; i++) {
676 int handle = buffer[i].sensor;
677 if (buffer[i].type == SENSOR_TYPE_META_DATA) {
678 handle = buffer[i].meta_data.sensor;
679 }
680 if (connection->hasSensor(handle)) {
681 sp<SensorInterface> si = getSensorInterfaceFromHandle(handle);
682 // If this buffer has an event from a one_shot sensor and this connection is registered
683 // for this particular one_shot sensor, try cleaning up the connection.
684 if (si != nullptr &&
685 si->getSensor().getReportingMode() == AREPORTING_MODE_ONE_SHOT) {
686 si->autoDisable(connection.get(), handle);
687 cleanupWithoutDisableLocked(connection, handle);
688 }
689
690 }
691 }
692 }
693
threadLoop()694 bool SensorService::threadLoop() {
695 ALOGD("nuSensorService thread starting...");
696
697 // each virtual sensor could generate an event per "real" event, that's why we need to size
698 // numEventMax much smaller than MAX_RECEIVE_BUFFER_EVENT_COUNT. in practice, this is too
699 // aggressive, but guaranteed to be enough.
700 const size_t vcount = mSensors.getVirtualSensors().size();
701 const size_t minBufferSize = SensorEventQueue::MAX_RECEIVE_BUFFER_EVENT_COUNT;
702 const size_t numEventMax = minBufferSize / (1 + vcount);
703
704 SensorDevice& device(SensorDevice::getInstance());
705
706 const int halVersion = device.getHalDeviceVersion();
707 do {
708 ssize_t count = device.poll(mSensorEventBuffer, numEventMax);
709 if (count < 0) {
710 if(count == DEAD_OBJECT && device.isReconnecting()) {
711 device.reconnect();
712 continue;
713 } else {
714 ALOGE("sensor poll failed (%s)", strerror(-count));
715 break;
716 }
717 }
718
719 // Reset sensors_event_t.flags to zero for all events in the buffer.
720 for (int i = 0; i < count; i++) {
721 mSensorEventBuffer[i].flags = 0;
722 }
723 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
724
725 // Poll has returned. Hold a wakelock if one of the events is from a wake up sensor. The
726 // rest of this loop is under a critical section protected by mLock. Acquiring a wakeLock,
727 // sending events to clients (incrementing SensorEventConnection::mWakeLockRefCount) should
728 // not be interleaved with decrementing SensorEventConnection::mWakeLockRefCount and
729 // releasing the wakelock.
730 uint32_t wakeEvents = 0;
731 for (int i = 0; i < count; i++) {
732 if (isWakeUpSensorEvent(mSensorEventBuffer[i])) {
733 wakeEvents++;
734 }
735 }
736
737 if (wakeEvents > 0) {
738 if (!mWakeLockAcquired) {
739 setWakeLockAcquiredLocked(true);
740 }
741 device.writeWakeLockHandled(wakeEvents);
742 }
743 recordLastValueLocked(mSensorEventBuffer, count);
744
745 // handle virtual sensors
746 if (count && vcount) {
747 sensors_event_t const * const event = mSensorEventBuffer;
748 if (!mActiveVirtualSensors.empty()) {
749 size_t k = 0;
750 SensorFusion& fusion(SensorFusion::getInstance());
751 if (fusion.isEnabled()) {
752 for (size_t i=0 ; i<size_t(count) ; i++) {
753 fusion.process(event[i]);
754 }
755 }
756 for (size_t i=0 ; i<size_t(count) && k<minBufferSize ; i++) {
757 for (int handle : mActiveVirtualSensors) {
758 if (count + k >= minBufferSize) {
759 ALOGE("buffer too small to hold all events: "
760 "count=%zd, k=%zu, size=%zu",
761 count, k, minBufferSize);
762 break;
763 }
764 sensors_event_t out;
765 sp<SensorInterface> si = mSensors.getInterface(handle);
766 if (si == nullptr) {
767 ALOGE("handle %d is not an valid virtual sensor", handle);
768 continue;
769 }
770
771 if (si->process(&out, event[i])) {
772 mSensorEventBuffer[count + k] = out;
773 k++;
774 }
775 }
776 }
777 if (k) {
778 // record the last synthesized values
779 recordLastValueLocked(&mSensorEventBuffer[count], k);
780 count += k;
781 // sort the buffer by time-stamps
782 sortEventBuffer(mSensorEventBuffer, count);
783 }
784 }
785 }
786
787 // handle backward compatibility for RotationVector sensor
788 if (halVersion < SENSORS_DEVICE_API_VERSION_1_0) {
789 for (int i = 0; i < count; i++) {
790 if (mSensorEventBuffer[i].type == SENSOR_TYPE_ROTATION_VECTOR) {
791 // All the 4 components of the quaternion should be available
792 // No heading accuracy. Set it to -1
793 mSensorEventBuffer[i].data[4] = -1;
794 }
795 }
796 }
797
798 // Cache the list of active connections, since we use it in multiple places below but won't
799 // modify it here
800 const std::vector<sp<SensorEventConnection>> activeConnections = connLock.getActiveConnections();
801
802 for (int i = 0; i < count; ++i) {
803 // Map flush_complete_events in the buffer to SensorEventConnections which called flush
804 // on the hardware sensor. mapFlushEventsToConnections[i] will be the
805 // SensorEventConnection mapped to the corresponding flush_complete_event in
806 // mSensorEventBuffer[i] if such a mapping exists (NULL otherwise).
807 mMapFlushEventsToConnections[i] = nullptr;
808 if (mSensorEventBuffer[i].type == SENSOR_TYPE_META_DATA) {
809 const int sensor_handle = mSensorEventBuffer[i].meta_data.sensor;
810 SensorRecord* rec = mActiveSensors.valueFor(sensor_handle);
811 if (rec != nullptr) {
812 mMapFlushEventsToConnections[i] = rec->getFirstPendingFlushConnection();
813 rec->removeFirstPendingFlushConnection();
814 }
815 }
816
817 // handle dynamic sensor meta events, process registration and unregistration of dynamic
818 // sensor based on content of event.
819 if (mSensorEventBuffer[i].type == SENSOR_TYPE_DYNAMIC_SENSOR_META) {
820 if (mSensorEventBuffer[i].dynamic_sensor_meta.connected) {
821 int handle = mSensorEventBuffer[i].dynamic_sensor_meta.handle;
822 const sensor_t& dynamicSensor =
823 *(mSensorEventBuffer[i].dynamic_sensor_meta.sensor);
824 ALOGI("Dynamic sensor handle 0x%x connected, type %d, name %s",
825 handle, dynamicSensor.type, dynamicSensor.name);
826
827 if (mSensors.isNewHandle(handle)) {
828 const auto& uuid = mSensorEventBuffer[i].dynamic_sensor_meta.uuid;
829 sensor_t s = dynamicSensor;
830 // make sure the dynamic sensor flag is set
831 s.flags |= DYNAMIC_SENSOR_MASK;
832 // force the handle to be consistent
833 s.handle = handle;
834
835 SensorInterface *si = new HardwareSensor(s, uuid);
836
837 // This will release hold on dynamic sensor meta, so it should be called
838 // after Sensor object is created.
