1 /*
2  * Copyright (C) 2010 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #include "SensorService.h"
17 
18 #include <aidl/android/hardware/sensors/ISensors.h>
19 #include <android-base/strings.h>
20 #include <android/content/pm/IPackageManagerNative.h>
21 #include <android/util/ProtoOutputStream.h>
22 #include <binder/ActivityManager.h>
23 #include <binder/BinderService.h>
24 #include <binder/IServiceManager.h>
25 #include <binder/PermissionCache.h>
26 #include <binder/PermissionController.h>
27 #include <com_android_frameworks_sensorservice_flags.h>
28 #include <cutils/ashmem.h>
29 #include <cutils/misc.h>
30 #include <cutils/properties.h>
31 #include <frameworks/base/core/proto/android/service/sensor_service.proto.h>
32 #include <hardware/sensors.h>
33 #include <hardware_legacy/power.h>
34 #include <inttypes.h>
35 #include <log/log.h>
36 #include <math.h>
37 #include <openssl/digest.h>
38 #include <openssl/hmac.h>
39 #include <openssl/rand.h>
40 #include <private/android_filesystem_config.h>
41 #include <sched.h>
42 #include <sensor/SensorEventQueue.h>
43 #include <sensorprivacy/SensorPrivacyManager.h>
44 #include <stdint.h>
45 #include <sys/socket.h>
46 #include <sys/stat.h>
47 #include <sys/types.h>
48 #include <unistd.h>
49 #include <utils/SystemClock.h>
50 
51 #include <condition_variable>
52 #include <ctime>
53 #include <future>
54 #include <mutex>
55 #include <string>
56 
57 #include "BatteryService.h"
58 #include "CorrectedGyroSensor.h"
59 #include "GravitySensor.h"
60 #include "LimitedAxesImuSensor.h"
61 #include "LinearAccelerationSensor.h"
62 #include "OrientationSensor.h"
63 #include "RotationVectorSensor.h"
64 #include "SensorDirectConnection.h"
65 #include "SensorEventAckReceiver.h"
66 #include "SensorEventConnection.h"
67 #include "SensorFusion.h"
68 #include "SensorInterface.h"
69 #include "SensorRecord.h"
70 #include "SensorRegistrationInfo.h"
71 #include "SensorServiceUtils.h"
72 
73 using namespace std::chrono_literals;
74 namespace sensorservice_flags = com::android::frameworks::sensorservice::flags;
75 
76 namespace android {
77 // ---------------------------------------------------------------------------
78 
79 /*
80  * Notes:
81  *
82  * - what about a gyro-corrected magnetic-field sensor?
83  * - run mag sensor from time to time to force calibration
84  * - gravity sensor length is wrong (=> drift in linear-acc sensor)
85  *
86  */
87 
// Definitions of SensorService's static data members.

// Wake lock name string.
const char* SensorService::WAKE_LOCK_NAME = "SensorService_wakelock";

// HMAC key material. initializeHmacKey() fills the buffer and onFirstRef() stores that call's
// result in sHmacGlobalKeyIsValid, so the buffer must not be trusted while the flag is false.
uint8_t SensorService::sHmacGlobalKey[128] = {};
bool SensorService::sHmacGlobalKeyIsValid = false;

// NOTE(review): presumably a package-name -> target-SDK cache guarded by the mutex below;
// confirm against the code that uses it.
std::map<String16, int> SensorService::sPackageTargetVersion;
Mutex SensorService::sPackageTargetVersionLock;

String16 SensorService::sSensorInterfaceDescriptorPrefix =
    String16("android.frameworks.sensorservice");
AppOpsManager SensorService::sAppOpsManager;

// Sequence counters, both starting at zero.
std::atomic_uint64_t SensorService::curProxCallbackSeq{0};
std::atomic_uint64_t SensorService::completedCallbackSeq{0};
// Directory and file in which initializeHmacKey() persists the HMAC key.
#define SENSOR_SERVICE_DIR "/data/system/sensor_service"
#define SENSOR_SERVICE_HMAC_KEY_FILE  SENSOR_SERVICE_DIR "/hmac_key"
// Priority requested by enableSchedFifoMode() when switching to SCHED_FIFO.
#define SENSOR_SERVICE_SCHED_FIFO_PRIORITY 10

// Permission names used for access checks in this file.
static const String16 sAccessHighSensorSamplingRatePermission{
        "android.permission.HIGH_SAMPLING_RATE_SENSORS"};
static const String16 sDumpPermission{"android.permission.DUMP"};
static const String16 sLocationHardwarePermission{"android.permission.LOCATION_HARDWARE"};
static const String16 sManageSensorsPermission{"android.permission.MANAGE_SENSORS"};
109 
110 namespace {
111 
/**
 * Hands out the next handle from the range reserved for runtime sensors.
 *
 * @return the next handle, or -1 once the counter has reached
 *         ISensors::RUNTIME_SENSORS_HANDLE_END.
 */
int32_t nextRuntimeSensorHandle() {
    using ::aidl::android::hardware::sensors::ISensors;
    // The counter only ever grows, so a handle returned here is never returned again and the
    // range is used up after a fixed number of calls.
    // NOTE(review): this is a plain function-local static with no synchronization; confirm
    // that callers cannot reach it from two threads at once.
    static int32_t sNextHandle = ISensors::RUNTIME_SENSORS_HANDLE_BASE;
    const bool rangeExhausted = (sNextHandle == ISensors::RUNTIME_SENSORS_HANDLE_END);
    return rangeExhausted ? -1 : sNextHandle++;
}
120 
/**
 * Adapter that exposes a SensorService::RuntimeSensorCallback through the
 * RuntimeSensor::SensorCallback interface.
 */
class RuntimeSensorCallbackProxy : public RuntimeSensor::SensorCallback {
 public:
    RuntimeSensorCallbackProxy(sp<SensorService::RuntimeSensorCallback> callback)
        : mCallback(std::move(callback)) {}

    // Passes the configuration change through to the wrapped callback and returns its status.
    // NOTE(review): mCallback is dereferenced without a null check; confirm the proxy is never
    // constructed with a null callback.
    status_t onConfigurationChanged(int handle, bool enabled, int64_t samplingPeriodNs,
                                    int64_t batchReportLatencyNs) override {
        const status_t forwarded = mCallback->onConfigurationChanged(
                handle, enabled, samplingPeriodNs, batchReportLatencyNs);
        return forwarded;
    }

 private:
    // The callback every call is forwarded to.
    sp<SensorService::RuntimeSensorCallback> mCallback;
};
133 
134 } // namespace
135 
/**
 * Asks the native package manager whether the "android.hardware.type.automotive" system
 * feature is present.
 *
 * @return the reported feature state; false when the service manager or package manager is
 *         unavailable or the query fails (each failure is logged).
 */
static bool isAutomotive() {
    const sp<IServiceManager> sm = defaultServiceManager();
    if (sm.get() == nullptr) {
        ALOGE("%s: unable to access native ServiceManager", __func__);
        return false;
    }

    // A null binder yields a null interface, which the check below rejects.
    const sp<IBinder> pmBinder = sm->waitForService(String16("package_native"));
    const sp<content::pm::IPackageManagerNative> pm =
            interface_cast<content::pm::IPackageManagerNative>(pmBinder);
    if (pm == nullptr) {
        ALOGE("%s: unable to access native PackageManager", __func__);
        return false;
    }

    bool featurePresent = false;
    const binder::Status queryStatus = pm->hasSystemFeature(
            String16("android.hardware.type.automotive"), 0, &featurePresent);
    if (queryStatus.isOk()) {
        return featurePresent;
    }

    ALOGE("%s: hasSystemFeature failed: %s", __func__, queryStatus.exceptionMessage().c_str());
    return false;
}
162 
/**
 * Puts the service in its not-yet-initialized state (mInitCheck == NO_INIT) and creates the
 * three policy objects. They are only constructed here; registerSelf() is called on them from
 * onFirstRef().
 */
SensorService::SensorService()
    : mInitCheck(NO_INIT),
      mSocketBufferSize(SOCKET_BUFFER_SIZE_NON_BATCHED),
      mWakeLockAcquired(false),
      mLastReportedProxIsActive(false) {
    // Each policy object receives a pointer back to this service.
    mUidPolicy = new UidPolicy(this);
    mSensorPrivacyPolicy = new SensorPrivacyPolicy(this);
    mMicSensorPrivacyPolicy = new MicrophonePrivacyPolicy(this);
}
170 
/**
 * Registers a runtime sensor for the given device and starts the runtime sensor handler
 * thread if it is not running yet.
 *
 * @param sensor   description of the sensor; its handle field is overwritten with the handle
 *                 allocated here.
 * @param deviceId device the sensor belongs to.
 * @param callback callback wrapped for the new sensor; also stored as the device's callback
 *                 when the device has none yet.
 * @return the allocated handle, a negative value when the runtime handle range is exhausted,
 *         or the handle of mSensors.getNonSensor() when registration fails.
 */
int SensorService::registerRuntimeSensor(
        const sensor_t& sensor, int deviceId, sp<RuntimeSensorCallback> callback) {
    // Draw handles until one is non-zero and still unknown to mSensors.
    // NOTE(review): this runs before mLock is taken; confirm concurrent registrations cannot
    // end up with the same handle.
    int handle = 0;
    do {
        handle = nextRuntimeSensorHandle();
        if (handle < 0) {
            // Ran out of the dedicated range for runtime sensors.
            return handle;
        }
    } while (handle == 0 || !mSensors.isNewHandle(handle));

    ALOGI("Registering runtime sensor handle 0x%x, type %d, name %s",
            handle, sensor.type, sensor.name);

    sp<RuntimeSensor::SensorCallback> proxy(new RuntimeSensorCallbackProxy(callback));
    // Copy the description and force the handle to the one allocated above, whatever the
    // caller supplied.
    sensor_t withAllocatedHandle = sensor;
    withAllocatedHandle.handle = handle;
    auto runtimeSensor = std::make_shared<RuntimeSensor>(withAllocatedHandle, std::move(proxy));

    Mutex::Autolock _l(mLock);
    const bool registered = registerSensor(std::move(runtimeSensor), /* isDebug= */ false,
                                           /* isVirtual= */ false, deviceId);
    if (!registered) {
        // The registration was unsuccessful.
        return mSensors.getNonSensor().getHandle();
    }

    // Only the first callback seen for a device is kept.
    if (mRuntimeSensorCallbacks.count(deviceId) == 0) {
        mRuntimeSensorCallbacks.emplace(deviceId, callback);
    }

    if (mRuntimeSensorHandler == nullptr) {
        mRuntimeSensorEventBuffer =
                new sensors_event_t[SensorEventQueue::MAX_RECEIVE_BUFFER_EVENT_COUNT];
        mRuntimeSensorHandler = new RuntimeSensorHandler(this);
        // Use PRIORITY_URGENT_DISPLAY as the injected sensor events should be dispatched as soon as
        // possible, and also for consistency within the SensorService.
        mRuntimeSensorHandler->run("RuntimeSensorHandler", PRIORITY_URGENT_DISPLAY);
    }

    return handle;
}
213 
/**
 * Removes a runtime sensor, detaches it from every active event connection and drops the
 * device's callback once the device has no sensors left.
 *
 * @param handle handle of the runtime sensor to remove.
 * @return OK on success, UNKNOWN_ERROR when the sensor could not be removed from the list.
 */
status_t SensorService::unregisterRuntimeSensor(int handle) {
    ALOGI("Unregistering runtime sensor handle 0x%x disconnected", handle);
    // Look the device up first: the entry is gone from the sensor list after removal.
    const int owningDeviceId = getDeviceIdFromHandle(handle);
    {
        Mutex::Autolock _l(mLock);
        const bool removed = unregisterDynamicSensorLocked(handle);
        if (!removed) {
            ALOGE("Runtime sensor release error.");
            return UNKNOWN_ERROR;
        }
    }

    ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
    for (const sp<SensorEventConnection>& activeConn : connLock.getActiveConnections()) {
        activeConn->removeSensor(handle);
    }

    // If this was the last sensor for this device, remove its callback.
    bool deviceStillHasSensors = false;
    mSensors.forEachEntry(
            [owningDeviceId, &deviceStillHasSensors]
            (const SensorServiceUtil::SensorList::Entry& entry) -> bool {
                if (entry.deviceId != owningDeviceId) {
                    return true;  // keep iterating
                }
                deviceStillHasSensors = true;
                return false;  // stop iterating
            });
    if (!deviceStillHasSensors) {
        mRuntimeSensorCallbacks.erase(owningDeviceId);
    }
    return OK;
}
245 
/**
 * Queues one runtime sensor event and wakes every thread waiting on mRuntimeSensorsCv.
 *
 * @param event event to copy into the queue.
 * @return always OK.
 */
status_t SensorService::sendRuntimeSensorEvent(const sensors_event_t& event) {
    // NOTE(review): nothing in this function bounds the queue; confirm the producer or the
    // consumer limits how many events can pile up.
    {
        std::lock_guard<std::mutex> guard(mRutimeSensorThreadMutex);
        mRuntimeSensorEventQueue.push(event);
        // Notify while the mutex is still held.
        mRuntimeSensorsCv.notify_all();
    }
    return OK;
}
252 
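/**
 * Loads the persisted HMAC key into sHmacGlobalKey, or generates a new key and tries to
 * persist it.
 *
 * The key file is created with O_EXCL and mode 0600 inside a directory created with mode
 * 0700. Permissions of an already existing directory or key file are not re-checked here.
 *
 * @return true when sHmacGlobalKey holds a complete key, either read from disk or freshly
 *         generated (even if it could not be written out); false when no key could be
 *         generated.
 */
bool SensorService::initializeHmacKey() {
    const ssize_t keySize = static_cast<ssize_t>(sizeof(sHmacGlobalKey));

    int fd = open(SENSOR_SERVICE_HMAC_KEY_FILE, O_RDONLY|O_CLOEXEC);
    if (fd != -1) {
        const ssize_t bytesRead = read(fd, sHmacGlobalKey, sizeof(sHmacGlobalKey));
        close(fd);
        if (bytesRead == keySize) {
            return true;
        }
        ALOGW("Unable to read HMAC key; generating new one.");
        if (bytesRead >= 0) {
            // The file exists but holds less than a full key. Remove it; otherwise the
            // O_EXCL create below fails on every start and a replacement key is never
            // persisted. A read error (-1) leaves the file untouched.
            unlink(SENSOR_SERVICE_HMAC_KEY_FILE);
        }
    }

    // Anything other than 1 is a failure: OpenSSL-style RAND_bytes can report failure with 0
    // as well as -1, so testing only for -1 would accept a key that was never generated.
    if (RAND_bytes(sHmacGlobalKey, sizeof(sHmacGlobalKey)) != 1) {
        ALOGW("Can't generate HMAC key; dynamic sensor getId() will be wrong.");
        return false;
    }

    // We need to make sure this is only readable to us.
    bool wroteKey = false;
    // The result is deliberately not checked: the directory normally exists already, and any
    // other failure shows up as a failed open() below.
    mkdir(SENSOR_SERVICE_DIR, S_IRWXU);
    // O_EXCL: never write the key into a file that is already present.
    fd = open(SENSOR_SERVICE_HMAC_KEY_FILE, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC,
              S_IRUSR|S_IWUSR);
    if (fd != -1) {
        const ssize_t bytesWritten = write(fd, sHmacGlobalKey, sizeof(sHmacGlobalKey));
        close(fd);
        wroteKey = (bytesWritten == keySize);
    }
    if (wroteKey) {
        ALOGI("Generated new HMAC key.");
    } else {
        ALOGW("Unable to write HMAC key; dynamic sensor getId() will change "
              "after reboot.");
    }
    // Even if we failed to write the key we return true, because we did
    // initialize the HMAC key.
    return true;
}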
289 
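/**
 * Set main thread to SCHED_FIFO to lower sensor event latency when system is under load.
 *
 * SCHED_RESET_ON_FORK is requested together with SCHED_FIFO. A failure is logged and
 * otherwise ignored, leaving the thread on its current scheduling policy.
 */
void SensorService::enableSchedFifoMode() {
    struct sched_param param = {};
    param.sched_priority = SENSOR_SERVICE_SCHED_FIFO_PRIORITY;
    if (sched_setscheduler(getTid(), SCHED_FIFO | SCHED_RESET_ON_FORK, &param) != 0) {
        ALOGE("Couldn't set SCHED_FIFO for SensorService thread");
    }
}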
298 
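/**
 * Start-up of the service: initializes the HMAC key, registers the hardware sensors reported
 * by SensorDevice and the virtual sensors derived from them, sizes the socket buffer,
 * allocates the event buffers, starts the worker threads and registers the policy objects.
 *
 * Everything after the HMAC key step is skipped when the sensor device failed its init check
 * or reports no sensors; mInitCheck then keeps the value set by the constructor.
 */
void SensorService::onFirstRef() {
    ALOGD("nuSensorService starting...");
    SensorDevice& dev(SensorDevice::getInstance());

    sHmacGlobalKeyIsValid = initializeHmacKey();

    if (dev.initCheck() == NO_ERROR) {
        sensor_t const* list;
        ssize_t count = dev.getSensorList(&list);
        if (count > 0) {
            bool hasGyro = false, hasAccel = false, hasMag = false;
            bool hasGyroUncalibrated = false;
            bool hasAccelUncalibrated = false;
            // One bit per fusion sensor type; a bit is cleared below when the HAL already
            // provides that type, so the remaining bits are the ones still needed.
            uint32_t virtualSensorsNeeds =
                    (1<<SENSOR_TYPE_GRAVITY) |
                    (1<<SENSOR_TYPE_LINEAR_ACCELERATION) |
                    (1<<SENSOR_TYPE_ROTATION_VECTOR) |
                    (1<<SENSOR_TYPE_GEOMAGNETIC_ROTATION_VECTOR) |
                    (1<<SENSOR_TYPE_GAME_ROTATION_VECTOR);

            for (ssize_t i=0 ; i<count ; i++) {
                bool useThisSensor = true;

                switch (list[i].type) {
                    case SENSOR_TYPE_ACCELEROMETER:
                        hasAccel = true;
                        break;
                    case SENSOR_TYPE_ACCELEROMETER_UNCALIBRATED:
                        hasAccelUncalibrated = true;
                        break;
                    case SENSOR_TYPE_MAGNETIC_FIELD:
                        hasMag = true;
                        break;
                    case SENSOR_TYPE_GYROSCOPE:
                        hasGyro = true;
                        break;
                    case SENSOR_TYPE_GYROSCOPE_UNCALIBRATED:
                        hasGyroUncalibrated = true;
                        break;
                    case SENSOR_TYPE_DYNAMIC_SENSOR_META:
                        if (sensorservice_flags::dynamic_sensor_hal_reconnect_handling()) {
                            mDynamicMetaSensorHandle = list[i].handle;
                        }
                        break;
                    case SENSOR_TYPE_GRAVITY:
                    case SENSOR_TYPE_LINEAR_ACCELERATION:
                    case SENSOR_TYPE_ROTATION_VECTOR:
                    case SENSOR_TYPE_GEOMAGNETIC_ROTATION_VECTOR:
                    case SENSOR_TYPE_GAME_ROTATION_VECTOR:
                        if (IGNORE_HARDWARE_FUSION) {
                            useThisSensor = false;
                        } else {
                            virtualSensorsNeeds &= ~(1<<list[i].type);
                        }
                        break;
                    default:
                        break;
                }
                if (useThisSensor) {
                    if (list[i].type == SENSOR_TYPE_PROXIMITY) {
                        auto s = std::make_shared<ProximitySensor>(list[i], *this);
                        // Read the handle before s is moved into registerSensor().
                        const int handle = s->getSensor().getHandle();
                        if (registerSensor(std::move(s))) {
                            mProxSensorHandles.push_back(handle);
                        }
                    } else {
                        registerSensor(std::make_shared<HardwareSensor>(list[i]));
                    }
                }
            }

            // it's safe to instantiate the SensorFusion object here
            // (it wants to be instantiated after h/w sensors have been
            // registered)
            SensorFusion::getInstance();

            if ((hasGyro || hasGyroUncalibrated) && hasAccel && hasMag) {
                // Add Android virtual sensors if they're not already
                // available in the HAL
                bool needRotationVector =
                        (virtualSensorsNeeds & (1<<SENSOR_TYPE_ROTATION_VECTOR)) != 0;
                registerVirtualSensor(std::make_shared<RotationVectorSensor>(),
                                      /* isDebug= */ !needRotationVector);
                registerVirtualSensor(std::make_shared<OrientationSensor>(),
                                      /* isDebug= */ !needRotationVector);

                // virtual debugging sensors are not for user
                registerVirtualSensor(std::make_shared<CorrectedGyroSensor>(list, count),
                                      /* isDebug= */ true);
                registerVirtualSensor(std::make_shared<GyroDriftSensor>(), /* isDebug= */ true);
            }

            if (hasAccel && (hasGyro || hasGyroUncalibrated)) {
                bool needGravitySensor = (virtualSensorsNeeds & (1<<SENSOR_TYPE_GRAVITY)) != 0;
                registerVirtualSensor(std::make_shared<GravitySensor>(list, count),
                                      /* isDebug= */ !needGravitySensor);

                bool needLinearAcceleration =
                        (virtualSensorsNeeds & (1<<SENSOR_TYPE_LINEAR_ACCELERATION)) != 0;
                registerVirtualSensor(std::make_shared<LinearAccelerationSensor>(list, count),
                                      /* isDebug= */ !needLinearAcceleration);

                bool needGameRotationVector =
                        (virtualSensorsNeeds & (1<<SENSOR_TYPE_GAME_ROTATION_VECTOR)) != 0;
                registerVirtualSensor(std::make_shared<GameRotationVectorSensor>(),
                                      /* isDebug= */ !needGameRotationVector);
            }

            if (hasAccel && hasMag) {
                bool needGeoMagRotationVector =
                        (virtualSensorsNeeds & (1<<SENSOR_TYPE_GEOMAGNETIC_ROTATION_VECTOR)) != 0;
                registerVirtualSensor(std::make_shared<GeoMagRotationVectorSensor>(),
                                      /* isDebug= */ !needGeoMagRotationVector);
            }

            if (isAutomotive()) {
                if (hasAccel) {
                    registerVirtualSensor(
                            std::make_shared<LimitedAxesImuSensor>(
                                    list, count, SENSOR_TYPE_ACCELEROMETER));
                }

                if (hasGyro) {
                    registerVirtualSensor(
                            std::make_shared<LimitedAxesImuSensor>(
                                    list, count, SENSOR_TYPE_GYROSCOPE));
                }

                if (hasAccelUncalibrated) {
                    registerVirtualSensor(
                            std::make_shared<LimitedAxesImuSensor>(
                                    list, count, SENSOR_TYPE_ACCELEROMETER_UNCALIBRATED));
                }

                if (hasGyroUncalibrated) {
                    registerVirtualSensor(
                            std::make_shared<LimitedAxesImuSensor>(
                                    list, count, SENSOR_TYPE_GYROSCOPE_UNCALIBRATED));
                }
            }

            // Check if the device really supports batching by looking at the FIFO event
            // counts for each sensor.
            bool batchingSupported = false;
            mSensors.forEachSensor(
                    [&batchingSupported] (const Sensor& s) -> bool {
                        if (s.getFifoMaxEventCount() > 0) {
                            batchingSupported = true;
                        }
                        // Stop iterating as soon as one batching sensor is found.
                        return !batchingSupported;
                    });

            if (batchingSupported) {
                // Increase socket buffer size to a max of 100 KB for batching capabilities.
                mSocketBufferSize = MAX_SOCKET_BUFFER_SIZE_BATCHED;
            } else {
                mSocketBufferSize = SOCKET_BUFFER_SIZE_NON_BATCHED;
            }

            // Compare the socketBufferSize value against the system limits and limit
            // it to maxSystemSocketBufferSize if necessary.
            FILE *fp = fopen("/proc/sys/net/core/wmem_max", "r");
            char line[128];
            // fgets() always NUL-terminates what it stores, so line is a valid string here.
            if (fp != nullptr && fgets(line, sizeof(line), fp) != nullptr) {
                size_t maxSystemSocketBufferSize = 0;
                // Apply the limit only when a number was actually parsed; otherwise the
                // comparison would read an uninitialized value.
                if (sscanf(line, "%zu", &maxSystemSocketBufferSize) == 1 &&
                        mSocketBufferSize > maxSystemSocketBufferSize) {
                    mSocketBufferSize = maxSystemSocketBufferSize;
                }
            }
            if (fp) {
                fclose(fp);
            }

            mWakeLockAcquired = false;
            mLooper = new Looper(false);
            const size_t minBufferSize = SensorEventQueue::MAX_RECEIVE_BUFFER_EVENT_COUNT;
            mSensorEventBuffer = new sensors_event_t[minBufferSize];
            mSensorEventScratch = new sensors_event_t[minBufferSize];
            // Allocated on demand by registerRuntimeSensor().
            mRuntimeSensorEventBuffer = nullptr;
            mMapFlushEventsToConnections = new wp<const SensorEventConnection> [minBufferSize];
            mCurrentOperatingMode = NORMAL;

            mNextSensorRegIndex = 0;
            for (int i = 0; i < SENSOR_REGISTRATIONS_BUF_SIZE; ++i) {
                mLastNSensorRegistrations.push();
            }

            mInitCheck = NO_ERROR;
            mAckReceiver = new SensorEventAckReceiver(this);
            mAckReceiver->run("SensorEventAckReceiver", PRIORITY_URGENT_DISPLAY);
            run("SensorService", PRIORITY_URGENT_DISPLAY);

            // priority can only be changed after run
            enableSchedFifoMode();

            // Start watching UID changes to apply policy.
            mUidPolicy->registerSelf();

            // Start watching sensor privacy changes
            mSensorPrivacyPolicy->registerSelf();

            // Start watching mic sensor privacy changes
            mMicSensorPrivacyPolicy->registerSelf();
        }
    }
}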
507 
/**
 * Applies a UID state change to every connection owned by that UID.
 *
 * Event connections get the new state pushed to the sensor device; direct connections get
 * their sensor access re-evaluated. Proximity state reporting is refreshed afterwards.
 *
 * @param uid   UID whose state changed.
 * @param state the new state.
 */
void SensorService::onUidStateChanged(uid_t uid, UidState state) {
    SensorDevice& device = SensorDevice::getInstance();

    ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);

    for (const sp<SensorEventConnection>& eventConn : connLock.getActiveConnections()) {
        if (eventConn->getUid() != uid) {
            continue;
        }
        device.setUidStateForConnection(eventConn.get(), state);
    }

    for (const sp<SensorDirectConnection>& directConn : connLock.getDirectConnections()) {
        if (directConn->getUid() != uid) {
            continue;
        }
        // Update sensor subscriptions if needed
        const bool accessAllowed =
                hasSensorAccessLocked(directConn->getUid(), directConn->getOpPackageName());
        directConn->onSensorAccessChanged(accessAllowed);
    }

    checkAndReportProxStateChangeLocked();
}
527 
/**
 * Locking wrapper around hasSensorAccessLocked(): takes mLock, then evaluates the access
 * decision.
 *
 * @param uid           UID of the client.
 * @param opPackageName package name the client operates as.
 * @return true when the client may currently access sensors.
 */
bool SensorService::hasSensorAccess(uid_t uid, const String16& opPackageName) {
    Mutex::Autolock _l(mLock);
    const bool accessAllowed = hasSensorAccessLocked(uid, opPackageName);
    return accessAllowed;
}
532 
/**
 * Access decision for one client. Access is granted only when all three hold: sensor privacy
 * is disabled, the UID is active, and the package is not restricted by the operating mode.
 * The checks run in that order and stop at the first one that denies access.
 *
 * @param uid           UID of the client.
 * @param opPackageName package name the client operates as.
 * @return true when every check passes.
 */
bool SensorService::hasSensorAccessLocked(uid_t uid, const String16& opPackageName) {
    if (mSensorPrivacyPolicy->isSensorPrivacyEnabled()) {
        return false;
    }
    if (!isUidActive(uid)) {
        return false;
    }
    return !isOperationRestrictedLocked(opPackageName);
}
537 
/**
 * Adds a sensor to mSensors and creates its recent-event logger.
 *
 * @param s         sensor to register; dereferenced without a null check.
 * @param isDebug   forwarded to mSensors.add().
 * @param isVirtual forwarded to mSensors.add().
 * @param deviceId  forwarded to mSensors.add().
 * @return true when the sensor was added, false when mSensors.add() rejected it.
 */
bool SensorService::registerSensor(std::shared_ptr<SensorInterface> s, bool isDebug, bool isVirtual,
                                   int deviceId) {
    // Both values are read up front because s is moved from in the add() call.
    const int handle = s->getSensor().getHandle();
    const int type = s->getSensor().getType();

    const bool added = mSensors.add(handle, std::move(s), isDebug, isVirtual, deviceId);
    if (!added) {
        // LOG_FATAL is compiled out of release builds, so the failure is also returned.
        LOG_FATAL("Failed to register sensor with handle %d", handle);
        return false;
    }

    // The logger is a raw allocation owned by mRecentEvent; unregisterDynamicSensorLocked()
    // and the destructor delete it.
    mRecentEvent.emplace(handle, new SensorServiceUtil::RecentEventLogger(type));
    return true;
}
550 
/**
 * Registers a dynamic sensor by delegating to registerSensor() with its remaining arguments
 * left at their defaults.
 *
 * @param s       sensor to register.
 * @param isDebug forwarded to registerSensor().
 * @return the result of registerSensor().
 */
bool SensorService::registerDynamicSensorLocked(std::shared_ptr<SensorInterface> s, bool isDebug) {
    const bool registered = registerSensor(std::move(s), isDebug);
    return registered;
}
554 
/**
 * Removes a sensor from mSensors and frees its recent-event logger, if it has one.
 *
 * The logger is released whether or not the removal from mSensors succeeded.
 *
 * @param handle handle of the sensor to remove.
 * @return the result of mSensors.remove().
 */
bool SensorService::unregisterDynamicSensorLocked(int handle) {
    const bool removed = mSensors.remove(handle);

    const auto loggerIt = mRecentEvent.find(handle);
    if (loggerIt == mRecentEvent.end()) {
        return removed;
    }

    // Delete the raw-owned logger before dropping the map entry that points to it.
    delete loggerIt->second;
    mRecentEvent.erase(loggerIt);
    return removed;
}
565 
/**
 * Registers a virtual sensor by delegating to registerSensor() with isVirtual set.
 *
 * @param s       sensor to register.
 * @param isDebug forwarded to registerSensor().
 * @return the result of registerSensor().
 */
bool SensorService::registerVirtualSensor(std::shared_ptr<SensorInterface> s, bool isDebug) {
    const bool registered = registerSensor(std::move(s), isDebug, /* isVirtual= */ true);
    return registered;
}
569 
/**
 * Frees every recent-event logger still held in mRecentEvent and unregisters the three
 * policy objects created by the constructor.
 */
SensorService::~SensorService() {
    // The map holds raw pointers allocated in registerSensor().
    for (auto it = mRecentEvent.begin(); it != mRecentEvent.end(); ++it) {
        delete it->second;
    }

    mUidPolicy->unregisterSelf();
    mSensorPrivacyPolicy->unregisterSelf();
    mMicSensorPrivacyPolicy->unregisterSelf();
}
578 
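/**
 * Writes the service's debugging state to fd, optionally switching the operating mode first.
 *
 * Callers without android.permission.DUMP only get a denial message. For permitted callers,
 * recent events of sensors that require a permission are dumped in "mask_data" format unless
 * the caller is uid 0.
 *
 * @param fd   file descriptor the text (or proto) dump is written to.
 * @param args at most two arguments. The first may name an operating mode, which is applied
 *             through changeOperatingMode() before dumping; a single "--proto" selects the
 *             protobuf dump.
 * @return NO_ERROR after writing the text dump (including the denial message),
 *         INVALID_OPERATION for more than two arguments, the error from
 *         changeOperatingMode() when the mode change fails, or the result of
 *         dumpProtoLocked() for "--proto".
 */
status_t SensorService::dump(int fd, const Vector<String16>& args) {
    String8 result;
    if (!PermissionCache::checkCallingPermission(sDumpPermission)) {
        result.appendFormat("Permission Denial: can't dump SensorService from pid=%d, uid=%d\n",
                IPCThreadState::self()->getCallingPid(),
                IPCThreadState::self()->getCallingUid());
    } else {
        // Only root gets unmasked recent events for permission-protected sensors.
        bool privileged = IPCThreadState::self()->getCallingUid() == 0;
        if (args.size() > 2) {
           return INVALID_OPERATION;
        }
        if (args.size() > 0) {
            Mode targetOperatingMode = NORMAL;
            std::string inputStringMode = String8(args[0]).c_str();
            if (getTargetOperatingMode(inputStringMode, &targetOperatingMode)) {
              // NOTE(review): the only authorization visible in this function is the DUMP
              // permission check above; confirm changeOperatingMode() applies the checks a
              // mode switch needs.
              status_t error = changeOperatingMode(args, targetOperatingMode);
              // Dump the latest state only if no error was encountered.
              if (error != NO_ERROR) {
                return error;
              }
            }
        }

        ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
        // Run the following logic if a transition isn't requested above based on the input
        // argument parsing.
        if (args.size() == 1 && args[0] == String16("--proto")) {
            return dumpProtoLocked(fd, &connLock);
        } else if (!mSensors.hasAnySensor()) {
            result.append("No Sensors on the device\n");
            result.appendFormat("devInitCheck : %d\n", SensorDevice::getInstance().initCheck());
        } else {
            // Default dump the sensor list and debugging information.
            //
            timespec curTime;
            clock_gettime(CLOCK_REALTIME, &curTime);
            // localtime_r() writes into a caller-owned struct: localtime() returns a pointer
            // to shared static storage that another thread can overwrite, and may return
            // null. The struct stays zeroed if the conversion fails.
            struct tm timeinfo = {};
            localtime_r(&(curTime.tv_sec), &timeinfo);
            result.appendFormat("Captured at: %02d:%02d:%02d.%03d\n", timeinfo.tm_hour,
                                timeinfo.tm_min, timeinfo.tm_sec, (int)ns2ms(curTime.tv_nsec));
            result.append("Sensor Device:\n");
            result.append(SensorDevice::getInstance().dump().c_str());

            result.append("Sensor List:\n");
            result.append(mSensors.dump().c_str());

            result.append("Fusion States:\n");
            SensorFusion::getInstance().dump(result);

            result.append("Recent Sensor events:\n");
            for (auto&& i : mRecentEvent) {
                std::shared_ptr<SensorInterface> s = getSensorInterfaceFromHandle(i.first);
                if (!i.second->isEmpty() && s != nullptr) {
                    // Full data for root, or for sensors that need no permission; masked
                    // data otherwise.
                    if (privileged || s->getSensor().getRequiredPermission().empty()) {
                        i.second->setFormat("normal");
                    } else {
                        i.second->setFormat("mask_data");
                    }
                    // if there is events and sensor does not need special permission.
                    result.appendFormat("%s: ", s->getSensor().getName().c_str());
                    result.append(i.second->dump().c_str());
                }
            }

            result.append("Active sensors:\n");
            SensorDevice& dev = SensorDevice::getInstance();
            for (size_t i=0 ; i<mActiveSensors.size() ; i++) {
                int handle = mActiveSensors.keyAt(i);
                if (dev.isSensorActive(handle)) {
                    result.appendFormat("%s (handle=0x%08x, connections=%zu)\n",
                            getSensorName(handle).c_str(),
                            handle,
                            mActiveSensors.valueAt(i)->getNumConnections());
                }
            }

            result.appendFormat("Socket Buffer size = %zd events\n",
                                mSocketBufferSize/sizeof(sensors_event_t));
            result.appendFormat("WakeLock Status: %s \n", mWakeLockAcquired ? "acquired" :
                    "not held");
            result.appendFormat("Mode :");
            switch(mCurrentOperatingMode) {
               case NORMAL:
                   result.appendFormat(" NORMAL\n");
                   break;
               case RESTRICTED:
                   result.appendFormat(" RESTRICTED : %s\n", mAllowListedPackage.c_str());
                   break;
               case DATA_INJECTION:
                   result.appendFormat(" DATA_INJECTION : %s\n", mAllowListedPackage.c_str());
                   break;
               case REPLAY_DATA_INJECTION:
                   result.appendFormat(" REPLAY_DATA_INJECTION : %s\n",
                            mAllowListedPackage.c_str());
                   break;
               case HAL_BYPASS_REPLAY_DATA_INJECTION:
                   result.appendFormat(" HAL_BYPASS_REPLAY_DATA_INJECTION : %s\n",
                            mAllowListedPackage.c_str());
                   break;
               default:
                   result.appendFormat(" UNKNOWN\n");
                   break;
            }
            result.appendFormat("Sensor Privacy: %s\n",
                    mSensorPrivacyPolicy->isSensorPrivacyEnabled() ? "enabled" : "disabled");

            const auto& activeConnections = connLock.getActiveConnections();
            result.appendFormat("%zd open event connections\n", activeConnections.size());
            for (size_t i=0 ; i < activeConnections.size() ; i++) {
                result.appendFormat("Connection Number: %zu \n", i);
                activeConnections[i]->dump(result);
            }

            const auto& directConnections = connLock.getDirectConnections();
            result.appendFormat("%zd open direct connections\n", directConnections.size());
            for (size_t i = 0 ; i < directConnections.size() ; i++) {
                result.appendFormat("Direct connection %zu:\n", i);
                directConnections[i]->dump(result);
            }

            result.appendFormat("Previous Registrations:\n");
            // Log in the reverse chronological order.
            int currentIndex = (mNextSensorRegIndex - 1 + SENSOR_REGISTRATIONS_BUF_SIZE) %
                SENSOR_REGISTRATIONS_BUF_SIZE;
            const int startIndex = currentIndex;
            // Walk the ring buffer backwards exactly once, ending back at startIndex.
            do {
                const SensorRegistrationInfo& reg_info = mLastNSensorRegistrations[currentIndex];
                if (SensorRegistrationInfo::isSentinel(reg_info)) {
                    // Ignore sentinel, proceed to next item.
                    currentIndex = (currentIndex - 1 + SENSOR_REGISTRATIONS_BUF_SIZE) %
                        SENSOR_REGISTRATIONS_BUF_SIZE;
                    continue;
                }
                result.appendFormat("%s\n", reg_info.dump(this).c_str());
                currentIndex = (currentIndex - 1 + SENSOR_REGISTRATIONS_BUF_SIZE) %
                        SENSOR_REGISTRATIONS_BUF_SIZE;
            } while(startIndex != currentIndex);
        }
    }
    // Best effort: the result of write() is not checked.
    write(fd, result.c_str(), result.size());
    return NO_ERROR;
}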
720 
721 /**
722  * Dump debugging information as android.service.SensorServiceProto protobuf message using
723  * ProtoOutputStream.
724  *
725  * See proto definition and some notes about ProtoOutputStream in
726  * frameworks/base/core/proto/android/service/sensor_service.proto
727  */
status_t SensorService::dumpProtoLocked(int fd, ConnectionSafeAutolock* connLock) const {
    // Builds the whole message in memory and flushes it to `fd` once at the end.
    // Returns OK when the flush succeeds and UNKNOWN_ERROR otherwise.
    using namespace service::SensorServiceProto;
    util::ProtoOutputStream proto;
    proto.write(INIT_STATUS, int(SensorDevice::getInstance().initCheck()));
    if (!mSensors.hasAnySensor()) {
        // Without any sensor only the init status is reported.
        return proto.flush(fd) ? OK : UNKNOWN_ERROR;
    }
    // Only a uid-0 binder caller gets unmasked readings for permission-protected sensors.
    const bool callerIsRoot = IPCThreadState::self()->getCallingUid() == 0;

    timespec now;
    clock_gettime(CLOCK_REALTIME, &now);
    proto.write(CURRENT_TIME_MS, now.tv_sec * 1000 + ns2ms(now.tv_nsec));

    // SensorDeviceProto
    const uint64_t deviceToken = proto.start(SENSOR_DEVICE);
    SensorDevice::getInstance().dump(&proto);
    proto.end(deviceToken);

    // SensorListProto
    const uint64_t listToken = proto.start(SENSORS);
    mSensors.dump(&proto);
    proto.end(listToken);

    // SensorFusionProto
    const uint64_t fusionToken = proto.start(FUSION_STATE);
    SensorFusion::getInstance().dump(&proto);
    proto.end(fusionToken);

    // SensorEventsProto: one RecentEventsLog per sensor that has logged events.
    const uint64_t eventsToken = proto.start(SENSOR_EVENTS);
    for (auto&& entry : mRecentEvent) {
        std::shared_ptr<SensorInterface> sensor = getSensorInterfaceFromHandle(entry.first);
        if (entry.second->isEmpty() || sensor == nullptr) {
            continue;
        }
        // Sensors that declare a required permission are dumped as "mask_data" unless the
        // caller is root, so the dump does not become a side door to protected readings.
        const bool showValues =
                callerIsRoot || sensor->getSensor().getRequiredPermission().empty();
        entry.second->setFormat(showValues ? "normal" : "mask_data");
        const uint64_t logToken = proto.start(service::SensorEventsProto::RECENT_EVENTS_LOGS);
        proto.write(service::SensorEventsProto::RecentEventsLog::NAME,
                std::string(sensor->getSensor().getName().c_str()));
        entry.second->dump(&proto);
        proto.end(logToken);
    }
    proto.end(eventsToken);

    // ActiveSensorProto: only sensors the device reports as active are listed.
    SensorDevice& device = SensorDevice::getInstance();
    for (size_t idx = 0; idx < mActiveSensors.size(); ++idx) {
        int handle = mActiveSensors.keyAt(idx);
        if (!device.isSensorActive(handle)) {
            continue;
        }
        const uint64_t activeToken = proto.start(ACTIVE_SENSORS);
        proto.write(service::ActiveSensorProto::NAME,
                std::string(getSensorName(handle).c_str()));
        proto.write(service::ActiveSensorProto::HANDLE, handle);
        proto.write(service::ActiveSensorProto::NUM_CONNECTIONS,
                int(mActiveSensors.valueAt(idx)->getNumConnections()));
        proto.end(activeToken);
    }

    proto.write(SOCKET_BUFFER_SIZE, int(mSocketBufferSize));
    proto.write(SOCKET_BUFFER_SIZE_IN_EVENTS, int(mSocketBufferSize / sizeof(sensors_event_t)));
    proto.write(WAKE_LOCK_ACQUIRED, mWakeLockAcquired);

    // Any mode without an explicit case below is reported as OP_MODE_UNKNOWN.
    switch (mCurrentOperatingMode) {
        case NORMAL:
            proto.write(OPERATING_MODE, OP_MODE_NORMAL);
            break;
        case RESTRICTED:
            proto.write(OPERATING_MODE, OP_MODE_RESTRICTED);
            proto.write(WHITELISTED_PACKAGE, std::string(mAllowListedPackage.c_str()));
            break;
        case DATA_INJECTION:
            proto.write(OPERATING_MODE, OP_MODE_DATA_INJECTION);
            proto.write(WHITELISTED_PACKAGE, std::string(mAllowListedPackage.c_str()));
            break;
        default:
            proto.write(OPERATING_MODE, OP_MODE_UNKNOWN);
    }
    proto.write(SENSOR_PRIVACY, mSensorPrivacyPolicy->isSensorPrivacyEnabled());

    // Repeated SensorEventConnectionProto
    for (const auto& eventConnection : connLock->getActiveConnections()) {
        const uint64_t connToken = proto.start(ACTIVE_CONNECTIONS);
        eventConnection->dump(&proto);
        proto.end(connToken);
    }

    // Repeated SensorDirectConnectionProto
    for (const auto& directConnection : connLock->getDirectConnections()) {
        const uint64_t connToken = proto.start(DIRECT_CONNECTIONS);
        directConnection->dump(&proto);
        proto.end(connToken);
    }

    // Repeated SensorRegistrationInfoProto: one full lap around the ring buffer, starting at
    // the next write slot and skipping sentinel entries.
    const int firstSlot = mNextSensorRegIndex;
    int slot = firstSlot;
    do {
        const SensorRegistrationInfo& registration = mLastNSensorRegistrations[slot];
        if (!SensorRegistrationInfo::isSentinel(registration)) {
            const uint64_t regToken = proto.start(PREVIOUS_REGISTRATIONS);
            registration.dump(&proto);
            proto.end(regToken);
        }
        slot = (slot + 1 + SENSOR_REGISTRATIONS_BUF_SIZE) % SENSOR_REGISTRATIONS_BUF_SIZE;
    } while (firstSlot != slot);

    return proto.flush(fd) ? OK : UNKNOWN_ERROR;
}
842 
/** Disables every sensor while holding the connection-safe lock on mLock. */
void SensorService::disableAllSensors() {
    auto connLock = mConnectionHolder.lock(mLock);
    disableAllSensorsLocked(&connLock);
}
847 
/**
 * Disables all sensors at the device level; the caller already holds the connection lock.
 *
 * Each direct connection is first told its current access state, then the device is
 * disabled, the proximity state is re-reported and pending flush bookkeeping is dropped.
 *
 * @param connLock held connection lock used to enumerate direct connections.
 */
void SensorService::disableAllSensorsLocked(ConnectionSafeAutolock* connLock) {
    SensorDevice& device = SensorDevice::getInstance();
    for (const sp<SensorDirectConnection>& direct : connLock->getDirectConnections()) {
        // Re-evaluate access per connection from its own uid and op package name.
        const bool allowed = hasSensorAccessLocked(direct->getUid(), direct->getOpPackageName());
        direct->onSensorAccessChanged(allowed);
    }
    device.disableAllSensors();
    checkAndReportProxStateChangeLocked();
    // A connection may have called flush() on a sensor that is disabled before its flush
    // complete event comes back, so every active sensor's pending flush queue is cleared.
    const size_t activeCount = mActiveSensors.size();
    for (size_t idx = 0; idx < activeCount; ++idx) {
        mActiveSensors.valueAt(idx)->clearAllPendingFlushConnections();
    }
}
863 
/** Re-enables sensors while holding the connection-safe lock on mLock. */
void SensorService::enableAllSensors() {
    auto connLock = mConnectionHolder.lock(mLock);
    enableAllSensorsLocked(&connLock);
}
868 
/**
 * Re-enables all sensors at the device level; the caller already holds the connection lock.
 *
 * Nothing is enabled while the service is in RESTRICTED mode or sensor privacy is on; that
 * case is logged as a warning and the function returns without touching the device.
 *
 * @param connLock held connection lock used to enumerate direct connections.
 */
void SensorService::enableAllSensorsLocked(ConnectionSafeAutolock* connLock) {
    // Policy gate: restricted mode and sensor privacy both veto enabling.
    const bool blocked =
            mCurrentOperatingMode == RESTRICTED || mSensorPrivacyPolicy->isSensorPrivacyEnabled();
    if (blocked) {
        ALOGW("Sensors cannot be enabled: mCurrentOperatingMode = %d, sensor privacy = %s",
              mCurrentOperatingMode,
              mSensorPrivacyPolicy->isSensorPrivacyEnabled() ? "enabled" : "disabled");
        return;
    }

    SensorDevice& device = SensorDevice::getInstance();
    device.enableAllSensors();
    for (const sp<SensorDirectConnection>& direct : connLock->getDirectConnections()) {
        // Re-evaluate access per connection from its own uid and op package name.
        const bool allowed = hasSensorAccessLocked(direct->getUid(), direct->getOpPackageName());
        direct->onSensorAccessChanged(allowed);
    }
    checkAndReportProxStateChangeLocked();
}
886 
/**
 * Notifies every direct and event connection with onMicSensorAccessChanged(true), under the
 * connection lock. Direct connections are notified before event connections.
 */
void SensorService::capRates() {
    auto connLock = mConnectionHolder.lock(mLock);
    for (const sp<SensorDirectConnection>& direct : connLock.getDirectConnections()) {
        direct->onMicSensorAccessChanged(true);
    }

    for (const sp<SensorEventConnection>& client : connLock.getActiveConnections()) {
        client->onMicSensorAccessChanged(true);
    }
}
897 
/**
 * Notifies every direct and event connection with onMicSensorAccessChanged(false), under the
 * connection lock. Direct connections are notified before event connections.
 */
void SensorService::uncapRates() {
    auto connLock = mConnectionHolder.lock(mLock);
    for (const sp<SensorDirectConnection>& direct : connLock.getDirectConnections()) {
        direct->onMicSensorAccessChanged(false);
    }

    for (const sp<SensorEventConnection>& client : connLock.getActiveConnections()) {
        client->onMicSensorAccessChanged(false);
    }
}
908 
909 // NOTE: This is a remote API - make sure all args are validated
status_t SensorService::shellCommand(int in, int out, int err, Vector<String16>& args) {
    // Authorization comes first: nothing about the arguments is inspected, and no state is
    // touched, unless the caller holds the manage-sensors permission.
    if (!checkCallingPermission(sManageSensorsPermission, nullptr, nullptr)) {
        return PERMISSION_DENIED;
    }
    if (args.size() == 0) {
        return BAD_INDEX;
    }
    if (in == BAD_TYPE || out == BAD_TYPE || err == BAD_TYPE) {
        return BAD_VALUE;
    }

    // Dispatch on the sub-command; each handler validates its own remaining arguments.
    const String16& command = args[0];
    if (command == String16("set-uid-state")) {
        return handleSetUidState(args, err);
    }
    if (command == String16("reset-uid-state")) {
        return handleResetUidState(args, err);
    }
    if (command == String16("get-uid-state")) {
        return handleGetUidState(args, out, err);
    }
    // NOTE(review): the two *-ht commands accept and ignore any trailing arguments, and
    // mHtRestricted is written without taking a lock here; confirm both are intended.
    if (command == String16("unrestrict-ht")) {
        mHtRestricted = false;
        return NO_ERROR;
    }
    if (command == String16("restrict-ht")) {
        mHtRestricted = true;
        return NO_ERROR;
    }
    if (args.size() == 1 && command == String16("help")) {
        printHelp(out);
        return NO_ERROR;
    }

    // Unknown command (or "help" with extra arguments): usage goes to the error stream.
    printHelp(err);
    return BAD_VALUE;
}
939 
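/**
 * Resolves a package name and an Android user id to the corresponding per-user uid.
 *
 * @param packageName package to look up through PermissionController.
 * @param userId      user the uid should belong to; negative values are rejected.
 * @param uid         receives the resolved uid on success; left untouched on failure.
 * @param err         file descriptor that receives a human-readable error message.
 * @return NO_ERROR on success, BAD_VALUE for an unknown package or a negative user id.
 */
static status_t getUidForPackage(String16 packageName, int userId, /*inout*/uid_t& uid, int err) {
    PermissionController pc;
    // Keep the lookup result signed. uid_t is unsigned, so a negative "not found" result
    // stored straight into `uid` wraps to a huge value and slips past a `<= 0` test; the
    // caller would then install a uid-state override for a uid that was never resolved.
    const int packageUid = pc.getPackageUid(packageName, 0);
    if (packageUid <= 0) {
        ALOGE("Unknown package: '%s'", String8(packageName).c_str());
        dprintf(err, "Unknown package: '%s'\n", String8(packageName).c_str());
        return BAD_VALUE;
    }

    if (userId < 0) {
        ALOGE("Invalid user: %d", userId);
        dprintf(err, "Invalid user: %d\n", userId);
        return BAD_VALUE;
    }

    // NOTE(review): userId has no upper bound here; confirm how multiuser_get_uid behaves
    // for ids far outside the range of real users.
    uid = multiuser_get_uid(userId, static_cast<uid_t>(packageUid));
    return NO_ERROR;
}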
958 
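/**
 * Shell handler for `set-uid-state <PACKAGE> <active|idle> [--user USER_ID]`.
 *
 * Installs a uid-state override in mUidPolicy for the resolved uid. The arguments arrive
 * over a remote interface, so each one is checked before the policy is touched.
 *
 * @param args full argument vector, including the command name at index 0.
 * @param err  file descriptor that receives usage and error messages.
 * @return NO_ERROR on success, BAD_VALUE for malformed arguments or an unknown package.
 */
status_t SensorService::handleSetUidState(Vector<String16>& args, int err) {
    // Valid args.size() is 3, or 5 with the --user option.
    if (!(args.size() == 3 || args.size() == 5)) {
        printHelp(err);
        return BAD_VALUE;
    }

    bool active = false;
    if (args[2] == String16("active")) {
        active = true;
    } else if (args[2] != String16("idle")) {
        ALOGE("Expected active or idle but got: '%s'", String8(args[2]).c_str());
        dprintf(err, "Expected active or idle but got: '%s'\n", String8(args[2]).c_str());
        return BAD_VALUE;
    }

    int userId = 0;
    if (args.size() == 5) {
        // Two trailing arguments are only meaningful as "--user <id>". Anything else is
        // rejected instead of being ignored and silently applied to user 0.
        if (args[3] != String16("--user")) {
            printHelp(err);
            return BAD_VALUE;
        }
        // Parse strictly: atoi() turns non-numeric text into 0, which would redirect the
        // override to user 0 without any error.
        const String8 userArg(args[4]);
        char* end = nullptr;
        const long parsed = strtol(userArg.c_str(), &end, 10);
        if (end == userArg.c_str() || *end != '\0' || parsed < 0 || parsed >= INT32_MAX) {
            ALOGE("Invalid user: '%s'", userArg.c_str());
            dprintf(err, "Invalid user: '%s'\n", userArg.c_str());
            return BAD_VALUE;
        }
        userId = static_cast<int>(parsed);
    }

    uid_t uid;
    if (getUidForPackage(args[1], userId, uid, err) != NO_ERROR) {
        return BAD_VALUE;
    }

    mUidPolicy->addOverrideUid(uid, active);
    return NO_ERROR;
}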
987 
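/**
 * Shell handler for `reset-uid-state <PACKAGE> [--user USER_ID]`.
 *
 * Removes the uid-state override for the resolved uid from mUidPolicy. The arguments arrive
 * over a remote interface, so each one is checked before the policy is touched.
 *
 * @param args full argument vector, including the command name at index 0.
 * @param err  file descriptor that receives usage and error messages.
 * @return NO_ERROR on success, BAD_VALUE for malformed arguments or an unknown package.
 */
status_t SensorService::handleResetUidState(Vector<String16>& args, int err) {
    // Valid args.size() is 2, or 4 with the --user option.
    if (!(args.size() == 2 || args.size() == 4)) {
        printHelp(err);
        return BAD_VALUE;
    }

    int userId = 0;
    if (args.size() == 4) {
        // Two trailing arguments are only meaningful as "--user <id>". Anything else is
        // rejected instead of being ignored and silently applied to user 0.
        if (args[2] != String16("--user")) {
            printHelp(err);
            return BAD_VALUE;
        }
        // Parse strictly: atoi() turns non-numeric text into 0, which would redirect the
        // reset to user 0 without any error.
        const String8 userArg(args[3]);
        char* end = nullptr;
        const long parsed = strtol(userArg.c_str(), &end, 10);
        if (end == userArg.c_str() || *end != '\0' || parsed < 0 || parsed >= INT32_MAX) {
            ALOGE("Invalid user: '%s'", userArg.c_str());
            dprintf(err, "Invalid user: '%s'\n", userArg.c_str());
            return BAD_VALUE;
        }
        userId = static_cast<int>(parsed);
    }

    uid_t uid;
    if (getUidForPackage(args[1], userId, uid, err) != NO_ERROR) {
        return BAD_VALUE;
    }

    mUidPolicy->removeOverrideUid(uid);
    return NO_ERROR;
}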
1008 
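/**
 * Shell handler for `get-uid-state <PACKAGE> [--user USER_ID]`.
 *
 * Prints "active" or "idle" for the resolved uid, as reported by mUidPolicy.
 *
 * @param args full argument vector, including the command name at index 0.
 * @param out  file descriptor that receives the state line.
 * @param err  file descriptor that receives usage and error messages.
 * @return NO_ERROR once the state was written, BAD_VALUE for malformed arguments or an
 *         unknown package, UNKNOWN_ERROR when writing to `out` fails.
 */
status_t SensorService::handleGetUidState(Vector<String16>& args, int out, int err) {
    // Valid args.size() is 2, or 4 with the --user option.
    if (!(args.size() == 2 || args.size() == 4)) {
        printHelp(err);
        return BAD_VALUE;
    }

    int userId = 0;
    if (args.size() == 4) {
        // Two trailing arguments are only meaningful as "--user <id>". Anything else is
        // rejected instead of being ignored and silently answered for user 0.
        if (args[2] != String16("--user")) {
            printHelp(err);
            return BAD_VALUE;
        }
        // Parse strictly: atoi() turns non-numeric text into 0, which would answer for
        // user 0 without any error.
        const String8 userArg(args[3]);
        char* end = nullptr;
        const long parsed = strtol(userArg.c_str(), &end, 10);
        if (end == userArg.c_str() || *end != '\0' || parsed < 0 || parsed >= INT32_MAX) {
            ALOGE("Invalid user: '%s'", userArg.c_str());
            dprintf(err, "Invalid user: '%s'\n", userArg.c_str());
            return BAD_VALUE;
        }
        userId = static_cast<int>(parsed);
    }

    uid_t uid;
    if (getUidForPackage(args[1], userId, uid, err) != NO_ERROR) {
        return BAD_VALUE;
    }

    // dprintf() returns the number of bytes written; handing that back as a status_t would
    // report a successful query as a non-zero (failure-looking) status.
    const char* state = mUidPolicy->isUidActive(uid) ? "active\n" : "idle\n";
    return dprintf(out, "%s", state) < 0 ? UNKNOWN_ERROR : NO_ERROR;
}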
1032 
/**
 * Writes the shell usage text to `out`.
 *
 * The list covers the uid-state commands and `help`; the `restrict-ht` / `unrestrict-ht`
 * commands accepted by shellCommand() are not part of this text.
 *
 * @param out file descriptor to write to.
 * @return whatever dprintf() returns for the write (a byte count, or a negative value on
 *         failure), not a status code from the *_ERROR family.
 */
status_t SensorService::printHelp(int out) {
    static const char kUsage[] =
        "Sensor service commands:\n"
        "  get-uid-state <PACKAGE> [--user USER_ID] gets the uid state\n"
        "  set-uid-state <PACKAGE> <active|idle> [--user USER_ID] overrides the uid state\n"
        "  reset-uid-state <PACKAGE> [--user USER_ID] clears the uid state override\n"
        "  help print this message\n";
    return dprintf(out, "%s", kUsage);
}
1040 
1041 //TODO: move to SensorEventConnection later
void SensorService::cleanupAutoDisabledSensorLocked(const sp<SensorEventConnection>& connection,
        sensors_event_t const* buffer, const int count) {
    // For every event in the buffer that belongs to a one-shot sensor this connection is
    // registered for, auto-disable the sensor and drop the connection's registration.
    for (int idx = 0; idx < count; ++idx) {
        const sensors_event_t& event = buffer[idx];
        // Meta-data events carry the sensor they refer to in meta_data.sensor.
        const int handle =
                (event.type == SENSOR_TYPE_META_DATA) ? event.meta_data.sensor : event.sensor;
        if (!connection->hasSensor(handle)) {
            continue;
        }

        std::shared_ptr<SensorInterface> si = getSensorInterfaceFromHandle(handle);
        const bool isOneShot =
                si != nullptr && si->getSensor().getReportingMode() == AREPORTING_MODE_ONE_SHOT;
        if (!isOneShot) {
            continue;
        }
        si->autoDisable(connection.get(), handle);
        cleanupWithoutDisableLocked(connection, handle);
    }
}
1062 
/**
 * Delivers the first `count` events of mSensorEventBuffer to every active connection and
 * releases the wake lock when no connection reports needing it afterwards.
 *
 * @param activeConnections connections to deliver to.
 * @param count             number of valid events in mSensorEventBuffer.
 */
void SensorService::sendEventsToAllClients(
    const std::vector<sp<SensorEventConnection>>& activeConnections,
    ssize_t count) {
    bool anyClientNeedsWakeLock = false;
    for (const sp<SensorEventConnection>& client : activeConnections) {
        client->sendEvents(mSensorEventBuffer, count, mSensorEventScratch,
                           mMapFlushEventsToConnections);
        if (client->needsWakeLock()) {
            anyClientNeedsWakeLock = true;
        }
        // One-shot sensors may be cleaned up right after their first trigger, so check for
        // them as soon as this client's events have been sent.
        if (client->hasOneShotSensors()) {
            cleanupAutoDisabledSensorLocked(client, mSensorEventBuffer, count);
        }
    }

    if (!mWakeLockAcquired || anyClientNeedsWakeLock) {
        return;
    }
    setWakeLockAcquiredLocked(false);
}
1084 
/**
 * Tears down a dynamic sensor: informs the device layer, unregisters the sensor from the
 * service and removes it from every supplied connection.
 *
 * @param handle            handle of the dynamic sensor that went away.
 * @param activeConnections connections the sensor is removed from.
 */
void SensorService::disconnectDynamicSensor(
    int handle,
    const std::vector<sp<SensorEventConnection>>& activeConnections) {
    ALOGI("Dynamic sensor handle 0x%x disconnected", handle);
    SensorDevice& device = SensorDevice::getInstance();
    device.handleDynamicSensorConnection(handle, false /*connected*/);

    // An unregister failure is only logged; the connections are still cleaned up.
    const bool released = unregisterDynamicSensorLocked(handle);
    if (!released) {
        ALOGE("Dynamic sensor release error.");
    }
    for (const sp<SensorEventConnection>& client : activeConnections) {
        client->removeSensor(handle);
    }
}
1098 
/**
 * Handles a sensor device that is reconnecting: when the reconnect-handling flag is on,
 * every known dynamic sensor is reported to clients as disconnected, then the device is
 * asked to reconnect.
 *
 * @param device the device to reconnect.
 */
void SensorService::handleDeviceReconnection(SensorDevice& device) {
    if (sensorservice_flags::dynamic_sensor_hal_reconnect_handling()) {
        // NOTE(review): the autolock below is a temporary that ends with this statement, so
        // mLock does not appear to be held for the loop that follows even though it reaches
        // helpers with a Locked suffix; confirm that is intended.
        const std::vector<sp<SensorEventConnection>> activeConnections =
                mConnectionHolder.lock(mLock).getActiveConnections();

        for (int32_t handle : device.getDynamicSensorHandles()) {
            if (!mDynamicMetaSensorHandle.has_value()) {
                ALOGE("Failed to find mDynamicMetaSensorHandle during init.");
                break;
            }
            // One synthetic "disconnected" meta event per handle, so the number of handles
            // can never exceed what the event buffer holds.
            sensors_event_t& metaEvent = mSensorEventBuffer[0];
            metaEvent.type = SENSOR_TYPE_DYNAMIC_SENSOR_META;
            metaEvent.sensor = *mDynamicMetaSensorHandle;
            metaEvent.dynamic_sensor_meta.connected = false;
            metaEvent.dynamic_sensor_meta.handle = handle;
            mMapFlushEventsToConnections[0] = nullptr;

            disconnectDynamicSensor(handle, activeConnections);
            sendEventsToAllClients(activeConnections, 1);
        }
    }
    device.reconnect();
}
1124 
/**
 * Main polling loop of the service thread.
 *
 * Each iteration polls the sensor device for a batch of events, optionally synthesizes
 * virtual-sensor events from them, handles flush-complete and dynamic-sensor meta events,
 * and finally delivers the batch to all active connections. Everything after the poll runs
 * under the connection lock on mLock. The loop only ends on an unrecoverable poll error or
 * when the thread is asked to exit, and the process is aborted in either case.
 */
bool SensorService::threadLoop() {
    ALOGD("nuSensorService thread starting...");

    // each virtual sensor could generate an event per "real" event, that's why we need to size
    // numEventMax much smaller than MAX_RECEIVE_BUFFER_EVENT_COUNT.  in practice, this is too
    // aggressive, but guaranteed to be enough.
    const size_t vcount = mSensors.getVirtualSensors().size();
    const size_t minBufferSize = SensorEventQueue::MAX_RECEIVE_BUFFER_EVENT_COUNT;
    const size_t numEventMax = minBufferSize / (1 + vcount);

    SensorDevice& device(SensorDevice::getInstance());

    const int halVersion = device.getHalDeviceVersion();
    do {
        ssize_t count = device.poll(mSensorEventBuffer, numEventMax);
        if (count < 0) {
            // A dead HAL that is already reconnecting is recoverable; any other poll error
            // leaves the loop and ends in abort() below.
            if (count == DEAD_OBJECT && device.isReconnecting()) {
                handleDeviceReconnection(device);
                continue;
            } else {
                ALOGE("sensor poll failed (%s)", strerror(-count));
                break;
            }
        }

        // Reset sensors_event_t.flags to zero for all events in the buffer.
        for (int i = 0; i < count; i++) {
             mSensorEventBuffer[i].flags = 0;
        }
        ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);

        // Poll has returned. Hold a wakelock if one of the events is from a wake up sensor. The
        // rest of this loop is under a critical section protected by mLock. Acquiring a wakeLock,
        // sending events to clients (incrementing SensorEventConnection::mWakeLockRefCount) should
        // not be interleaved with decrementing SensorEventConnection::mWakeLockRefCount and
        // releasing the wakelock.
        uint32_t wakeEvents = 0;
        for (int i = 0; i < count; i++) {
            if (isWakeUpSensorEvent(mSensorEventBuffer[i])) {
                wakeEvents++;
            }
        }

        if (wakeEvents > 0) {
            if (!mWakeLockAcquired) {
                setWakeLockAcquiredLocked(true);
            }
            device.writeWakeLockHandled(wakeEvents);
        }
        recordLastValueLocked(mSensorEventBuffer, count);

        // handle virtual sensors
        if (count && vcount) {
            sensors_event_t const * const event = mSensorEventBuffer;
            if (!mActiveVirtualSensors.empty()) {
                // k counts the synthesized events appended after the `count` polled ones.
                size_t k = 0;
                SensorFusion& fusion(SensorFusion::getInstance());
                if (fusion.isEnabled()) {
                    for (size_t i=0 ; i<size_t(count) ; i++) {
                        fusion.process(event[i]);
                    }
                }
                for (size_t i=0 ; i<size_t(count) && k<minBufferSize ; i++) {
                    for (int handle : mActiveVirtualSensors) {
                        // Bounds guard for the write to mSensorEventBuffer[count + k] below:
                        // nothing is stored once count + k reaches minBufferSize.
                        // NOTE(review): assumes mSensorEventBuffer holds at least
                        // minBufferSize events; its allocation is not visible here.
                        if (count + k >= minBufferSize) {
                            ALOGE("buffer too small to hold all events: "
                                    "count=%zd, k=%zu, size=%zu",
                                    count, k, minBufferSize);
                            break;
                        }
                        sensors_event_t out;
                        std::shared_ptr<SensorInterface> si = getSensorInterfaceFromHandle(handle);
                        if (si == nullptr) {
                            ALOGE("handle %d is not an valid virtual sensor", handle);
                            continue;
                        }

                        if (si->process(&out, event[i])) {
                            mSensorEventBuffer[count + k] = out;
                            k++;
                        }
                    }
                }
                if (k) {
                    // record the last synthesized values
                    recordLastValueLocked(&mSensorEventBuffer[count], k);
                    count += k;
                    sortEventBuffer(mSensorEventBuffer, count);
                }
            }
        }

        // handle backward compatibility for RotationVector sensor
        if (halVersion < SENSORS_DEVICE_API_VERSION_1_0) {
            for (int i = 0; i < count; i++) {
                if (mSensorEventBuffer[i].type == SENSOR_TYPE_ROTATION_VECTOR) {
                    // All the 4 components of the quaternion should be available
                    // No heading accuracy. Set it to -1
                    mSensorEventBuffer[i].data[4] = -1;
                }
            }
        }

        // Cache the list of active connections, since we use it in multiple places below but won't
        // modify it here
        const std::vector<sp<SensorEventConnection>> activeConnections = connLock.getActiveConnections();

        for (int i = 0; i < count; ++i) {
            // Map flush_complete_events in the buffer to SensorEventConnections which called flush
            // on the hardware sensor. mapFlushEventsToConnections[i] will be the
            // SensorEventConnection mapped to the corresponding flush_complete_event in
            // mSensorEventBuffer[i] if such a mapping exists (NULL otherwise).
            mMapFlushEventsToConnections[i] = nullptr;
            if (mSensorEventBuffer[i].type == SENSOR_TYPE_META_DATA) {
                const int sensor_handle = mSensorEventBuffer[i].meta_data.sensor;
                SensorRecord* rec = mActiveSensors.valueFor(sensor_handle);
                if (rec != nullptr) {
                    mMapFlushEventsToConnections[i] = rec->getFirstPendingFlushConnection();
                    rec->removeFirstPendingFlushConnection();
                }
            }
            // handle dynamic sensor meta events, process registration and unregistration of dynamic
            // sensor based on content of event.
            if (mSensorEventBuffer[i].type == SENSOR_TYPE_DYNAMIC_SENSOR_META) {
                if (mSensorEventBuffer[i].dynamic_sensor_meta.connected) {
                    int handle = mSensorEventBuffer[i].dynamic_sensor_meta.handle;
                    // NOTE(review): the sensor pointer is dereferenced (and its name logged
                    // with %s) without a null check; presumably the device layer guarantees
                    // it for connected events. Confirm against SensorDevice.
                    const sensor_t& dynamicSensor =
                            *(mSensorEventBuffer[i].dynamic_sensor_meta.sensor);
                    ALOGI("Dynamic sensor handle 0x%x connected, type %d, name %s",
                          handle, dynamicSensor.type, dynamicSensor.name);

                    // A handle that was already used is refused rather than re-registered.
                    if (mSensors.isNewHandle(handle)) {
                        const auto& uuid = mSensorEventBuffer[i].dynamic_sensor_meta.uuid;
                        sensor_t s = dynamicSensor;
                        // make sure the dynamic sensor flag is set
                        s.flags |= DYNAMIC_SENSOR_MASK;
                        // force the handle to be consistent
                        s.handle = handle;

                        auto si = std::make_shared<HardwareSensor>(s, uuid);

                        // This will release hold on dynamic sensor meta, so it should be called
                        // after Sensor object is created.
                        device.handleDynamicSensorConnection(handle, true /*connected*/);
                        registerDynamicSensorLocked(std::move(si));
                    } else {
                        ALOGE("Handle %d has been used, cannot use again before reboot.", handle);
                    }
                } else {
                    int handle = mSensorEventBuffer[i].dynamic_sensor_meta.handle;
                    disconnectDynamicSensor(handle, activeConnections);
                    if (sensorservice_flags::
                            sensor_service_clear_dynamic_sensor_data_at_the_end()) {
                      device.cleanupDisconnectedDynamicSensor(handle);
                    }
                }
            }
        }

        // Send our events to clients. Check the state of wake lock for each client and release the
        // lock if none of the clients need it.
        sendEventsToAllClients(activeConnections, count);
    } while (!Thread::exitPending());

    // Leaving the loop is treated as fatal: the process aborts, so the return below is
    // never reached.
    ALOGW("Exiting SensorService::threadLoop => aborting...");
    abort();
    return false;
}
1293 
/**
 * Blocks until runtime sensor events are queued, moves as many as fit into
 * mRuntimeSensorEventBuffer, then records, sorts and delivers them to every active
 * connection under the connection lock.
 */
void SensorService::processRuntimeSensorEvents() {
    const size_t capacity = SensorEventQueue::MAX_RECEIVE_BUFFER_EVENT_COUNT;
    size_t drained = 0;

    {
        // The queue mutex is held only while draining, not while events are delivered.
        std::unique_lock<std::mutex> lock(mRutimeSensorThreadMutex);

        if (mRuntimeSensorEventQueue.empty()) {
            mRuntimeSensorsCv.wait(lock, [this] { return !mRuntimeSensorEventQueue.empty(); });
        }

        // Drain until the queue is empty or the buffer is full; whatever does not fit stays
        // queued.
        while (!mRuntimeSensorEventQueue.empty()) {
            if (drained >= capacity) {
                ALOGE("buffer too small to hold all events: count=%zd, size=%zu", drained,
                      capacity);
                break;
            }
            mRuntimeSensorEventBuffer[drained] = mRuntimeSensorEventQueue.front();
            mRuntimeSensorEventQueue.pop();
            ++drained;
        }
    }

    if (drained == 0) {
        return;
    }

    ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);

    recordLastValueLocked(mRuntimeSensorEventBuffer, drained);
    sortEventBuffer(mRuntimeSensorEventBuffer, drained);

    for (const sp<SensorEventConnection>& client : connLock.getActiveConnections()) {
        client->sendEvents(mRuntimeSensorEventBuffer, drained, /* scratch= */ nullptr,
                           /* mapFlushEventsToConnections= */ nullptr);
        if (client->hasOneShotSensors()) {
            cleanupAutoDisabledSensorLocked(client, mRuntimeSensorEventBuffer, drained);
        }
    }
}
1333 
/** Returns the service's looper (a strong reference to mLooper). */
sp<Looper> SensorService::getLooper() const {
    return mLooper;
}
1337 
/**
 * Resets the wake-lock reference count of every active connection and releases the
 * service's wake lock, all under the connection lock.
 */
void SensorService::resetAllWakeLockRefCounts() {
    auto connLock = mConnectionHolder.lock(mLock);
    for (const sp<SensorEventConnection>& client : connLock.getActiveConnections()) {
        client->resetWakeLockRefCount();
    }
    setWakeLockAcquiredLocked(false);
}
1345 
/**
 * Acquires or releases the service's partial wake lock and keeps mWakeLockAcquired in sync.
 *
 * Acquiring when the lock is already held, or releasing when it is not, does not call into
 * the wake-lock API again. The looper is woken on every acquire request.
 *
 * @param acquire true to hold the wake lock, false to release it.
 */
void SensorService::setWakeLockAcquiredLocked(bool acquire) {
    if (!acquire) {
        if (mWakeLockAcquired) {
            release_wake_lock(WAKE_LOCK_NAME);
            mWakeLockAcquired = false;
        }
        return;
    }

    if (!mWakeLockAcquired) {
        acquire_wake_lock(PARTIAL_WAKE_LOCK, WAKE_LOCK_NAME);
        mWakeLockAcquired = true;
    }
    mLooper->wake();
}
1360 
/** Returns mWakeLockAcquired, read while holding mLock. */
bool SensorService::isWakeLockAcquired() {
    Mutex::Autolock lock(mLock);
    return mWakeLockAcquired;
}
1365 
/**
 * Loop of the ack-receiver thread: polls the service looper and, when a poll times out
 * while the wake lock is held, resets all wake-lock reference counts.
 *
 * @return false once the thread has been asked to exit.
 */
bool SensorService::SensorEventAckReceiver::threadLoop() {
    ALOGD("new thread SensorEventAckReceiver");
    sp<Looper> looper = mService->getLooper();
    do {
        // With the wake lock held the wait is bounded (5000), so a client that never
        // acknowledges cannot keep the lock held forever; otherwise wait indefinitely (-1).
        const int timeout = mService->isWakeLockAcquired() ? 5000 : -1;
        if (looper->pollOnce(timeout) == ALOOPER_POLL_TIMEOUT) {
            mService->resetAllWakeLockRefCounts();
        }
    } while (!Thread::exitPending());
    return false;
}
1380 
/**
 * Loop of the runtime-sensor thread: processes runtime sensor events at least once and
 * then repeatedly until the thread is asked to exit.
 *
 * @return false once the thread has been asked to exit.
 */
bool SensorService::RuntimeSensorHandler::threadLoop() {
    ALOGD("new thread RuntimeSensorHandler");
    do {
        mService->processRuntimeSensorEvents();
    } while (!Thread::exitPending());
    return false;
}
1388 
// Adds each event in buffer[0..count) to the recent-event logger registered
// for its sensor handle in mRecentEvent.  Meta-data, dynamic-sensor-meta and
// additional-info events are skipped, as are events whose handle has no logger.
void SensorService::recordLastValueLocked(
        const sensors_event_t* buffer, size_t count) {
    for (size_t idx = 0; idx < count; ++idx) {
        const sensors_event_t& event = buffer[idx];

        const bool isBookkeepingEvent = event.type == SENSOR_TYPE_META_DATA ||
                                        event.type == SENSOR_TYPE_DYNAMIC_SENSOR_META ||
                                        event.type == SENSOR_TYPE_ADDITIONAL_INFO;
        if (isBookkeepingEvent) {
            continue;
        }

        auto entry = mRecentEvent.find(event.sensor);
        if (entry == mRecentEvent.end()) {
            continue;
        }
        entry->second->addEvent(event);
    }
}
1404 
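// Sorts buffer[0..count) in place by ascending event timestamp using qsort().
void SensorService::sortEventBuffer(sensors_event_t* buffer, size_t count) {
    struct compar {
        static int cmp(void const* lhs, void const* rhs) {
            sensors_event_t const* l = static_cast<sensors_event_t const*>(lhs);
            sensors_event_t const* r = static_cast<sensors_event_t const*>(rhs);
            // Compare instead of subtracting: the timestamps are 64-bit, so the
            // difference does not fit the int return value and a truncated (or
            // overflowed) difference can report the wrong order.
            if (l->timestamp < r->timestamp) {
                return -1;
            }
            return (l->timestamp > r->timestamp) ? 1 : 0;
        }
    };
    qsort(buffer, count, sizeof(sensors_event_t), compar::cmp);
}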
1415 
// Returns the name that mSensors reports for the given sensor handle.
String8 SensorService::getSensorName(int handle) const {
    String8 name = mSensors.getName(handle);
    return name;
}
1419 
// Returns the string type that mSensors reports for the given sensor handle.
String8 SensorService::getSensorStringType(int handle) const {
    String8 stringType = mSensors.getStringType(handle);
    return stringType;
}
1423 
// True when the handle resolves to a sensor interface that reports itself as
// virtual; false when the handle is unknown.
bool SensorService::isVirtualSensor(int handle) const {
    const std::shared_ptr<SensorInterface> iface = getSensorInterfaceFromHandle(handle);
    if (iface == nullptr) {
        return false;
    }
    return iface->isVirtual();
}
1428 
// True when the event belongs to a known wake-up sensor.  For meta-data events
// the sensor handle is taken from the meta_data payload instead of the event
// header.  Unknown handles yield false.
bool SensorService::isWakeUpSensorEvent(const sensors_event_t& event) const {
    const int handle =
            (event.type == SENSOR_TYPE_META_DATA) ? event.meta_data.sensor : event.sensor;
    const std::shared_ptr<SensorInterface> iface = getSensorInterfaceFromHandle(handle);
    if (iface == nullptr) {
        return false;
    }
    return iface->getSensor().isWakeUpSensor();
}
1437 
// Maps a sensor UUID to the 32-bit id reported to the calling client.
//
// Return values:
//   0   the UUID is all zeroes (UUIDs not supported), or the id could not be
//       derived (invalid HMAC key, HMAC failure, digest shorter than the id);
//   -1  the UUID is all ones (sensor is identified by type and name);
//   any other value: the first sizeof(int32_t) bytes of
//       HMAC-SHA256(sHmacGlobalKey, uuid || calling uid), remapped so that it
//       never collides with the two special values above.
//
// The raw UUID is never returned; on every failure path the function returns 0
// rather than falling back to anything derived directly from the UUID.
int32_t SensorService::getIdFromUuid(const Sensor::uuid_t &uuid) const {
    const bool uuidAllZero = (uuid.i64[0] == 0) && (uuid.i64[1] == 0);
    if (uuidAllZero) {
        // UUID is not supported for this device.
        return 0;
    }
    const bool uuidAllOnes =
            (uuid.i64[0] == INT64_C(~0)) && (uuid.i64[1] == INT64_C(~0));
    if (uuidAllOnes) {
        // This sensor can be uniquely identified in the system by
        // the combination of its type and name.
        return -1;
    }

    // Anything else is a dynamic sensor.

    if (!sHmacGlobalKeyIsValid) {
        // Without a valid key, report "unsupported" rather than risk exposing
        // UUIDs.
        ALOGW("HMAC key failure; dynamic sensor getId() will be wrong.");
        return 0;
    }

    // Each app author/publisher should get a different ID, so that the same
    // dynamic sensor cannot be tracked across apps by multiple
    // authors/publishers.  The MAC input is therefore the UUID followed by
    // the caller's User ID.
    // Note potential confusion:
    //     UUID => Universally Unique Identifier.
    //     UID  => User Identifier.
    // "uid" is avoided here except where the API requires it, to keep the
    // distinction clear.
    auto appUserId = IPCThreadState::self()->getCallingUid();
    uint8_t macInput[sizeof(uuid) + sizeof(appUserId)];
    uint8_t* const appPart = macInput + sizeof(uuid);
    memcpy(macInput, &uuid, sizeof(uuid));
    memcpy(appPart, &appUserId, sizeof(appUserId));

    // Key the UUID/app combination to obtain the digest.
    uint8_t digest[EVP_MAX_MD_SIZE];
    unsigned int digestLen;
    const uint8_t* const mac = HMAC(EVP_sha256(),
                                    sHmacGlobalKey, sizeof(sHmacGlobalKey),
                                    macInput, sizeof(macInput),
                                    digest, &digestLen);
    if (mac == nullptr) {
        // Report "unsupported" rather than risk exposing UUIDs.
        ALOGW("HMAC failure; dynamic sensor getId() will be wrong.");
        return 0;
    }

    int32_t id = 0;
    if (digestLen < sizeof(id)) {
        // Not expected to happen, but handled out of paranoia: the id is
        // already short, and its effective length must not shrink further.
        // Report "unsupported" rather than risk exposing UUIDs.
        ALOGW("HMAC insufficient; dynamic sensor getId() will be wrong.");
        return 0;
    }

    // Only a prefix of the digest fits; that is as much as the current id
    // width allows.
    memcpy(&id, digest, sizeof(id));

    // 0 and -1 are reserved for the special cases handled at the top, so a
    // digest prefix that happens to equal one of them is moved to a
    // neighbouring value and still reads as a dynamic sensor id.
    switch (id) {
        case -1:
            return -2;
        case 0:
            return 1;
        default:
            return id;
    }
}
1509 
// Replaces UUID-based identification with per-caller ids for every sensor in
// the list: each sensor gets the id computed by getIdFromUuid(), and its UUID
// is anonymized unless the calling uid passes
// isAudioServerOrSystemServerUid().
//
// This is the last step before a sensor list is handed back to the client
// process; no later check strips the UUID, so every list-returning path must
// go through here.
void SensorService::makeUuidsIntoIdsForSensorList(Vector<Sensor> &sensorList) const {
    for (Sensor& entry : sensorList) {
        entry.setId(getIdFromUuid(entry.getUuid()));

        const auto callingUid = IPCThreadState::self()->getCallingUid();
        if (isAudioServerOrSystemServerUid(callingUid)) {
            // Privileged callers keep the real UUID.
            continue;
        }
        entry.anonymizeUuid();
    }
}
1521 
// Builds the sensor list returned to a client.
//
// The source list is the user-debug list when the "debug.sensors" property
// parses to a non-zero integer, otherwise the regular user list.  Sensors in
// the capped set have their minimum delay and highest direct report rate
// level capped when isRateCappedBasedOnPermission() says so for the package.
// UUIDs are converted to ids (and anonymized for non-privileged callers)
// before the list is returned.
//
// Note: this function does not call canAccessSensor(); every sensor of the
// chosen source list is included.
Vector<Sensor> SensorService::getSensorList(const String16& opPackageName) {
    char debugProp[PROPERTY_VALUE_MAX];
    property_get("debug.sensors", debugProp, "0");
    const bool useDebugList = atoi(debugProp) != 0;
    const Vector<Sensor>& sourceList =
            useDebugList ? mSensors.getUserDebugSensors() : mSensors.getUserSensors();
    Vector<Sensor> accessibleSensorList;

    resetTargetSdkVersionCache(opPackageName);
    const bool capRates = isRateCappedBasedOnPermission(opPackageName);
    for (const Sensor& original : sourceList) {
        // Work on a copy so the capping never touches the service's own list.
        Sensor sensor = original;
        if (capRates && isSensorInCappedSet(sensor.getType())) {
            sensor.capMinDelayMicros(SENSOR_SERVICE_CAPPED_SAMPLING_PERIOD_NS / 1000);
            sensor.capHighestDirectReportRateLevel(SENSOR_SERVICE_CAPPED_SAMPLING_RATE_LEVEL);
        }
        accessibleSensorList.add(sensor);
    }
    makeUuidsIntoIdsForSensorList(accessibleSensorList);
    return accessibleSensorList;
}
1542 
// Appends the sensor to accessibleSensorList when canAccessSensor() allows the
// package to see it.  A denied sensor is logged with its required permission
// and app op, except for head tracker sensors, which are skipped silently.
void SensorService::addSensorIfAccessible(const String16& opPackageName, const Sensor& sensor,
        Vector<Sensor>& accessibleSensorList) {
    if (canAccessSensor(sensor, "can't see", opPackageName)) {
        accessibleSensorList.add(sensor);
        return;
    }

    if (sensor.getType() == SENSOR_TYPE_HEAD_TRACKER) {
        return;
    }
    ALOGI("Skipped sensor %s because it requires permission %s and app op %" PRId32,
          sensor.getName().c_str(), sensor.getRequiredPermission().c_str(),
          sensor.getRequiredAppOp());
}
1553 
// Returns the dynamic sensors the package is allowed to see, with UUIDs
// converted to ids (and anonymized for non-privileged callers).
Vector<Sensor> SensorService::getDynamicSensorList(const String16& opPackageName) {
    Vector<Sensor> accessibleSensorList;

    auto collectDynamic =
            [this, &opPackageName, &accessibleSensorList] (const Sensor& candidate) -> bool {
                if (candidate.isDynamicSensor()) {
                    addSensorIfAccessible(opPackageName, candidate, accessibleSensorList);
                }
                // Always true: every sensor is visited.
                return true;
            };
    mSensors.forEachSensor(collectDynamic);

    makeUuidsIntoIdsForSensorList(accessibleSensorList);
    return accessibleSensorList;
}
1566 
// Returns the sensors registered for the given deviceId that the package is
// allowed to see, with UUIDs converted to ids (and anonymized for
// non-privileged callers).
Vector<Sensor> SensorService::getRuntimeSensorList(const String16& opPackageName, int deviceId) {
    Vector<Sensor> accessibleSensorList;

    auto collectForDevice =
            [this, &opPackageName, deviceId, &accessibleSensorList] (
                    const SensorServiceUtil::SensorList::Entry& entry) -> bool {
                if (entry.deviceId == deviceId) {
                    addSensorIfAccessible(opPackageName, entry.si->getSensor(),
                                          accessibleSensorList);
                }
                // Always true: every entry is visited.
                return true;
            };
    mSensors.forEachEntry(collectForDevice);

    makeUuidsIntoIdsForSensorList(accessibleSensorList);
    return accessibleSensorList;
}
1580 
// Creates a SensorEventConnection for the calling uid.
//
// requestedMode must be NORMAL or one of the injection modes (DATA_INJECTION,
// REPLAY_DATA_INJECTION, HAL_BYPASS_REPLAY_DATA_INJECTION); anything else
// returns nullptr.  A DATA_INJECTION request additionally requires that the
// service is already operating in DATA_INJECTION mode and that packageName is
// on the allow list.
//
// NOTE(review): only DATA_INJECTION requests are checked here against the
// operating mode and the allow list; the two replay injection modes pass
// through this function without those checks -- confirm they are gated
// elsewhere.
// NOTE(review): packageName is a caller-supplied parameter and is not compared
// with the calling uid in this function -- confirm the allow-list decision
// does not rest on it alone.
//
// Empty package names are replaced: packageName by "unknown_package_pid_<pid>"
// and opPackageName by the (possibly replaced) package name.  Injection
// connections are registered with the connection holder and the looper right
// away.
sp<ISensorEventConnection> SensorService::createSensorEventConnection(const String8& packageName,
        int requestedMode, const String16& opPackageName, const String16& attributionTag) {
    const bool injectionRequested = isInjectionMode(requestedMode);
    if (requestedMode != NORMAL && !injectionRequested) {
        ALOGE(
            "Failed to create sensor event connection: invalid request mode. "
            "requestMode: %d",
            requestedMode);
        return nullptr;
    }
    resetTargetSdkVersionCache(opPackageName);

    Mutex::Autolock _l(mLock);
    if (requestedMode == DATA_INJECTION) {
        // A DATA_INJECTION client can only be created while the service itself
        // is operating in DATA_INJECTION mode.
        if (mCurrentOperatingMode != DATA_INJECTION) {
            ALOGE(
                "Failed to create sensor event connection: sensor service not in "
                "DI mode when creating a client in DATA_INJECTION mode");
            return nullptr;
        }
        if (!isAllowListedPackage(packageName)) {
            ALOGE(
                "Failed to create sensor event connection: package %s not in "
                "allowed list for DATA_INJECTION mode",
                packageName.c_str());
            return nullptr;
        }
    }

    // uid and pid come from the binder call, not from the caller's arguments.
    IPCThreadState* const ipc = IPCThreadState::self();
    uid_t uid = ipc->getCallingUid();
    pid_t pid = ipc->getCallingPid();

    String8 connPackageName =
            (packageName == "") ? String8::format("unknown_package_pid_%d", pid) : packageName;
    String16 connOpPackageName =
            (opPackageName == String16("")) ? String16(connPackageName) : opPackageName;
    sp<SensorEventConnection> result(new SensorEventConnection(this, uid, connPackageName,
                                                               injectionRequested,
                                                               connOpPackageName, attributionTag));
    if (injectionRequested) {
        mConnectionHolder.addEventConnectionIfNotPresent(result);
        // Register the connection's file descriptor with the Looper so it is
        // polled whenever there is data to be injected.
        result->updateLooperRegistration(mLooper);
    }
    return result;
}
1631 
// Returns 1 when the service is operating in DATA_INJECTION mode, else 0.
int SensorService::isDataInjectionEnabled() {
    Mutex::Autolock _l(mLock);
    const bool enabled = (mCurrentOperatingMode == DATA_INJECTION);
    return enabled;
}
1636 
// Returns 1 when the service is operating in REPLAY_DATA_INJECTION mode,
// else 0.
int SensorService::isReplayDataInjectionEnabled() {
    Mutex::Autolock _l(mLock);
    const bool enabled = (mCurrentOperatingMode == REPLAY_DATA_INJECTION);
    return enabled;
}
1641 
// Returns 1 when the service is operating in
// HAL_BYPASS_REPLAY_DATA_INJECTION mode, else 0.
int SensorService::isHalBypassReplayDataInjectionEnabled() {
    Mutex::Autolock _l(mLock);
    const bool enabled = (mCurrentOperatingMode == HAL_BYPASS_REPLAY_DATA_INJECTION);
    return enabled;
}
1646 
// True for the three injection modes: DATA_INJECTION, REPLAY_DATA_INJECTION
// and HAL_BYPASS_REPLAY_DATA_INJECTION.
bool SensorService::isInjectionMode(int mode) {
    switch (mode) {
        case DATA_INJECTION:
        case REPLAY_DATA_INJECTION:
        case HAL_BYPASS_REPLAY_DATA_INJECTION:
            return true;
        default:
            return false;
    }
}
1651 
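// Creates a direct (shared memory) sensor channel for the calling uid.
//
// The request is rejected (nullptr) when sensor privacy is enabled, when the
// resource handle is null, when the format is not
// SENSOR_DIRECT_FMT_SENSORS_EVENT, when an equivalent channel already exists,
// when the memory type is unknown, or when an ashmem region is missing,
// invalid or smaller than the requested size.  The resource handle is cloned;
// the clone is owned by the new connection on success and closed here on
// failure.
//
// For the default device the channel is registered with SensorDevice; for any
// other deviceId a duplicate of the clone's first file descriptor is handed to
// that device's runtime sensor callback.
sp<ISensorEventConnection> SensorService::createSensorDirectConnection(
        const String16& opPackageName, int deviceId, uint32_t size, int32_t type, int32_t format,
        const native_handle *resource) {
    resetTargetSdkVersionCache(opPackageName);
    ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);

    // No new direct connections are allowed when sensor privacy is enabled
    if (mSensorPrivacyPolicy->isSensorPrivacyEnabled()) {
        ALOGE("Cannot create new direct connections when sensor privacy is enabled");
        return nullptr;
    }

    struct sensors_direct_mem_t mem = {
        .type = type,
        .format = format,
        .size = size,
        .handle = resource,
    };
    uid_t uid = IPCThreadState::self()->getCallingUid();

    // mem.handle is the caller's resource pointer at this point, so this
    // rejects a null resource before it is dereferenced below.
    if (mem.handle == nullptr) {
        ALOGE("Failed to clone resource handle");
        return nullptr;
    }

    // check format
    if (format != SENSOR_DIRECT_FMT_SENSORS_EVENT) {
        ALOGE("Direct channel format %d is unsupported!", format);
        return nullptr;
    }

    // check for duplication
    for (const sp<SensorDirectConnection>& connection : connLock.getDirectConnections()) {
        if (connection->isEquivalent(&mem)) {
            ALOGE("Duplicate create channel request for the same share memory");
            return nullptr;
        }
    }

    // check specific to memory type
    switch(type) {
        case SENSOR_DIRECT_MEM_TYPE_ASHMEM: { // channel backed by ashmem
            if (resource->numFds < 1) {
                ALOGE("Ashmem direct channel requires a memory region to be supplied");
                android_errorWriteLog(0x534e4554, "70986337");  // SafetyNet
                return nullptr;
            }
            int fd = resource->data[0];
            if (!ashmem_valid(fd)) {
                ALOGE("Supplied Ashmem memory region is invalid");
                return nullptr;
            }

            int size2 = ashmem_get_size_region(fd);
            // check size consistency; a negative (error) result also fails here
            if (size2 < static_cast<int64_t>(size)) {
                ALOGE("Ashmem direct channel size %" PRIu32 " greater than shared memory size %d",
                      size, size2);
                return nullptr;
            }
            break;
        }
        case SENSOR_DIRECT_MEM_TYPE_GRALLOC:
            // no specific checks for gralloc
            // NOTE(review): the requested size is not compared with the
            // gralloc buffer in this function -- confirm it is validated
            // further down the stack.
            break;
        default:
            ALOGE("Unknown direct connection memory type %d", type);
            return nullptr;
    }

    native_handle_t *clone = native_handle_clone(resource);
    if (!clone) {
        return nullptr;
    }
    native_handle_set_fdsan_tag(clone);

    sp<SensorDirectConnection> conn;
    int channelHandle = 0;
    if (deviceId == RuntimeSensor::DEFAULT_DEVICE_ID) {
        SensorDevice& dev(SensorDevice::getInstance());
        channelHandle = dev.registerDirectChannel(&mem);
    } else {
        auto runtimeSensorCallback = mRuntimeSensorCallbacks.find(deviceId);
        if (runtimeSensorCallback == mRuntimeSensorCallbacks.end()) {
            ALOGE("Runtime sensor callback for deviceId %d not found", deviceId);
        } else if (clone->numFds < 1) {
            // Only the ashmem branch above guarantees numFds >= 1.  Without
            // this check data[0] could be an integer payload of the handle (or
            // lie past its data) and must not be treated as a descriptor.
            ALOGE("Direct channel for deviceId %d requires a file descriptor", deviceId);
        } else {
            int fd = dup(clone->data[0]);
            if (fd < 0) {
                // Do not hand an invalid descriptor to the callback.
                ALOGE("Failed to duplicate direct channel fd for deviceId %d", deviceId);
            } else {
                // NOTE(review): presumably the callback takes ownership of fd,
                // including when it fails -- confirm, otherwise fd leaks when
                // it returns <= 0.
                channelHandle = runtimeSensorCallback->second->onDirectChannelCreated(fd);
            }
        }
    }

    if (channelHandle <= 0) {
        ALOGE("SensorDevice::registerDirectChannel returns %d", channelHandle);
    } else {
        // From here on the connection refers to the clone, not to the
        // caller's handle.
        mem.handle = clone;
        IPCThreadState* thread = IPCThreadState::self();
        pid_t pid = (thread != nullptr) ? thread->getCallingPid() : -1;
        conn = new SensorDirectConnection(this, uid, pid, &mem, channelHandle, opPackageName,
                                          deviceId);
    }

    if (conn == nullptr) {
        // No connection took the clone over, so close its fds and free it.
        native_handle_close_with_tag(clone);
        native_handle_delete(clone);
    } else {
        // add to list of direct connections
        // sensor service should never hold pointer or sp of SensorDirectConnection object.
        mConnectionHolder.addDirectConnection(conn);
    }
    return conn;
}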
1763 
// Forwards a direct channel rate configuration to the runtime sensor callback
// of the connection's device.  Returns BAD_VALUE when the sensor belongs to a
// different device than the channel, or when no callback is registered for the
// device; otherwise returns the callback's result.
// c and config are dereferenced without a null check.
int SensorService::configureRuntimeSensorDirectChannel(
        int sensorHandle, const SensorDirectConnection* c, const sensors_direct_cfg_t* config) {
    const int channelDeviceId = c->getDeviceId();
    const int sensorDeviceId = getDeviceIdFromHandle(sensorHandle);
    // A channel may only be configured with sensors of the device it was
    // created for.
    if (sensorDeviceId != channelDeviceId) {
        ALOGE("Cannot configure direct channel created for device %d with a sensor that belongs "
              "to device %d", channelDeviceId, sensorDeviceId);
        return BAD_VALUE;
    }

    auto callbackEntry = mRuntimeSensorCallbacks.find(channelDeviceId);
    if (callbackEntry == mRuntimeSensorCallbacks.end()) {
        ALOGE("Runtime sensor callback for deviceId %d not found", channelDeviceId);
        return BAD_VALUE;
    }
    return callbackEntry->second->onDirectChannelConfigured(
            c->getHalChannelHandle(), sensorHandle, config->rate_level);
}
1781 
// Injects an additional-info parameter into the sensor HAL as a three-event
// frame: AINFO_BEGIN, the payload event of the given type, AINFO_END.
//
// The caller must hold the permission in sLocationHardwarePermission,
// otherwise PERMISSION_DENIED is returned.  BAD_VALUE is returned when:
//   - the type is not one of the known types and is outside
//     [AINFO_CUSTOM_START, AINFO_DEBUGGING_START);
//   - a custom type carries ints, more floats than data_float can hold, or a
//     negative handle;
//   - a non-custom type is used with a handle other than -1;
//   - the number of floats/ints differs from what the type expects.
// Otherwise the result of the first failing injectSensorData() call is
// returned, or NO_ERROR.
int SensorService::setOperationParameter(
            int32_t handle, int32_t type,
            const Vector<float> &floats, const Vector<int32_t> &ints) {
    Mutex::Autolock _l(mLock);

    if (!checkCallingPermission(sLocationHardwarePermission, nullptr, nullptr)) {
        return PERMISSION_DENIED;
    }

    bool payloadIsFloat = true;
    bool customType = false;
    size_t expectedCount = INT32_MAX;
    if (type == AINFO_LOCAL_GEOMAGNETIC_FIELD) {
        payloadIsFloat = true;
        expectedCount = 3;
    } else if (type == AINFO_LOCAL_GRAVITY) {
        payloadIsFloat = true;
        expectedCount = 1;
    } else if (type == AINFO_DOCK_STATE || type == AINFO_HIGH_PERFORMANCE_MODE ||
               type == AINFO_MAGNETIC_FIELD_CALIBRATION) {
        payloadIsFloat = false;
        expectedCount = 1;
    } else {
        // CUSTOM events must only contain float data; it may have variable size.
        // The float count is bounded by the capacity of data_float so that the
        // copy into the payload event below stays inside the array.
        const size_t floatCapacity =
                sizeof(additional_info_event_t::data_float) / sizeof(float);
        const bool typeOutOfRange =
                type < AINFO_CUSTOM_START || type >= AINFO_DEBUGGING_START;
        if (typeOutOfRange || ints.size() || floatCapacity < floats.size() || handle < 0) {
            return BAD_VALUE;
        }
        payloadIsFloat = true;
        customType = true;
        expectedCount = floats.size();
    }

    // Non-custom parameters are only accepted with handle -1.
    if (!customType && handle != -1) {
        return BAD_VALUE;
    }

    // three events: first one is begin tag, last one is end tag, the one in the middle
    // is the payload.
    constexpr size_t kFrameEvents = 3;
    sensors_event_t event[kFrameEvents];
    int64_t timestamp = elapsedRealtimeNano();
    for (size_t idx = 0; idx < kFrameEvents; ++idx) {
        // Consecutive timestamps keep the three events in order.
        event[idx] = (sensors_event_t) {
            .version = sizeof(sensors_event_t),
            .sensor = handle,
            .type = SENSOR_TYPE_ADDITIONAL_INFO,
            .timestamp = timestamp++,
            .additional_info = (additional_info_event_t) {
                .serial = 0
            }
        };
    }

    event[0].additional_info.type = AINFO_BEGIN;
    event[1].additional_info.type = type;
    event[2].additional_info.type = AINFO_END;

    additional_info_event_t& payload = event[1].additional_info;
    if (payloadIsFloat) {
        if (floats.size() != expectedCount) {
            return BAD_VALUE;
        }
        for (size_t idx = 0; idx < expectedCount; ++idx) {
            payload.data_float[idx] = floats[idx];
        }
    } else {
        if (ints.size() != expectedCount) {
            return BAD_VALUE;
        }
        for (size_t idx = 0; idx < expectedCount; ++idx) {
            payload.data_int32[idx] = ints[idx];
        }
    }

    SensorDevice& dev(SensorDevice::getInstance());
    for (sensors_event_t& frameEvent : event) {
        const int ret = dev.injectSensorData(&frameEvent);
        if (ret != NO_ERROR) {
            // Stop at the first failure; later events of the frame are not sent.
            return ret;
        }
    }
    return NO_ERROR;
}
1872 
// Locking wrapper: takes mLock and delegates to resetToNormalModeLocked().
status_t SensorService::resetToNormalMode() {
    Mutex::Autolock _l(mLock);
    const status_t status = resetToNormalModeLocked();
    return status;
}
1877 
// Switches the sensor device back to NORMAL mode.  Only when the device accepts
// the mode change is mCurrentOperatingMode updated, all sensors re-enabled and
// the proximity state re-evaluated.  Returns the device's setMode() status.
status_t SensorService::resetToNormalModeLocked() {
    SensorDevice& dev(SensorDevice::getInstance());
    const status_t err = dev.setMode(NORMAL);
    if (err != NO_ERROR) {
        // Leave the recorded operating mode untouched on failure.
        return err;
    }
    mCurrentOperatingMode = NORMAL;
    dev.enableAllSensors();
    checkAndReportProxStateChangeLocked();
    return err;
}
1888 
// Detaches an event connection from the service: every sensor the connection
// had enabled is deactivated for it, the connection is removed from every
// active sensor record (records left without connections are deleted), the
// looper registration is refreshed, the connection is dropped from the
// connection holder, the wake lock state is re-checked if the connection
// needed it, and the sensor device is told the connection is gone.
void SensorService::cleanupConnection(SensorEventConnection* c) {
    ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
    const wp<SensorEventConnection> connection(c);
    size_t size = mActiveSensors.size();
    ALOGD_IF(DEBUG_CONNECTIONS, "%zu active sensors", size);

    // i only advances when the entry at i is kept; removing an entry shifts
    // the next one into position i and shrinks size instead.
    size_t i = 0;
    while (i < size) {
        const int handle = mActiveSensors.keyAt(i);
        if (c->hasSensor(handle)) {
            ALOGD_IF(DEBUG_CONNECTIONS, "%zu: disabling handle=0x%08x", i, handle);
            std::shared_ptr<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
            if (sensor == nullptr) {
                ALOGE("sensor interface of handle=0x%08x is null!", handle);
            } else {
                sensor->activate(c, false);
            }
            if (c->removeSensor(handle)) {
                BatteryService::disableSensor(c->getUid(), handle);
            }
        }

        SensorRecord* rec = mActiveSensors.valueAt(i);
        ALOGE_IF(!rec, "mActiveSensors[%zu] is null (handle=0x%08x)!", i, handle);
        ALOGD_IF(DEBUG_CONNECTIONS,
                "removing connection %p for sensor[%zu].handle=0x%08x",
                c, i, handle);

        const bool recordNowEmpty = rec && rec->removeConnection(connection);
        if (!recordNowEmpty) {
            i++;
            continue;
        }

        ALOGD_IF(DEBUG_CONNECTIONS, "... and it was the last connection");
        mActiveSensors.removeItemsAt(i, 1);
        mActiveVirtualSensors.erase(handle);
        // The record was created with new when the sensor was first enabled.
        delete rec;
        size--;
    }

    c->updateLooperRegistration(mLooper);
    mConnectionHolder.removeEventConnection(connection);
    if (c->needsWakeLock()) {
        checkWakeLockStateLocked(&connLock);
    }

    SensorDevice& dev(SensorDevice::getInstance());
    dev.notifyConnectionDestroyed(c);
}
1933 
// Tears down a direct connection: the HAL channel is unregistered with the
// sensor device (default device) or reported as destroyed to the runtime
// sensor callback of the connection's device, and the connection is removed
// from the connection holder in either case.
void SensorService::cleanupConnection(SensorDirectConnection* c) {
    Mutex::Autolock _l(mLock);

    const int deviceId = c->getDeviceId();
    if (deviceId != RuntimeSensor::DEFAULT_DEVICE_ID) {
        auto callbackEntry = mRuntimeSensorCallbacks.find(deviceId);
        if (callbackEntry == mRuntimeSensorCallbacks.end()) {
            ALOGE("Runtime sensor callback for deviceId %d not found", deviceId);
        } else {
            callbackEntry->second->onDirectChannelDestroyed(c->getHalChannelHandle());
        }
    } else {
        SensorDevice& dev(SensorDevice::getInstance());
        dev.unregisterDirectChannel(c->getHalChannelHandle());
    }
    // Removed even when no callback was found for the device.
    mConnectionHolder.removeDirectConnection(c);
}
1951 
// Recomputes whether any sensor in mProxSensorHandles is active and, when that
// differs from the last reported state, notifies the proximity listeners and
// records the new state.  Does nothing when there are no proximity handles.
void SensorService::checkAndReportProxStateChangeLocked() {
    if (mProxSensorHandles.empty()) return;

    SensorDevice& dev(SensorDevice::getInstance());
    bool anyProxActive = false;
    for (auto& proxHandle : mProxSensorHandles) {
        if (dev.isSensorActive(proxHandle)) {
            // One active sensor is enough; skip the rest.
            anyProxActive = true;
            break;
        }
    }

    if (anyProxActive == mLastReportedProxIsActive) {
        return;
    }
    notifyProximityStateLocked(anyProxActive, mProximityActiveListeners);
    mLastReportedProxIsActive = anyProxActive;
}
1968 
// Delivers a proximity state to the given listeners on a detached thread.
//
// Every call takes the next sequence number from curProxCallbackSeq.  The
// spawned thread polls (sleeping 1 ms between checks) until
// completedCallbackSeq shows that all earlier notifications have finished,
// then calls onProximityActive() on its copy of the listeners and bumps
// completedCallbackSeq.  Notifications are therefore delivered in call order,
// outside of the caller's lock.
//
// A listener that blocks in onProximityActive() holds up every later
// notification; their threads keep polling until it returns.
void SensorService::notifyProximityStateLocked(
        const bool isActive,
        const std::vector<sp<ProximityActiveListener>>& listeners) {
    const uint64_t mySeq = ++curProxCallbackSeq;
    // The listeners are copied into the closure because the thread outlives
    // this call.
    auto deliver = [isActive, mySeq, listenersCopy = listeners]() {
        while (completedCallbackSeq.load() != mySeq - 1) {
            std::this_thread::sleep_for(1ms);
        }
        for (auto& target : listenersCopy) {
            target->onProximityActive(isActive);
        }
        completedCallbackSeq++;
    };
    std::thread worker(deliver);
    worker.detach();
}
1982 
// Registers a proximity-active listener and immediately notifies it (and only
// it) of the last reported state.  Returns BAD_VALUE for a null callback and
// ALREADY_EXISTS when the callback is already registered.
status_t SensorService::addProximityActiveListener(const sp<ProximityActiveListener>& callback) {
    if (callback == nullptr) {
        return BAD_VALUE;
    }

    Mutex::Autolock _l(mLock);

    // Reject duplicates.
    for (auto it = mProximityActiveListeners.begin();
         it != mProximityActiveListeners.end();
         ++it) {
        if (*it == callback) {
            return ALREADY_EXISTS;
        }
    }

    mProximityActiveListeners.push_back(callback);
    // Only the new listener needs the current state; the others already have it.
    const std::vector<sp<ProximityActiveListener>> onlyNewListener(1, callback);
    notifyProximityStateLocked(mLastReportedProxIsActive, onlyNewListener);
    return OK;
}
2002 
// Unregisters a proximity-active listener.  Returns BAD_VALUE for a null
// callback and NAME_NOT_FOUND when the callback was never registered.
status_t SensorService::removeProximityActiveListener(
        const sp<ProximityActiveListener>& callback) {
    if (callback == nullptr) {
        return BAD_VALUE;
    }

    Mutex::Autolock _l(mLock);

    const size_t listenerCount = mProximityActiveListeners.size();
    for (size_t idx = 0; idx < listenerCount; ++idx) {
        if (mProximityActiveListeners[idx] != callback) {
            continue;
        }
        // Only the first match is removed; the add path rejects duplicates.
        mProximityActiveListeners.erase(mProximityActiveListeners.begin() + idx);
        return OK;
    }
    return NAME_NOT_FOUND;
}
2021 
// Returns the sensor interface mSensors holds for the handle.  Callers in this
// file treat a null result as "unknown handle".
std::shared_ptr<SensorInterface> SensorService::getSensorInterfaceFromHandle(int handle) const {
    std::shared_ptr<SensorInterface> iface = mSensors.getInterface(handle);
    return iface;
}
2025 
// Returns the deviceId of the sensor list entry whose sensor has the given
// handle, or RuntimeSensor::DEFAULT_DEVICE_ID when no entry matches.
int SensorService::getDeviceIdFromHandle(int handle) const {
    int foundDeviceId = RuntimeSensor::DEFAULT_DEVICE_ID;

    auto matchHandle =
            [&foundDeviceId, handle] (const SensorServiceUtil::SensorList::Entry& entry) -> bool {
                if (entry.si->getSensor().getHandle() != handle) {
                    return true;  // keep iterating
                }
                foundDeviceId = entry.deviceId;
                return false;  // stop iterating
            };
    mSensors.forEachEntry(matchHandle);

    return foundDeviceId;
}
2038 
enable(const sp<SensorEventConnection> & connection,int handle,nsecs_t samplingPeriodNs,nsecs_t maxBatchReportLatencyNs,int reservedFlags,const String16 & opPackageName)2039 status_t SensorService::enable(const sp<SensorEventConnection>& connection,
2040         int handle, nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags,
2041         const String16& opPackageName) {
2042     if (mInitCheck != NO_ERROR)
2043         return mInitCheck;
2044 
2045     std::shared_ptr<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
2046     if (sensor == nullptr ||
2047         !canAccessSensor(sensor->getSensor(), "Tried enabling", opPackageName)) {
2048         return BAD_VALUE;
2049     }
2050 
2051     ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
2052     if (mCurrentOperatingMode != NORMAL &&
2053         !isInjectionMode(mCurrentOperatingMode) &&
2054         !isAllowListedPackage(connection->getPackageName())) {
2055       return INVALID_OPERATION;
2056     }
2057 
2058     SensorRecord* rec = mActiveSensors.valueFor(handle);
2059     if (rec == nullptr) {
2060         rec = new SensorRecord(connection);
2061         mActiveSensors.add(handle, rec);
2062         if (sensor->isVirtual()) {
2063             mActiveVirtualSensors.emplace(handle);
2064         }
2065 
2066         // There was no SensorRecord for this sensor which means it was previously disabled. Mark
2067         // the recent event as stale to ensure that the previous event is not sent to a client. This
2068         // ensures on-change events that were generated during a previous sensor activation are not
2069         // erroneously sent to newly connected clients, especially if a second client registers for
2070         // an on-change sensor before the first client receives the updated event. Once an updated
2071         // event is received, the recent events will be marked as current, and any new clients will
2072         // immediately receive the most recent event.
2073         if (sensor->getSensor().getReportingMode() == AREPORTING_MODE_ON_CHANGE) {
2074             auto logger = mRecentEvent.find(handle);
2075             if (logger != mRecentEvent.end()) {
2076                 logger->second->setLastEventStale();
2077             }
2078         }
2079     } else {
2080         if (rec->addConnection(connection)) {
2081             // this sensor is already activated, but we are adding a connection that uses it.
2082             // Immediately send down the last known value of the requested sensor if it's not a
2083             // "continuous" sensor.
2084             if (sensor->getSensor().getReportingMode() == AREPORTING_MODE_ON_CHANGE) {
2085                 // NOTE: The wake_up flag of this event may get set to
2086                 // WAKE_UP_SENSOR_EVENT_NEEDS_ACK if this is a wake_up event.
2087 
2088                 auto logger = mRecentEvent.find(handle);
2089                 if (logger != mRecentEvent.end()) {
2090                     sensors_event_t event;
2091                     // Verify that the last sensor event was generated from the current activation
2092                     // of the sensor. If not, it is possible for an on-change sensor to receive a
2093                     // sensor event that is stale if two clients re-activate the sensor
2094                     // simultaneously.
2095                     if(logger->second->populateLastEventIfCurrent(&event)) {
2096                         event.sensor = handle;
2097                         if (event.version == sizeof(sensors_event_t)) {
2098                             if (isWakeUpSensorEvent(event) && !mWakeLockAcquired) {
2099                                 setWakeLockAcquiredLocked(true);
2100                             }
2101                             connection->sendEvents(&event, 1, nullptr);
2102                             if (!connection->needsWakeLock() && mWakeLockAcquired) {
2103                                 checkWakeLockStateLocked(&connLock);
2104                             }
2105                         }
2106                     }
2107                 }
2108             }
2109         }
2110     }
2111 
2112     if (connection->addSensor(handle)) {
2113         BatteryService::enableSensor(connection->getUid(), handle);
2114         // the sensor was added (which means it wasn't already there)
2115         // so, see if this connection becomes active
2116         mConnectionHolder.addEventConnectionIfNotPresent(connection);
2117     } else {
2118         ALOGW("sensor %08x already enabled in connection %p (ignoring)",
2119             handle, connection.get());
2120     }
2121 
2122     // Check maximum delay for the sensor.
2123     nsecs_t maxDelayNs = sensor->getSensor().getMaxDelay() * 1000LL;
2124     if (maxDelayNs > 0 && (samplingPeriodNs > maxDelayNs)) {
2125         samplingPeriodNs = maxDelayNs;
2126     }
2127 
2128     nsecs_t minDelayNs = sensor->getSensor().getMinDelayNs();
2129     if (samplingPeriodNs < minDelayNs) {
2130         samplingPeriodNs = minDelayNs;
2131     }
2132 
2133     ALOGD_IF(DEBUG_CONNECTIONS, "Calling batch handle==%d flags=%d"
2134                                 "rate=%" PRId64 " timeout== %" PRId64"",
2135              handle, reservedFlags, samplingPeriodNs, maxBatchReportLatencyNs);
2136 
2137     status_t err = sensor->batch(connection.get(), handle, 0, samplingPeriodNs,
2138                                  maxBatchReportLatencyNs);
2139 
2140     // Call flush() before calling activate() on the sensor. Wait for a first
2141     // flush complete event before sending events on this connection. Ignore
2142     // one-shot sensors which don't support flush(). Ignore on-change sensors
2143     // to maintain the on-change logic (any on-change events except the initial
2144     // one should be trigger by a change in value). Also if this sensor isn't
2145     // already active, don't call flush().
2146     if (err == NO_ERROR &&
2147             sensor->getSensor().getReportingMode() == AREPORTING_MODE_CONTINUOUS &&
2148             rec->getNumConnections() > 1) {
2149         connection->setFirstFlushPending(handle, true);
2150         status_t err_flush = sensor->flush(connection.get(), handle);
2151         // Flush may return error if the underlying h/w sensor uses an older HAL.
2152         if (err_flush == NO_ERROR) {
2153             rec->addPendingFlushConnection(connection.get());
2154         } else {
2155             connection->setFirstFlushPending(handle, false);
2156         }
2157     }
2158 
2159     if (err == NO_ERROR) {
2160         ALOGD_IF(DEBUG_CONNECTIONS, "Calling activate on %d", handle);
2161         err = sensor->activate(connection.get(), true);
2162     }
2163 
2164     if (err == NO_ERROR) {
2165         connection->updateLooperRegistration(mLooper);
2166 
2167         if (sensor->getSensor().getRequiredPermission().size() > 0 &&
2168                 sensor->getSensor().getRequiredAppOp() >= 0) {
2169             connection->mHandleToAppOp[handle] = sensor->getSensor().getRequiredAppOp();
2170         }
2171     }
2172 
2173     if (err != NO_ERROR) {
2174         // batch/activate has failed, reset our state.
2175         cleanupWithoutDisableLocked(connection, handle);
2176     }
2177 
2178     mLastNSensorRegistrations.editItemAt(mNextSensorRegIndex) =
2179             SensorRegistrationInfo(handle, connection->getPackageName(), samplingPeriodNs,
2180                                    maxBatchReportLatencyNs, /*activate=*/ true, err);
2181     mNextSensorRegIndex = (mNextSensorRegIndex + 1) % SENSOR_REGISTRATIONS_BUF_SIZE;
2182     return err;
2183 }
2184 
/**
 * Detaches |handle| from |connection| and, when that bookkeeping succeeds, asks the sensor to
 * deactivate for this connection. Every attempt is recorded in the registration history.
 *
 * @param connection Connection giving up the sensor.
 * @param handle     Handle of the sensor to disable.
 * @return mInitCheck if the service did not initialise; BAD_VALUE if there is no active record
 *         or no sensor interface for |handle|; otherwise the result of activate(..., false).
 */
status_t SensorService::disable(const sp<SensorEventConnection>& connection, int handle) {
    if (mInitCheck != NO_ERROR) {
        return mInitCheck;
    }

    Mutex::Autolock _l(mLock);
    status_t result = cleanupWithoutDisableLocked(connection, handle);
    if (result == NO_ERROR) {
        std::shared_ptr<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
        if (sensor != nullptr) {
            result = sensor->activate(connection.get(), false);
        } else {
            result = BAD_VALUE;
        }
    }

    // Record the attempt, successful or not, in the next slot of the history ring.
    mLastNSensorRegistrations.editItemAt(mNextSensorRegIndex) =
            SensorRegistrationInfo(handle, connection->getPackageName(), 0, 0,
                                   /*activate=*/ false, result);
    mNextSensorRegIndex = (mNextSensorRegIndex + 1) % SENSOR_REGISTRATIONS_BUF_SIZE;
    return result;
}
2200 
/**
 * Locking wrapper around cleanupWithoutDisableLocked(): takes mLock, then removes the
 * bookkeeping that links |connection| and |handle| without deactivating the sensor.
 *
 * @return Whatever cleanupWithoutDisableLocked() returns.
 */
status_t SensorService::cleanupWithoutDisable(
        const sp<SensorEventConnection>& connection, int handle) {
    Mutex::Autolock _l(mLock);
    const status_t result = cleanupWithoutDisableLocked(connection, handle);
    return result;
}
2206 
/**
 * Removes the association between |connection| and |handle| from the service's tables.
 * The "Locked" suffix suggests the caller already holds mLock; the callers visible in this
 * file take it before calling.
 *
 * @return BAD_VALUE if no SensorRecord exists for |handle|, NO_ERROR otherwise.
 */
status_t SensorService::cleanupWithoutDisableLocked(
        const sp<SensorEventConnection>& connection, int handle) {
    SensorRecord* record = mActiveSensors.valueFor(handle);
    if (record == nullptr) {
        return BAD_VALUE;
    }

    // Stop battery accounting only if the connection really had this sensor.
    if (connection->removeSensor(handle)) {
        BatteryService::disableSensor(connection->getUid(), handle);
    }

    // A connection left without sensors is dropped from the active set.
    if (!connection->hasAnySensor()) {
        connection->updateLooperRegistration(mLooper);
        mConnectionHolder.removeEventConnection(connection);
    }

    // removeConnection() returning true means the sensor has no users left, so its record is
    // unlinked from both tables before being freed.
    if (record->removeConnection(connection)) {
        mActiveSensors.removeItem(handle);
        mActiveVirtualSensors.erase(handle);
        delete record;
    }
    return NO_ERROR;
}
2229 
/**
 * Changes the sampling period of an already enabled sensor for |connection|.
 *
 * @param connection    Connection whose rate is being changed.
 * @param handle        Sensor handle.
 * @param ns            Requested period in nanoseconds; raised to the sensor's minimum delay
 *                      when shorter.
 * @param opPackageName Package name used for the access check.
 * @return mInitCheck if the service did not initialise; BAD_VALUE for an unknown handle, a
 *         failed access check or a negative period; otherwise the result of setDelay().
 */
status_t SensorService::setEventRate(const sp<SensorEventConnection>& connection,
        int handle, nsecs_t ns, const String16& opPackageName) {
    if (mInitCheck != NO_ERROR) {
        return mInitCheck;
    }

    std::shared_ptr<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
    if (sensor == nullptr) {
        return BAD_VALUE;
    }
    // The access check runs before the period is validated; a denial is reported as BAD_VALUE.
    if (!canAccessSensor(sensor->getSensor(), "Tried configuring", opPackageName)) {
        return BAD_VALUE;
    }
    if (ns < 0) {
        return BAD_VALUE;
    }

    // Never ask the sensor for a period shorter than its minimum delay.
    const nsecs_t minDelayNs = sensor->getSensor().getMinDelayNs();
    const nsecs_t effectiveNs = (ns < minDelayNs) ? minDelayNs : ns;

    return sensor->setDelay(connection.get(), handle, effectiveNs);
}
2251 
/**
 * Requests a flush on every sensor currently active on |connection|.
 *
 * All sensors are attempted even after a failure. If several flush() calls fail, the return
 * value is the status of the last one that failed.
 *
 * @param connection    Connection whose sensors are flushed.
 * @param opPackageName Package name used for the per-sensor access check.
 * @return mInitCheck if the service did not initialise; NO_ERROR if nothing failed;
 *         INVALID_OPERATION for a one-shot or inaccessible sensor; or a flush() error.
 */
status_t SensorService::flushSensor(const sp<SensorEventConnection>& connection,
        const String16& opPackageName) {
    if (mInitCheck != NO_ERROR) {
        return mInitCheck;
    }
    SensorDevice& device = SensorDevice::getInstance();
    const int halVersion = device.getHalDeviceVersion();
    status_t result = NO_ERROR;
    Mutex::Autolock _l(mLock);

    for (int handle : connection->getActiveSensorHandles()) {
        std::shared_ptr<SensorInterface> sensor = getSensorInterfaceFromHandle(handle);
        if (sensor == nullptr) {
            continue;
        }
        if (sensor->getSensor().getReportingMode() == AREPORTING_MODE_ONE_SHOT) {
            ALOGE("flush called on a one-shot sensor");
            result = INVALID_OPERATION;
            continue;
        }

        const bool trivialFlush =
                halVersion <= SENSORS_DEVICE_API_VERSION_1_0 || isVirtualSensor(handle);
        if (trivialFlush) {
            // Old HALs and virtual sensors: only bump the pending flush count, which results
            // in a trivial flush complete event. The access check for this path is the one
            // performed by incrementPendingFlushCountIfHasAccess().
            if (!connection->incrementPendingFlushCountIfHasAccess(handle)) {
                ALOGE("flush called on an inaccessible sensor");
                result = INVALID_OPERATION;
            }
            continue;
        }

        if (!canAccessSensor(sensor->getSensor(), "Tried flushing", opPackageName)) {
            result = INVALID_OPERATION;
            continue;
        }

        const status_t flushStatus = sensor->flush(connection.get(), handle);
        if (flushStatus != NO_ERROR) {
            result = flushStatus;
            continue;
        }
        // Remember which connection is waiting for the flush complete event.
        SensorRecord* record = mActiveSensors.valueFor(handle);
        if (record != nullptr) {
            record->addPendingFlushConnection(connection);
        }
    }
    return result;
}
2292 
/**
 * Decides whether the calling client may use |sensor|, logging any denial.
 *
 * Order of checks: the head tracker restriction, then "no permission required", then one of
 * three grants (legacy step-sensor exemption, AID_SYSTEM caller, permission plus AppOp).
 *
 * @param sensor        Sensor the caller wants to use.
 * @param operation     Text used only in log messages (e.g. "Tried flushing").
 * @param opPackageName Package name attached to the request; used for the target SDK lookup,
 *                      the AppOp check and logging.
 * @return true if access is granted.
 */
bool SensorService::canAccessSensor(const Sensor& sensor, const char* operation,
        const String16& opPackageName) {
    // Special case for Head Tracker sensor type: currently restricted to system usage only, unless
    // the restriction is specially lifted for testing
    if (sensor.getType() == SENSOR_TYPE_HEAD_TRACKER &&
            !isAudioServerOrSystemServerUid(IPCThreadState::self()->getCallingUid())) {
        if (!mHtRestricted) {
            // Restriction lifted: log it and fall through to the regular permission checks.
            ALOGI("Permitting access to HT sensor type outside system (%s)",
                  String8(opPackageName).c_str());
        } else {
            ALOGW("%s %s a sensor (%s) as a non-system client", String8(opPackageName).c_str(),
                  operation, sensor.getName().c_str());
            return false;
        }
    }

    // Check if a permission is required for this sensor
    if (sensor.getRequiredPermission().length() <= 0) {
        return true;
    }

    const int32_t opCode = sensor.getRequiredAppOp();
    int targetSdkVersion = getTargetSdkVersion(opPackageName);

    // Deny by default; each branch below must grant access explicitly.
    bool canAccess = false;
    if (targetSdkVersion > 0 && targetSdkVersion <= __ANDROID_API_P__ &&
            (sensor.getType() == SENSOR_TYPE_STEP_COUNTER ||
             sensor.getType() == SENSOR_TYPE_STEP_DETECTOR)) {
        // Allow access to step sensors if the application targets pre-Q, which is before the
        // requirement to hold the AR permission to access Step Counter and Step Detector events
        // was introduced.
        // This branch skips both the permission check and the AppOp check, and it is selected
        // by the target SDK looked up from opPackageName.
        // NOTE(review): nothing in this function ties opPackageName to the calling UID;
        // confirm that callers validate it before it reaches here.
        canAccess = true;
    } else if (IPCThreadState::self()->getCallingUid() == AID_SYSTEM) {
        // Allow access if it is requested from system.
        canAccess = true;
    } else if (hasPermissionForSensor(sensor)) {
        // Ensure that the AppOp is allowed, or that there is no necessary app op
        // for the sensor
        if (opCode >= 0) {
            const int32_t appOpMode =
                    sAppOpsManager.checkOp(opCode, IPCThreadState::self()->getCallingUid(),
                                           opPackageName);
            // Only MODE_ALLOWED grants access; every other mode is treated as a denial.
            canAccess = (appOpMode == AppOpsManager::MODE_ALLOWED);
        } else {
            canAccess = true;
        }
    }

    if (!canAccess) {
        // The denial log names the package, the operation, the sensor and the permission.
        ALOGE("%s %s a sensor (%s) without holding %s", String8(opPackageName).c_str(),
              operation, sensor.getName().c_str(), sensor.getRequiredPermission().c_str());
    }

    return canAccess;
}
2348 
/**
 * Checks whether the calling process holds the permission that |sensor| requires.
 *
 * @param sensor Sensor whose required permission is checked.
 * @return true if the caller holds the permission.
 */
bool SensorService::hasPermissionForSensor(const Sensor& sensor) {
    const String16 permission(sensor.getRequiredPermission());

    // Runtime permissions can't use the cache as they may change.
    if (sensor.isRequiredPermissionRuntime()) {
        return checkPermission(permission,
                IPCThreadState::self()->getCallingPid(),
                IPCThreadState::self()->getCallingUid(),
                /*logPermissionFailure=*/ false);
    }

    // Other permissions go through the permission cache.
    return PermissionCache::checkCallingPermission(permission);
}
2364 
/**
 * Returns the target SDK version of |opPackageName|, using a process-wide cache.
 *
 * The result of a lookup is cached even when it is -1, so a failed lookup is not retried
 * until resetTargetSdkVersionCache() removes the entry. The query to "package_native" runs
 * while sPackageTargetVersionLock is held.
 *
 * @param opPackageName Package name to look up.
 * @return The target SDK version, or -1 when it is unknown or the name looks like the
 *         ISensorManager descriptor.
 */
int SensorService::getTargetSdkVersion(const String16& opPackageName) {
    // Don't query the SDK version for the ISensorManager descriptor as it
    // doesn't have one. This descriptor tends to be used for VNDK clients, but
    // can technically be set by anyone so don't give it elevated privileges.
    if (opPackageName.startsWith(sSensorInterfaceDescriptorPrefix) &&
            opPackageName.contains(String16("@"))) {
        return -1;
    }

    Mutex::Autolock packageLock(sPackageTargetVersionLock);
    auto cached = sPackageTargetVersion.find(opPackageName);
    if (cached != sPackageTargetVersion.end()) {
        return cached->second;
    }

    // Cache miss: ask the native package manager; any failure leaves the version at -1.
    int targetSdkVersion = -1;
    sp<content::pm::IPackageManagerNative> packageManager;
    sp<IBinder> pmBinder = defaultServiceManager()->getService(String16("package_native"));
    if (pmBinder != nullptr) {
        packageManager = interface_cast<content::pm::IPackageManagerNative>(pmBinder);
    }
    if (packageManager != nullptr) {
        binder::Status status = packageManager->getTargetSdkVersionForPackage(
                opPackageName, &targetSdkVersion);
        if (!status.isOk()) {
            // Discard whatever the failed call may have written.
            targetSdkVersion = -1;
        }
    }
    sPackageTargetVersion[opPackageName] = targetSdkVersion;
    return targetSdkVersion;
}
2397 
/**
 * Drops the cached target SDK version for |opPackageName|, if any, so that the next
 * getTargetSdkVersion() call looks it up again.
 *
 * @param opPackageName Package whose cache entry is removed.
 */
void SensorService::resetTargetSdkVersionCache(const String16& opPackageName) {
    Mutex::Autolock packageLock(sPackageTargetVersionLock);
    // Erasing by key does nothing when the package was never cached.
    sPackageTargetVersion.erase(opPackageName);
}
2405 
/**
 * Translates a mode keyword into the matching operating mode. The comparison is exact and
 * case-sensitive.
 *
 * @param inputString   Keyword to translate.
 * @param targetModeOut Receives the mode on success; left untouched otherwise. Must not be
 *                      null, as it is written without a check.
 * @return true if |inputString| named a known mode.
 */
bool SensorService::getTargetOperatingMode(const std::string &inputString, Mode *targetModeOut) {
    struct ModeKeyword {
        const char* text;
        Mode mode;
    };
    static const ModeKeyword kModeKeywords[] = {
        {"restrict", RESTRICTED},
        {"enable", NORMAL},
        {"data_injection", DATA_INJECTION},
        {"replay_data_injection", REPLAY_DATA_INJECTION},
        {"hal_bypass_replay_data_injection", HAL_BYPASS_REPLAY_DATA_INJECTION},
    };

    for (const ModeKeyword& keyword : kModeKeywords) {
        if (inputString == keyword.text) {
            *targetModeOut = keyword.mode;
            return true;
        }
    }
    return false;
}
2429 
/**
 * Moves the service to |targetOperatingMode| while holding the connection lock.
 *
 * @param args                Command arguments; for every target other than NORMAL, args[1]
 *                            is stored as the allow-listed package.
 * @param targetOperatingMode Mode to switch to.
 * @return NO_ERROR if the service is already in the target mode or the request was handled;
 *         INVALID_OPERATION if a non-NORMAL target comes with fewer than two arguments, if the
 *         transition is not allowed from the current mode, or if a replay injection mode is
 *         requested while SensorServiceUtil::isUserBuild() reports true.
 */
status_t SensorService::changeOperatingMode(const Vector<String16>& args,
                                            Mode targetOperatingMode) {
    ConnectionSafeAutolock connLock = mConnectionHolder.lock(mLock);
    SensorDevice& dev(SensorDevice::getInstance());
    if (mCurrentOperatingMode == targetOperatingMode) {
        return NO_ERROR;
    }
    // Guards the args[1] reads below.
    if (targetOperatingMode != NORMAL && args.size() < 2) {
        return INVALID_OPERATION;
    }
    switch (targetOperatingMode) {
      case NORMAL:
        // If currently in restricted mode, reset back to NORMAL mode else ignore.
        if (mCurrentOperatingMode == RESTRICTED) {
            mCurrentOperatingMode = NORMAL;
            // enable sensors and recover all sensor direct report
            enableAllSensorsLocked(&connLock);
        }
        // If the branch above ran, the mode is already NORMAL and the two checks below are
        // skipped; they only apply when leaving one of the injection modes.
        if (mCurrentOperatingMode == REPLAY_DATA_INJECTION) {
            dev.disableAllSensors();
        }
        if (mCurrentOperatingMode == DATA_INJECTION ||
                mCurrentOperatingMode == REPLAY_DATA_INJECTION ||
                mCurrentOperatingMode == HAL_BYPASS_REPLAY_DATA_INJECTION) {
          resetToNormalModeLocked();
        }
        // Leaving any special mode always forgets the allow-listed package.
        mAllowListedPackage.clear();
        return status_t(NO_ERROR);
      case RESTRICTED:
        // If in any mode other than normal, ignore.
        if (mCurrentOperatingMode != NORMAL) {
            return INVALID_OPERATION;
        }

        mCurrentOperatingMode = RESTRICTED;
        // temporarily stop all sensor direct report and disable sensors
        disableAllSensorsLocked(&connLock);
        mAllowListedPackage = String8(args[1]);
        return status_t(NO_ERROR);
      case HAL_BYPASS_REPLAY_DATA_INJECTION:
        FALLTHROUGH_INTENDED;
      case REPLAY_DATA_INJECTION:
        // Both replay modes are refused when isUserBuild() reports true; plain DATA_INJECTION
        // enters below without that check.
        if (SensorServiceUtil::isUserBuild()) {
            return INVALID_OPERATION;
        }
        FALLTHROUGH_INTENDED;
      case DATA_INJECTION:
        if (mCurrentOperatingMode == NORMAL) {
            dev.disableAllSensors();
            status_t err = NO_ERROR;
            if (targetOperatingMode == HAL_BYPASS_REPLAY_DATA_INJECTION) {
                // Set SensorDevice to HAL_BYPASS_REPLAY_DATA_INJECTION_MODE. This value is not
                // injected into the HAL, nor will any events be injected into the HAL
                err = dev.setMode(HAL_BYPASS_REPLAY_DATA_INJECTION);
            } else {
                // Otherwise use DATA_INJECTION here since this value goes to the HAL and the HAL
                // doesn't have an understanding of replay vs. normal data injection.
                err = dev.setMode(DATA_INJECTION);
            }
            if (err == NO_ERROR) {
                mCurrentOperatingMode = targetOperatingMode;
            }
            if (err != NO_ERROR || targetOperatingMode == REPLAY_DATA_INJECTION) {
                // Re-enable sensors.
                dev.enableAllSensors();
            }
            // NOTE(review): a setMode() failure is not propagated. The mode stays NORMAL, yet
            // mAllowListedPackage is overwritten and NO_ERROR is returned, so the caller
            // cannot tell that the switch did not happen. Confirm this is intended.
            mAllowListedPackage = String8(args[1]);
            return NO_ERROR;
        } else {
            // Transition to data injection mode supported only from NORMAL mode.
            return INVALID_OPERATION;
        }
        // Not reached: both branches above return.
        break;
      default:
        break;
    }
    return NO_ERROR;
}
2508 
/**
 * Locking wrapper around checkWakeLockStateLocked(): takes the connection-safe lock on mLock
 * and re-evaluates whether the wake lock is still needed.
 */
void SensorService::checkWakeLockState() {
    ConnectionSafeAutolock lock = mConnectionHolder.lock(mLock);
    checkWakeLockStateLocked(&lock);
}
2513 
/**
 * Releases the wake lock when it is held and no active connection needs it any more.
 *
 * @param connLock Lock object used to enumerate the active connections.
 */
void SensorService::checkWakeLockStateLocked(ConnectionSafeAutolock* connLock) {
    if (!mWakeLockAcquired) {
        return;
    }
    for (const sp<SensorEventConnection>& connection : connLock->getActiveConnections()) {
        if (connection->needsWakeLock()) {
            // At least one connection still depends on the wake lock; keep it.
            return;
        }
    }
    setWakeLockAcquiredLocked(false);
}
2529 
/**
 * Writes the events cached by |connection| to its socket under mLock and acquires the wake
 * lock if the connection needs it afterwards.
 *
 * @param connection Connection whose cache is written out.
 */
void SensorService::sendEventsFromCache(const sp<SensorEventConnection>& connection) {
    Mutex::Autolock _l(mLock);
    connection->writeToSocketFromCache();
    const bool wakeLockNeeded = connection->needsWakeLock();
    if (wakeLockNeeded) {
        setWakeLockAcquiredLocked(true);
    }
}
2537 
/**
 * Reports whether |packageName| matches the allow-listed package.
 *
 * The match is a substring test: any package name that contains mAllowListedPackage is
 * accepted, not only an identical one.
 * NOTE(review): if String8::contains() follows strstr() semantics, an empty allow-list
 * matches every package; confirm that the mode checks in the callers rule this case out.
 *
 * @param packageName Package name to test.
 * @return true if |packageName| contains the allow-listed string.
 */
bool SensorService::isAllowListedPackage(const String8& packageName) {
    const char* allowListed = mAllowListedPackage.c_str();
    return packageName.contains(allowListed);
}
2541 
/**
 * Reports whether requests from |opPackageName| are currently blocked: true only while the
 * service is in RESTRICTED mode and the package is not allow-listed.
 *
 * @param opPackageName Package name attached to the request.
 * @return true if the operation must be refused.
 */
bool SensorService::isOperationRestrictedLocked(const String16& opPackageName) {
    // The String8 conversion and the allow-list test only happen in RESTRICTED mode.
    return mCurrentOperatingMode == RESTRICTED &&
            !isAllowListedPackage(String8(opPackageName));
}
2549 
/**
 * Registers this policy with the activity manager as an observer of UID gone, idle and
 * active transitions.
 */
void SensorService::UidPolicy::registerSelf() {
    const auto observedEvents = ActivityManager::UID_OBSERVER_GONE
            | ActivityManager::UID_OBSERVER_IDLE
            | ActivityManager::UID_OBSERVER_ACTIVE;
    ActivityManager am;
    am.registerUidObserver(this, observedEvents,
            ActivityManager::PROCESS