839 device.handleDynamicSensorConnection(handle, true /*connected*/);
840 registerDynamicSensorLocked(si);
841 } else {
842 ALOGE("Handle %d has been used, cannot use again before reboot.", handle);
843 }
844 } else {
845 int handle = mSensorEventBuffer[i].dynamic_sensor_meta.handle;
846 ALOGI("Dynamic sensor handle 0x%x disconnected", handle);
847
848 device.handleDynamicSensorConnection(handle, false /*connected*/);
849 if (!unregisterDynamicSensorLocked(handle)) {
850 ALOGE("Dynamic sensor release error.");
851 }
852
853 for (const sp<SensorEventConnection>& connection : activeConnections) {
854 connection->removeSensor(handle);
855 }
856 }
857 }
858 }
859
860 // Send our events to clients. Check the state of wake lock for each client and release the
861 // lock if none of the clients need it.
862 bool needsWakeLock = false;
863 for (const sp<SensorEventConnection>& connection : activeConnections) {
864 connection->sendEvents(mSensorEventBuffer, count, mSensorEventScratch,
865 mMapFlushEventsToConnections);
866 needsWakeLock |= connection->needsWakeLock();
867 // If the connection has one-shot sensors, it may be cleaned up after first trigger.
868 // Early check for one-shot sensors.
869 if (connection->hasOneShotSensors()) {
870 cleanupAutoDisabledSensorLocked(connection, mSensorEventBuffer, count);
871 }
872 }
873
874 if (mWakeLockAcquired && !needsWakeLock) {
875 setWakeLockAcquiredLocked(false);
876 }
877 } while (!Thread::exitPending());
878
879 ALOGW("Exiting SensorService::threadLoop => aborting...");
880 abort();
881 return false;
882 }
883
getLooper() const884 sp<Looper> SensorService::getLooper() const {
885 return mLooper;
886 }
887
resetAllWakeLockRefCounts()888 void SensorService::resetAllWakeLockRefCounts() {
889 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
890 for (const sp<SensorEventConnection>& connection : connLock.getActiveConnections()) {
891 connection->resetWakeLockRefCount();
892 }
893 setWakeLockAcquiredLocked(false);
894 }
895
setWakeLockAcquiredLocked(bool acquire)896 void SensorService::setWakeLockAcquiredLocked(bool acquire) {
897 if (acquire) {
898 if (!mWakeLockAcquired) {
899 acquire_wake_lock(PARTIAL_WAKE_LOCK, WAKE_LOCK_NAME);
900 mWakeLockAcquired = true;
901 }
902 mLooper->wake();
903 } else {
904 if (mWakeLockAcquired) {
905 release_wake_lock(WAKE_LOCK_NAME);
906 mWakeLockAcquired = false;
907 }
908 }
909 }
910
isWakeLockAcquired()911 bool SensorService::isWakeLockAcquired() {
912 Mutex::Autolock _l(mLock);
913 return mWakeLockAcquired;
914 }
915
threadLoop()916 bool SensorService::SensorEventAckReceiver::threadLoop() {
917 ALOGD("new thread SensorEventAckReceiver");
918 sp<Looper> looper = mService->getLooper();
919 do {
920 bool wakeLockAcquired = mService->isWakeLockAcquired();
921 int timeout = -1;
922 if (wakeLockAcquired) timeout = 5000;
923 int ret = looper->pollOnce(timeout);
924 if (ret == ALOOPER_POLL_TIMEOUT) {
925 mService->resetAllWakeLockRefCounts();
926 }
927 } while(!Thread::exitPending());
928 return false;
929 }
930
recordLastValueLocked(const sensors_event_t * buffer,size_t count)931 void SensorService::recordLastValueLocked(
932 const sensors_event_t* buffer, size_t count) {
933 for (size_t i = 0; i < count; i++) {
934 if (buffer[i].type == SENSOR_TYPE_META_DATA ||
935 buffer[i].type == SENSOR_TYPE_DYNAMIC_SENSOR_META ||
936 buffer[i].type == SENSOR_TYPE_ADDITIONAL_INFO) {
937 continue;
938 }
939
940 auto logger = mRecentEvent.find(buffer[i].sensor);
941 if (logger != mRecentEvent.end()) {
942 logger->second->addEvent(buffer[i]);
943 }
944 }
945 }
946
sortEventBuffer(sensors_event_t * buffer,size_t count)947 void SensorService::sortEventBuffer(sensors_event_t* buffer, size_t count) {
948 struct compar {
949 static int cmp(void const* lhs, void const* rhs) {
950 sensors_event_t const* l = static_cast<sensors_event_t const*>(lhs);
951 sensors_event_t const* r = static_cast<sensors_event_t const*>(rhs);
952 return l->timestamp - r->timestamp;
953 }
954 };
955 qsort(buffer, count, sizeof(sensors_event_t), compar::cmp);
956 }
957
getSensorName(int handle) const958 String8 SensorService::getSensorName(int handle) const {
959 return mSensors.getName(handle);
960 }
961
isVirtualSensor(int handle) const962 bool SensorService::isVirtualSensor(int handle) const {
963 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
964 return sensor != nullptr && sensor->isVirtual();
965 }
966
isWakeUpSensorEvent(const sensors_event_t & event) const967 bool SensorService::isWakeUpSensorEvent(const sensors_event_t& event) const {
968 int handle = event.sensor;
969 if (event.type == SENSOR_TYPE_META_DATA) {
970 handle = event.meta_data.sensor;
971 }
972 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
973 return sensor != nullptr && sensor->getSensor().isWakeUpSensor();
974 }
975
getIdFromUuid(const Sensor::uuid_t & uuid) const976 int32_t SensorService::getIdFromUuid(const Sensor::uuid_t &uuid) const {
977 if ((uuid.i64[0] == 0) && (uuid.i64[1] == 0)) {
978 // UUID is not supported for this device.
979 return 0;
980 }
981 if ((uuid.i64[0] == INT64_C(~0)) && (uuid.i64[1] == INT64_C(~0))) {
982 // This sensor can be uniquely identified in the system by
983 // the combination of its type and name.
984 return -1;
985 }
986
987 // We have a dynamic sensor.
988
989 if (!sHmacGlobalKeyIsValid) {
990 // Rather than risk exposing UUIDs, we cripple dynamic sensors.
991 ALOGW("HMAC key failure; dynamic sensor getId() will be wrong.");
992 return 0;
993 }
994
995 // We want each app author/publisher to get a different ID, so that the
996 // same dynamic sensor cannot be tracked across apps by multiple
997 // authors/publishers. So we use both our UUID and our User ID.
998 // Note potential confusion:
999 // UUID => Universally Unique Identifier.
1000 // UID => User Identifier.
1001 // We refrain from using "uid" except as needed by API to try to
1002 // keep this distinction clear.
1003
1004 auto appUserId = IPCThreadState::self()->getCallingUid();
1005 uint8_t uuidAndApp[sizeof(uuid) + sizeof(appUserId)];
1006 memcpy(uuidAndApp, &uuid, sizeof(uuid));
1007 memcpy(uuidAndApp + sizeof(uuid), &appUserId, sizeof(appUserId));
1008
1009 // Now we use our key on our UUID/app combo to get the hash.
1010 uint8_t hash[EVP_MAX_MD_SIZE];
1011 unsigned int hashLen;
1012 if (HMAC(EVP_sha256(),
1013 sHmacGlobalKey, sizeof(sHmacGlobalKey),
1014 uuidAndApp, sizeof(uuidAndApp),
1015 hash, &hashLen) == nullptr) {
1016 // Rather than risk exposing UUIDs, we cripple dynamic sensors.
1017 ALOGW("HMAC failure; dynamic sensor getId() will be wrong.");
1018 return 0;
1019 }
1020
1021 int32_t id = 0;
1022 if (hashLen < sizeof(id)) {
1023 // We never expect this case, but out of paranoia, we handle it.
1024 // Our 'id' length is already quite small, we don't want the
1025 // effective length of it to be even smaller.
1026 // Rather than risk exposing UUIDs, we cripple dynamic sensors.
1027 ALOGW("HMAC insufficient; dynamic sensor getId() will be wrong.");
1028 return 0;
1029 }
1030
1031 // This is almost certainly less than all of 'hash', but it's as secure
1032 // as we can be with our current 'id' length.
1033 memcpy(&id, hash, sizeof(id));
1034
1035 // Note at the beginning of the function that we return the values of
1036 // 0 and -1 to represent special cases. As a result, we can't return
1037 // those as dynamic sensor IDs. If we happened to hash to one of those
1038 // values, we change 'id' so we report as a dynamic sensor, and not as
1039 // one of those special cases.
1040 if (id == -1) {
1041 id = -2;
1042 } else if (id == 0) {
1043 id = 1;
1044 }
1045 return id;
1046 }
1047
makeUuidsIntoIdsForSensorList(Vector<Sensor> & sensorList) const1048 void SensorService::makeUuidsIntoIdsForSensorList(Vector<Sensor> &sensorList) const {
1049 for (auto &sensor : sensorList) {
1050 int32_t id = getIdFromUuid(sensor.getUuid());
1051 sensor.setId(id);
1052 }
1053 }
1054
getSensorList(const String16 &)1055 Vector<Sensor> SensorService::getSensorList(const String16& /* opPackageName */) {
1056 char value[PROPERTY_VALUE_MAX];
1057 property_get("debug.sensors", value, "0");
1058 const Vector<Sensor>& initialSensorList = (atoi(value)) ?
1059 mSensors.getUserDebugSensors() : mSensors.getUserSensors();
1060 Vector<Sensor> accessibleSensorList;
1061 for (size_t i = 0; i < initialSensorList.size(); i++) {
1062 Sensor sensor = initialSensorList[i];
1063 accessibleSensorList.add(sensor);
1064 }
1065 makeUuidsIntoIdsForSensorList(accessibleSensorList);
1066 return accessibleSensorList;
1067 }
1068
getDynamicSensorList(const String16 & opPackageName)1069 Vector<Sensor> SensorService::getDynamicSensorList(const String16& opPackageName) {
1070 Vector<Sensor> accessibleSensorList;
1071 mSensors.forEachSensor(
1072 [&opPackageName, &accessibleSensorList] (const Sensor& sensor) -> bool {
1073 if (sensor.isDynamicSensor()) {
1074 if (canAccessSensor(sensor, "getDynamicSensorList", opPackageName)) {
1075 accessibleSensorList.add(sensor);
1076 } else {
1077 ALOGI("Skipped sensor %s because it requires permission %s and app op %" PRId32,
1078 sensor.getName().string(),
1079 sensor.getRequiredPermission().string(),
1080 sensor.getRequiredAppOp());
1081 }
1082 }
1083 return true;
1084 });
1085 makeUuidsIntoIdsForSensorList(accessibleSensorList);
1086 return accessibleSensorList;
1087 }
1088
createSensorEventConnection(const String8 & packageName,int requestedMode,const String16 & opPackageName)1089 sp<ISensorEventConnection> SensorService::createSensorEventConnection(const String8& packageName,
1090 int requestedMode, const String16& opPackageName) {
1091 // Only 2 modes supported for a SensorEventConnection ... NORMAL and DATA_INJECTION.
1092 if (requestedMode != NORMAL && requestedMode != DATA_INJECTION) {
1093 return nullptr;
1094 }
1095
1096 Mutex::Autolock _l(mLock);
1097 // To create a client in DATA_INJECTION mode to inject data, SensorService should already be
1098 // operating in DI mode.
1099 if (requestedMode == DATA_INJECTION) {
1100 if (mCurrentOperatingMode != DATA_INJECTION) return nullptr;
1101 if (!isWhiteListedPackage(packageName)) return nullptr;
1102 }
1103
1104 uid_t uid = IPCThreadState::self()->getCallingUid();
1105 pid_t pid = IPCThreadState::self()->getCallingPid();
1106
1107 String8 connPackageName =
1108 (packageName == "") ? String8::format("unknown_package_pid_%d", pid) : packageName;
1109 String16 connOpPackageName =
1110 (opPackageName == String16("")) ? String16(connPackageName) : opPackageName;
1111 bool hasSensorAccess = mUidPolicy->isUidActive(uid);
1112 sp<SensorEventConnection> result(new SensorEventConnection(this, uid, connPackageName,
1113 requestedMode == DATA_INJECTION, connOpPackageName, hasSensorAccess));
1114 if (requestedMode == DATA_INJECTION) {
1115 mConnectionHolder.addEventConnectionIfNotPresent(result);
1116 // Add the associated file descriptor to the Looper for polling whenever there is data to
1117 // be injected.
1118 result->updateLooperRegistration(mLooper);
1119 }
1120 return result;
1121 }
1122
isDataInjectionEnabled()1123 int SensorService::isDataInjectionEnabled() {
1124 Mutex::Autolock _l(mLock);
1125 return (mCurrentOperatingMode == DATA_INJECTION);
1126 }
1127
createSensorDirectConnection(const String16 & opPackageName,uint32_t size,int32_t type,int32_t format,const native_handle * resource)1128 sp<ISensorEventConnection> SensorService::createSensorDirectConnection(
1129 const String16& opPackageName, uint32_t size, int32_t type, int32_t format,
1130 const native_handle *resource) {
1131 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
1132
1133 // No new direct connections are allowed when sensor privacy is enabled
1134 if (mSensorPrivacyPolicy->isSensorPrivacyEnabled()) {
1135 ALOGE("Cannot create new direct connections when sensor privacy is enabled");
1136 return nullptr;
1137 }
1138
1139 struct sensors_direct_mem_t mem = {
1140 .type = type,
1141 .format = format,
1142 .size = size,
1143 .handle = resource,
1144 };
1145 uid_t uid = IPCThreadState::self()->getCallingUid();
1146
1147 if (mem.handle == nullptr) {
1148 ALOGE("Failed to clone resource handle");
1149 return nullptr;
1150 }
1151
1152 // check format
1153 if (format != SENSOR_DIRECT_FMT_SENSORS_EVENT) {
1154 ALOGE("Direct channel format %d is unsupported!", format);
1155 return nullptr;
1156 }
1157
1158 // check for duplication
1159 for (const sp<SensorDirectConnection>& connection : connLock.getDirectConnections()) {
1160 if (connection->isEquivalent(&mem)) {
1161 ALOGE("Duplicate create channel request for the same share memory");
1162 return nullptr;
1163 }
1164 }
1165
1166 // check specific to memory type
1167 switch(type) {
1168 case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem
1169 if (resource->numFds < 1) {
1170 ALOGE("Ashmem direct channel requires a memory region to be supplied");
1171 android_errorWriteLog(0x534e4554, "70986337"); // SafetyNet
1172 return nullptr;
1173 }
1174 int fd = resource->data[0];
1175 int size2 = ashmem_get_size_region(fd);
1176 // check size consistency
1177 if (size2 < static_cast<int64_t>(size)) {
1178 ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",
1179 size, size2);
1180 return nullptr;
1181 }
1182 break;
1183 }
1184 case SENSOR_DIRECT_MEM_TYPE_GRALLOC:
1185 // no specific checks for gralloc
1186 break;
1187 default:
1188 ALOGE("Unknown direct connection memory type %d", type);
1189 return nullptr;
1190 }
1191
1192 native_handle_t *clone = native_handle_clone(resource);
1193 if (!clone) {
1194 return nullptr;
1195 }
1196
1197 sp<SensorDirectConnection> conn;
1198 SensorDevice& dev(SensorDevice::getInstance());
1199 int channelHandle = dev.registerDirectChannel(&mem);
1200
1201 if (channelHandle <= 0) {
1202 ALOGE("SensorDevice::registerDirectChannel returns %d", channelHandle);
1203 } else {
1204 mem.handle = clone;
1205 conn = new SensorDirectConnection(this, uid, &mem, channelHandle, opPackageName);
1206 }
1207
1208 if (conn == nullptr) {
1209 native_handle_close(clone);
1210 native_handle_delete(clone);
1211 } else {
1212 // add to list of direct connections
1213 // sensor service should never hold pointer or sp of SensorDirectConnection object.
1214 mConnectionHolder.addDirectConnection(conn);
1215 }
1216 return conn;
1217 }
1218
setOperationParameter(int32_t handle,int32_t type,const Vector<float> & floats,const Vector<int32_t> & ints)1219 int SensorService::setOperationParameter(
1220 int32_t handle, int32_t type,
1221 const Vector<float> &floats, const Vector<int32_t> &ints) {
1222 Mutex::Autolock _l(mLock);
1223
1224 if (!checkCallingPermission(sLocationHardwarePermission, nullptr, nullptr)) {
1225 return PERMISSION_DENIED;
1226 }
1227
1228 bool isFloat = true;
1229 bool isCustom = false;
1230 size_t expectSize = INT32_MAX;
1231 switch (type) {
1232 case AINFO_LOCAL_GEOMAGNETIC_FIELD:
1233 isFloat = true;
1234 expectSize = 3;
1235 break;
1236 case AINFO_LOCAL_GRAVITY:
1237 isFloat = true;
1238 expectSize = 1;
1239 break;
1240 case AINFO_DOCK_STATE:
1241 case AINFO_HIGH_PERFORMANCE_MODE:
1242 case AINFO_MAGNETIC_FIELD_CALIBRATION:
1243 isFloat = false;
1244 expectSize = 1;
1245 break;
1246 default:
1247 // CUSTOM events must only contain float data; it may have variable size
1248 if (type < AINFO_CUSTOM_START || type >= AINFO_DEBUGGING_START ||
1249 ints.size() ||
1250 sizeof(additional_info_event_t::data_float)/sizeof(float) < floats.size() ||
1251 handle < 0) {
1252 return BAD_VALUE;
1253 }
1254 isFloat = true;
1255 isCustom = true;
1256 expectSize = floats.size();
1257 break;
1258 }
1259
1260 if (!isCustom && handle != -1) {
1261 return BAD_VALUE;
1262 }
1263
1264 // three events: first one is begin tag, last one is end tag, the one in the middle
1265 // is the payload.
1266 sensors_event_t event[3];
1267 int64_t timestamp = elapsedRealtimeNano();
1268 for (sensors_event_t* i = event; i < event + 3; i++) {
1269 *i = (sensors_event_t) {
1270 .version = sizeof(sensors_event_t),
1271 .sensor = handle,
1272 .type = SENSOR_TYPE_ADDITIONAL_INFO,
1273 .timestamp = timestamp++,
1274 .additional_info = (additional_info_event_t) {
1275 .serial = 0
1276 }
1277 };
1278 }
1279
1280 event[0].additional_info.type = AINFO_BEGIN;
1281 event[1].additional_info.type = type;
1282 event[2].additional_info.type = AINFO_END;
1283
1284 if (isFloat) {
1285 if (floats.size() != expectSize) {
1286 return BAD_VALUE;
1287 }
1288 for (size_t i = 0; i < expectSize; ++i) {
1289 event[1].additional_info.data_float[i] = floats[i];
1290 }
1291 } else {
1292 if (ints.size() != expectSize) {
1293 return BAD_VALUE;
1294 }
1295 for (size_t i = 0; i < expectSize; ++i) {
1296 event[1].additional_info.data_int32[i] = ints[i];
1297 }
1298 }
1299
1300 SensorDevice& dev(SensorDevice::getInstance());
1301 for (sensors_event_t* i = event; i < event + 3; i++) {
1302 int ret = dev.injectSensorData(i);
1303 if (ret != NO_ERROR) {
1304 return ret;
1305 }
1306 }
1307 return NO_ERROR;
1308 }
1309
resetToNormalMode()1310 status_t SensorService::resetToNormalMode() {
1311 Mutex::Autolock _l(mLock);
1312 return resetToNormalModeLocked();
1313 }
1314
resetToNormalModeLocked()1315 status_t SensorService::resetToNormalModeLocked() {
1316 SensorDevice& dev(SensorDevice::getInstance());
1317 status_t err = dev.setMode(NORMAL);
1318 if (err == NO_ERROR) {
1319 mCurrentOperatingMode = NORMAL;
1320 dev.enableAllSensors();
1321 }
1322 return err;
1323 }
1324
cleanupConnection(SensorEventConnection * c)1325 void SensorService::cleanupConnection(SensorEventConnection* c) {
1326 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
1327 const wp<SensorEventConnection> connection(c);
1328 size_t size = mActiveSensors.size();
1329 ALOGD_IF(DEBUG_CONNECTIONS, "%zu active sensors", size);
1330 for (size_t i=0 ; i<size ; ) {
1331 int handle = mActiveSensors.keyAt(i);
1332 if (c->hasSensor(handle)) {
1333 ALOGD_IF(DEBUG_CONNECTIONS, "%zu: disabling handle=0x%08x", i, handle);
1334 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
1335 if (sensor != nullptr) {
1336 sensor->activate(c, false);
1337 } else {
1338 ALOGE("sensor interface of handle=0x%08x is null!", handle);
1339 }
1340 c->removeSensor(handle);
1341 }
1342 SensorRecord* rec = mActiveSensors.valueAt(i);
1343 ALOGE_IF(!rec, "mActiveSensors[%zu] is null (handle=0x%08x)!", i, handle);
1344 ALOGD_IF(DEBUG_CONNECTIONS,
1345 "removing connection %p for sensor[%zu].handle=0x%08x",
1346 c, i, handle);
1347
1348 if (rec && rec->removeConnection(connection)) {
1349 ALOGD_IF(DEBUG_CONNECTIONS, "... and it was the last connection");
1350 mActiveSensors.removeItemsAt(i, 1);
1351 mActiveVirtualSensors.erase(handle);
1352 delete rec;
1353 size--;
1354 } else {
1355 i++;
1356 }
1357 }
1358 c->updateLooperRegistration(mLooper);
1359 mConnectionHolder.removeEventConnection(connection);
1360 BatteryService::cleanup(c->getUid());
1361 if (c->needsWakeLock()) {
1362 checkWakeLockStateLocked(&connLock);
1363 }
1364
1365 {
1366 Mutex::Autolock packageLock(sPackageTargetVersionLock);
1367 auto iter = sPackageTargetVersion.find(c->mOpPackageName);
1368 if (iter != sPackageTargetVersion.end()) {
1369 sPackageTargetVersion.erase(iter);
1370 }
1371 }
1372
1373 SensorDevice& dev(SensorDevice::getInstance());
1374 dev.notifyConnectionDestroyed(c);
1375 }
1376
cleanupConnection(SensorDirectConnection * c)1377 void SensorService::cleanupConnection(SensorDirectConnection* c) {
1378 Mutex::Autolock _l(mLock);
1379
1380 SensorDevice& dev(SensorDevice::getInstance());
1381 dev.unregisterDirectChannel(c->getHalChannelHandle());
1382 mConnectionHolder.removeDirectConnection(c);
1383 }
1384
getSensorInterfaceFromHandle(int handle) const1385 sp<SensorInterface> SensorService::getSensorInterfaceFromHandle(int handle) const {
1386 return mSensors.getInterface(handle);
1387 }
1388
enable(const sp<SensorEventConnection> & connection,int handle,nsecs_t samplingPeriodNs,nsecs_t maxBatchReportLatencyNs,int reservedFlags,const String16 & opPackageName)1389 status_t SensorService::enable(const sp<SensorEventConnection>& connection,
1390 int handle, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags,
1391 const String16& opPackageName) {
1392 if (mInitCheck != NO_ERROR)
1393 return mInitCheck;
1394
1395 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
1396 if (sensor == nullptr ||
1397 !canAccessSensor(sensor->getSensor(), "Tried enabling", opPackageName)) {
1398 return BAD_VALUE;
1399 }
1400
1401 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
1402 if (mCurrentOperatingMode != NORMAL
1403 && !isWhiteListedPackage(connection->getPackageName())) {
1404 return INVALID_OPERATION;
1405 }
1406
1407 SensorRecord* rec = mActiveSensors.valueFor(handle);
1408 if (rec == nullptr) {
1409 rec = new SensorRecord(connection);
1410 mActiveSensors.add(handle, rec);
1411 if (sensor->isVirtual()) {
1412 mActiveVirtualSensors.emplace(handle);
1413 }
1414
1415 // There was no SensorRecord for this sensor which means it was previously disabled. Mark
1416 // the recent event as stale to ensure that the previous event is not sent to a client. This
1417 // ensures on-change events that were generated during a previous sensor activation are not
1418 // erroneously sent to newly connected clients, especially if a second client registers for
1419 // an on-change sensor before the first client receives the updated event. Once an updated
1420 // event is received, the recent events will be marked as current, and any new clients will
1421 // immediately receive the most recent event.
1422 if (sensor->getSensor().getReportingMode() == AREPORTING_MODE_ON_CHANGE) {
1423 auto logger = mRecentEvent.find(handle);
1424 if (logger != mRecentEvent.end()) {
1425 logger->second->setLastEventStale();
1426 }
1427 }
1428 } else {
1429 if (rec->addConnection(connection)) {
1430 // this sensor is already activated, but we are adding a connection that uses it.
1431 // Immediately send down the last known value of the requested sensor if it's not a
1432 // "continuous" sensor.
1433 if (sensor->getSensor().getReportingMode() == AREPORTING_MODE_ON_CHANGE) {
1434 // NOTE: The wake_up flag of this event may get set to
1435 // WAKE_UP_SENSOR_EVENT_NEEDS_ACK if this is a wake_up event.
1436
1437 auto logger = mRecentEvent.find(handle);
1438 if (logger != mRecentEvent.end()) {
1439 sensors_event_t event;
1440 // Verify that the last sensor event was generated from the current activation
1441 // of the sensor. If not, it is possible for an on-change sensor to receive a
1442 // sensor event that is stale if two clients re-activate the sensor
1443 // simultaneously.
1444 if(logger->second->populateLastEventIfCurrent(&event)) {
1445 event.sensor = handle;
1446 if (event.version == sizeof(sensors_event_t)) {
1447 if (isWakeUpSensorEvent(event) && !mWakeLockAcquired) {
1448 setWakeLockAcquiredLocked(true);
1449 }
1450 connection->sendEvents(&event, 1, nullptr);
1451 if (!connection->needsWakeLock() && mWakeLockAcquired) {
1452 checkWakeLockStateLocked(&connLock);
1453 }
1454 }
1455 }
1456 }
1457 }
1458 }
1459 }
1460
1461 if (connection->addSensor(handle)) {
1462 BatteryService::enableSensor(connection->getUid(), handle);
1463 // the sensor was added (which means it wasn't already there)
1464 // so, see if this connection becomes active
1465 mConnectionHolder.addEventConnectionIfNotPresent(connection);
1466 } else {
1467 ALOGW("sensor %08x already enabled in connection %p (ignoring)",
1468 handle, connection.get());
1469 }
1470
1471 // Check maximum delay for the sensor.
1472 nsecs_t maxDelayNs = sensor->getSensor().getMaxDelay() * 1000LL;
1473 if (maxDelayNs > 0 && (samplingPeriodNs > maxDelayNs)) {
1474 samplingPeriodNs = maxDelayNs;
1475 }
1476
1477 nsecs_t minDelayNs = sensor->getSensor().getMinDelayNs();
1478 if (samplingPeriodNs < minDelayNs) {
1479 samplingPeriodNs = minDelayNs;
1480 }
1481
1482 ALOGD_IF(DEBUG_CONNECTIONS, "Calling batch handle==%d flags=%d"
1483 "rate=%" PRId64 " timeout== %" PRId64"",
1484 handle, reservedFlags, samplingPeriodNs, maxBatchReportLatencyNs);
1485
1486 status_t err = sensor->batch(connection.get(), handle, 0, samplingPeriodNs,
1487 maxBatchReportLatencyNs);
1488
1489 // Call flush() before calling activate() on the sensor. Wait for a first
1490 // flush complete event before sending events on this connection. Ignore
1491 // one-shot sensors which don't support flush(). Ignore on-change sensors
1492 // to maintain the on-change logic (any on-change events except the initial
1493 // one should be trigger by a change in value). Also if this sensor isn't
1494 // already active, don't call flush().
1495 if (err == NO_ERROR &&
1496 sensor->getSensor().getReportingMode() == AREPORTING_MODE_CONTINUOUS &&
1497 rec->getNumConnections() > 1) {
1498 connection->setFirstFlushPending(handle, true);
1499 status_t err_flush = sensor->flush(connection.get(), handle);
1500 // Flush may return error if the underlying h/w sensor uses an older HAL.
1501 if (err_flush == NO_ERROR) {
1502 rec->addPendingFlushConnection(connection.get());
1503 } else {
1504 connection->setFirstFlushPending(handle, false);
1505 }
1506 }
1507
1508 if (err == NO_ERROR) {
1509 ALOGD_IF(DEBUG_CONNECTIONS, "Calling activate on %d", handle);
1510 err = sensor->activate(connection.get(), true);
1511 }
1512
1513 if (err == NO_ERROR) {
1514 connection->updateLooperRegistration(mLooper);
1515
1516 if (sensor->getSensor().getRequiredPermission().size() > 0 &&
1517 sensor->getSensor().getRequiredAppOp() >= 0) {
1518 connection->mHandleToAppOp[handle] = sensor->getSensor().getRequiredAppOp();
1519 }
1520
1521 mLastNSensorRegistrations.editItemAt(mNextSensorRegIndex) =
1522 SensorRegistrationInfo(handle, connection->getPackageName(),
1523 samplingPeriodNs, maxBatchReportLatencyNs, true);
1524 mNextSensorRegIndex = (mNextSensorRegIndex + 1) % SENSOR_REGISTRATIONS_BUF_SIZE;
1525 }
1526
1527 if (err != NO_ERROR) {
1528 // batch/activate has failed, reset our state.
1529 cleanupWithoutDisableLocked(connection, handle);
1530 }
1531 return err;
1532 }
1533
disable(const sp<SensorEventConnection> & connection,int handle)1534 status_t SensorService::disable(const sp<SensorEventConnection>& connection, int handle) {
1535 if (mInitCheck != NO_ERROR)
1536 return mInitCheck;
1537
1538 Mutex::Autolock _l(mLock);
1539 status_t err = cleanupWithoutDisableLocked(connection, handle);
1540 if (err == NO_ERROR) {
1541 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
1542 err = sensor != nullptr ? sensor->activate(connection.get(), false) : status_t(BAD_VALUE);
1543
1544 }
1545 if (err == NO_ERROR) {
1546 mLastNSensorRegistrations.editItemAt(mNextSensorRegIndex) =
1547 SensorRegistrationInfo(handle, connection->getPackageName(), 0, 0, false);
1548 mNextSensorRegIndex = (mNextSensorRegIndex + 1) % SENSOR_REGISTRATIONS_BUF_SIZE;
1549 }
1550 return err;
1551 }
1552
cleanupWithoutDisable(const sp<SensorEventConnection> & connection,int handle)1553 status_t SensorService::cleanupWithoutDisable(
1554 const sp<SensorEventConnection>& connection, int handle) {
1555 Mutex::Autolock _l(mLock);
1556 return cleanupWithoutDisableLocked(connection, handle);
1557 }
1558
cleanupWithoutDisableLocked(const sp<SensorEventConnection> & connection,int handle)1559 status_t SensorService::cleanupWithoutDisableLocked(
1560 const sp<SensorEventConnection>& connection, int handle) {
1561 SensorRecord* rec = mActiveSensors.valueFor(handle);
1562 if (rec) {
1563 // see if this connection becomes inactive
1564 if (connection->removeSensor(handle)) {
1565 BatteryService::disableSensor(connection->getUid(), handle);
1566 }
1567 if (connection->hasAnySensor() == false) {
1568 connection->updateLooperRegistration(mLooper);
1569 mConnectionHolder.removeEventConnection(connection);
1570 }
1571 // see if this sensor becomes inactive
1572 if (rec->removeConnection(connection)) {
1573 mActiveSensors.removeItem(handle);
1574 mActiveVirtualSensors.erase(handle);
1575 delete rec;
1576 }
1577 return NO_ERROR;
1578 }
1579 return BAD_VALUE;
1580 }
1581
setEventRate(const sp<SensorEventConnection> & connection,int handle,nsecs_t ns,const String16 & opPackageName)1582 status_t SensorService::setEventRate(const sp<SensorEventConnection>& connection,
1583 int handle, nsecs_t ns, const String16& opPackageName) {
1584 if (mInitCheck != NO_ERROR)
1585 return mInitCheck;
1586
1587 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
1588 if (sensor == nullptr ||
1589 !canAccessSensor(sensor->getSensor(), "Tried configuring", opPackageName)) {
1590 return BAD_VALUE;
1591 }
1592
1593 if (ns < 0)
1594 return BAD_VALUE;
1595
1596 nsecs_t minDelayNs = sensor->getSensor().getMinDelayNs();
1597 if (ns < minDelayNs) {
1598 ns = minDelayNs;
1599 }
1600
1601 return sensor->setDelay(connection.get(), handle, ns);
1602 }
1603
flushSensor(const sp<SensorEventConnection> & connection,const String16 & opPackageName)1604 status_t SensorService::flushSensor(const sp<SensorEventConnection>& connection,
1605 const String16& opPackageName) {
1606 if (mInitCheck != NO_ERROR) return mInitCheck;
1607 SensorDevice& dev(SensorDevice::getInstance());
1608 const int halVersion = dev.getHalDeviceVersion();
1609 status_t err(NO_ERROR);
1610 Mutex::Autolock _l(mLock);
1611 // Loop through all sensors for this connection and call flush on each of them.
1612 for (size_t i = 0; i < connection->mSensorInfo.size(); ++i) {
1613 const int handle = connection->mSensorInfo.keyAt(i);
1614 sp<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
1615 if (sensor == nullptr) {
1616 continue;
1617 }
1618 if (sensor->getSensor().getReportingMode() == AREPORTING_MODE_ONE_SHOT) {
1619 ALOGE("flush called on a one-shot sensor");
1620 err = INVALID_OPERATION;
1621 continue;
1622 }
1623 if (halVersion <= SENSORS_DEVICE_API_VERSION_1_0 || isVirtualSensor(handle)) {
1624 // For older devices just increment pending flush count which will send a trivial
1625 // flush complete event.
1626 connection->incrementPendingFlushCount(handle);
1627 } else {
1628 if (!canAccessSensor(sensor->getSensor(), "Tried flushing", opPackageName)) {
1629 err = INVALID_OPERATION;
1630 continue;
1631 }
1632 status_t err_flush = sensor->flush(connection.get(), handle);
1633 if (err_flush == NO_ERROR) {
1634 SensorRecord* rec = mActiveSensors.valueFor(handle);
1635 if (rec != nullptr) rec->addPendingFlushConnection(connection);
1636 }
1637 err = (err_flush != NO_ERROR) ? err_flush : err;
1638 }
1639 }
1640 return err;
1641 }
1642
canAccessSensor(const Sensor & sensor,const char * operation,const String16 & opPackageName)1643 bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
1644 const String16& opPackageName) {
1645 // Check if a permission is required for this sensor
1646 if (sensor.getRequiredPermission().length() <= 0) {
1647 return true;
1648 }
1649
1650 const int32_t opCode = sensor.getRequiredAppOp();
1651 const int32_t appOpMode = sAppOpsManager.checkOp(opCode,
1652 IPCThreadState::self()->getCallingUid(), opPackageName);
1653 bool appOpAllowed = appOpMode == AppOpsManager::MODE_ALLOWED;
1654
1655 bool canAccess = false;
1656 if (hasPermissionForSensor(sensor)) {
1657 // Ensure that the AppOp is allowed, or that there is no necessary app op for the sensor
1658 if (opCode < 0 || appOpAllowed) {
1659 canAccess = true;
1660 }
1661 } else if (sensor.getType() == SENSOR_TYPE_STEP_COUNTER ||
1662 sensor.getType() == SENSOR_TYPE_STEP_DETECTOR) {
1663 int targetSdkVersion = getTargetSdkVersion(opPackageName);
1664 // Allow access to the sensor if the application targets pre-Q, which is before the
1665 // requirement to hold the AR permission to access Step Counter and Step Detector events
1666 // was introduced, and the user hasn't revoked the app op.
1667 //
1668 // Verifying the app op is required to ensure that the user hasn't revoked the necessary
1669 // permissions to access the Step Detector and Step Counter when the application targets
1670 // pre-Q. Without this check, if the user revokes the pre-Q install-time GMS Core AR
1671 // permission, the app would still be able to receive Step Counter and Step Detector events.
1672 if (appOpAllowed &&
1673 targetSdkVersion > 0 &&
1674 targetSdkVersion <= __ANDROID_API_P__) {
1675 canAccess = true;
1676 }
1677 }
1678
1679 if (canAccess) {
1680 sAppOpsManager.noteOp(opCode, IPCThreadState::self()->getCallingUid(), opPackageName);
1681 } else {
1682 ALOGE("%s a sensor (%s) without holding its required permission: %s",
1683 operation, sensor.getName().string(), sensor.getRequiredPermission().string());
1684 }
1685
1686 return canAccess;
1687 }
1688
hasPermissionForSensor(const Sensor & sensor)1689 bool SensorService::hasPermissionForSensor(const Sensor& sensor) {
1690 bool hasPermission = false;
1691 const String8& requiredPermission = sensor.getRequiredPermission();
1692
1693 // Runtime permissions can't use the cache as they may change.
1694 if (sensor.isRequiredPermissionRuntime()) {
1695 hasPermission = checkPermission(String16(requiredPermission),
1696 IPCThreadState::self()->getCallingPid(), IPCThreadState::self()->getCallingUid());
1697 } else {
1698 hasPermission = PermissionCache::checkCallingPermission(String16(requiredPermission));
1699 }
1700 return hasPermission;
1701 }
1702
getTargetSdkVersion(const String16 & opPackageName)1703 int SensorService::getTargetSdkVersion(const String16& opPackageName) {
1704 Mutex::Autolock packageLock(sPackageTargetVersionLock);
1705 int targetSdkVersion = -1;
1706 auto entry = sPackageTargetVersion.find(opPackageName);
1707 if (entry != sPackageTargetVersion.end()) {
1708 targetSdkVersion = entry->second;
1709 } else {
1710 sp<IBinder> binder = defaultServiceManager()->getService(String16("package_native"));
1711 if (binder != nullptr) {
1712 sp<content::pm::IPackageManagerNative> packageManager =
1713 interface_cast<content::pm::IPackageManagerNative>(binder);
1714 if (packageManager != nullptr) {
1715 binder::Status status = packageManager->getTargetSdkVersionForPackage(
1716 opPackageName, &targetSdkVersion);
1717 if (!status.isOk()) {
1718 targetSdkVersion = -1;
1719 }
1720 }
1721 }
1722 sPackageTargetVersion[opPackageName] = targetSdkVersion;
1723 }
1724 return targetSdkVersion;
1725 }
1726
checkWakeLockState()1727 void SensorService::checkWakeLockState() {
1728 ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
1729 checkWakeLockStateLocked(&connLock);
1730 }
1731
checkWakeLockStateLocked(ConnectionSafeAutolock * connLock)1732 void SensorService::checkWakeLockStateLocked(ConnectionSafeAutolock* connLock) {
1733 if (!mWakeLockAcquired) {
1734 return;
1735 }
1736 bool releaseLock = true;
1737 for (const sp<SensorEventConnection>& connection : connLock->getActiveConnections()) {
1738 if (connection->needsWakeLock()) {
1739 releaseLock = false;
1740 break;
1741 }
1742 }
1743 if (releaseLock) {
1744 setWakeLockAcquiredLocked(false);
1745 }
1746 }
1747
sendEventsFromCache(const sp<SensorEventConnection> & connection)1748 void SensorService::sendEventsFromCache(const sp<SensorEventConnection>& connection) {
1749 Mutex::Autolock _l(mLock);
1750 connection->writeToSocketFromCache();
1751 if (connection->needsWakeLock()) {
1752 setWakeLockAcquiredLocked(true);
1753 }
1754 }
1755
isWhiteListedPackage(const String8 & packageName)1756 bool SensorService::isWhiteListedPackage(const String8& packageName) {
1757 return (packageName.contains(mWhiteListedPackage.string()));
1758 }
1759
isOperationPermitted(const String16 & opPackageName)1760 bool SensorService::isOperationPermitted(const String16& opPackageName) {
1761 Mutex::Autolock _l(mLock);
1762 if (mCurrentOperatingMode == RESTRICTED) {
1763 String8 package(opPackageName);
1764 return isWhiteListedPackage(package);
1765 }
1766 return true;
1767 }
1768
registerSelf()1769 void SensorService::UidPolicy::registerSelf() {
1770 ActivityManager am;
1771 am.registerUidObserver(this, ActivityManager::UID_OBSERVER_GONE
1772 | ActivityManager::UID_OBSERVER_IDLE
1773 | ActivityManager::UID_OBSERVER_ACTIVE,
1774 ActivityManager::PROCESS_STATE_UNKNOWN,
1775 String16("android"));
1776 }
1777
unregisterSelf()1778 void SensorService::UidPolicy::unregisterSelf() {
1779 ActivityManager am;
1780 am.unregisterUidObserver(this);
1781 }
1782
onUidGone(__unused uid_t uid,__unused bool disabled)1783 void SensorService::UidPolicy::onUidGone(__unused uid_t uid, __unused bool disabled) {
1784 onUidIdle(uid, disabled);
1785 }
1786
onUidActive(uid_t uid)1787 void SensorService::UidPolicy::onUidActive(uid_t uid) {
1788 {
1789 Mutex::Autolock _l(mUidLock);
1790 mActiveUids.insert(uid);
1791 }
1792 sp<SensorService> service = mService.promote();
1793 if (service != nullptr) {
1794 service->setSensorAccess(uid, true);
1795 }
1796 }
1797
onUidIdle(uid_t uid,__unused bool disabled)1798 void SensorService::UidPolicy::onUidIdle(uid_t uid, __unused bool disabled) {
1799 bool deleted = false;
1800 {
1801 Mutex::Autolock _l(mUidLock);
1802 if (mActiveUids.erase(uid) > 0) {
1803 deleted = true;
1804 }
1805 }
1806 if (deleted) {
1807 sp<SensorService> service = mService.promote();
1808 if (service != nullptr) {
1809 service->setSensorAccess(uid, false);
1810 }
1811 }
1812 }
1813
addOverrideUid(uid_t uid,bool active)1814 void SensorService::UidPolicy::addOverrideUid(uid_t uid, bool active) {
1815 updateOverrideUid(uid, active, true);
1816 }
1817
removeOverrideUid(uid_t uid)1818 void SensorService::UidPolicy::removeOverrideUid(uid_t uid) {
1819 updateOverrideUid(uid, false, false);
1820 }
1821
updateOverrideUid(uid_t uid,bool active,bool insert)1822 void SensorService::UidPolicy::updateOverrideUid(uid_t uid, bool active, bool insert) {
1823 bool wasActive = false;
1824 bool isActive = false;
1825 {
1826 Mutex::Autolock _l(mUidLock);
1827 wasActive = isUidActiveLocked(uid);
1828 mOverrideUids.erase(uid);
1829 if (insert) {
1830 mOverrideUids.insert(std::pair<uid_t, bool>(uid, active));
1831 }
1832 isActive = isUidActiveLocked(uid);
1833 }
1834 if (wasActive != isActive) {
1835 sp<SensorService> service = mService.promote();
1836 if (service != nullptr) {
1837 service->setSensorAccess(uid, isActive);
1838 }
1839 }
1840 }
1841
isUidActive(uid_t uid)1842 bool SensorService::UidPolicy::isUidActive(uid_t uid) {
1843 // Non-app UIDs are considered always active
1844 if (uid < FIRST_APPLICATION_UID) {
1845 return true;
1846 }
1847 Mutex::Autolock _l(mUidLock);
1848 return isUidActiveLocked(uid);
1849 }
1850
isUidActiveLocked(uid_t uid)1851 bool SensorService::UidPolicy::isUidActiveLocked(uid_t uid) {
1852 // Non-app UIDs are considered always active
1853 if (uid < FIRST_APPLICATION_UID) {
1854 return true;
1855 }
1856 auto it = mOverrideUids.find(uid);
1857 if (it != mOverrideUids.end()) {
1858 return it->second;
1859 }
1860 return mActiveUids.find(uid) != mActiveUids.end();
1861 }
1862
registerSelf()1863 void SensorService::SensorPrivacyPolicy::registerSelf() {
1864 SensorPrivacyManager spm;
1865 mSensorPrivacyEnabled = spm.isSensorPrivacyEnabled();
1866 spm.addSensorPrivacyListener(this);
1867 }
1868
unregisterSelf()1869 void SensorService::SensorPrivacyPolicy::unregisterSelf() {
1870 SensorPrivacyManager spm;
1871 spm.removeSensorPrivacyListener(this);
1872 }
1873
isSensorPrivacyEnabled()1874 bool SensorService::SensorPrivacyPolicy::isSensorPrivacyEnabled() {
1875 return mSensorPrivacyEnabled;
1876 }
1877
onSensorPrivacyChanged(bool enabled)1878 binder::Status SensorService::SensorPrivacyPolicy::onSensorPrivacyChanged(bool enabled) {
1879 mSensorPrivacyEnabled = enabled;
1880 sp<SensorService> service = mService.promote();
1881 if (service != nullptr) {
1882 if (enabled) {
1883 service->disableAllSensors();
1884 } else {
1885 service->enableAllSensors();
1886 }
1887 }
1888 return binder::Status::ok();
1889 }
1890
ConnectionSafeAutolock(SensorService::SensorConnectionHolder & holder,Mutex & mutex)1891 SensorService::ConnectionSafeAutolock::ConnectionSafeAutolock(
1892 SensorService::SensorConnectionHolder& holder, Mutex& mutex)
1893 : mConnectionHolder(holder), mAutolock(mutex) {}
1894
1895 template<typename ConnectionType>
getConnectionsHelper(const SortedVector<wp<ConnectionType>> & connectionList,std::vector<std::vector<sp<ConnectionType>>> * referenceHolder)1896 const std::vector<sp<ConnectionType>>& SensorService::ConnectionSafeAutolock::getConnectionsHelper(
1897 const SortedVector<wp<ConnectionType>>& connectionList,
1898 std::vector<std::vector<sp<ConnectionType>>>* referenceHolder) {
1899 referenceHolder->emplace_back();
1900 std::vector<sp<ConnectionType>>& connections = referenceHolder->back();
1901 for (const wp<ConnectionType>& weakConnection : connectionList){
1902 sp<ConnectionType> connection = weakConnection.promote();
1903 if (connection != nullptr) {
1904 connections.push_back(std::move(connection));
1905 }
1906 }
1907 return connections;
1908 }
1909
1910 const std::vector<sp<SensorService::SensorEventConnection>>&
getActiveConnections()1911 SensorService::ConnectionSafeAutolock::getActiveConnections() {
1912 return getConnectionsHelper(mConnectionHolder.mActiveConnections,
1913 &mReferencedActiveConnections);
1914 }
1915
1916 const std::vector<sp<SensorService::SensorDirectConnection>>&
getDirectConnections()1917 SensorService::ConnectionSafeAutolock::getDirectConnections() {
1918 return getConnectionsHelper(mConnectionHolder.mDirectConnections,
1919 &mReferencedDirectConnections);
1920 }
1921
addEventConnectionIfNotPresent(const sp<SensorService::SensorEventConnection> & connection)1922 void SensorService::SensorConnectionHolder::addEventConnectionIfNotPresent(
1923 const sp<SensorService::SensorEventConnection>& connection) {
1924 if (mActiveConnections.indexOf(connection) < 0) {
1925 mActiveConnections.add(connection);
1926 }
1927 }
1928
removeEventConnection(const wp<SensorService::SensorEventConnection> & connection)1929 void SensorService::SensorConnectionHolder::removeEventConnection(
1930 const wp<SensorService::SensorEventConnection>& connection) {
1931 mActiveConnections.remove(connection);
1932 }
1933
addDirectConnection(const sp<SensorService::SensorDirectConnection> & connection)1934 void SensorService::SensorConnectionHolder::addDirectConnection(
1935 const sp<SensorService::SensorDirectConnection>& connection) {
1936 mDirectConnections.add(connection);
1937 }
1938
removeDirectConnection(const wp<SensorService::SensorDirectConnection> & connection)1939 void SensorService::SensorConnectionHolder::removeDirectConnection(
1940 const wp<SensorService::SensorDirectConnection>& connection) {
1941 mDirectConnections.remove(connection);
1942 }
1943
lock(Mutex & mutex)1944 SensorService::ConnectionSafeAutolock SensorService::SensorConnectionHolder::lock(Mutex& mutex) {
1945 return ConnectionSafeAutolock(*this, mutex);
1946 }
1947
1948 } // namespace android
1949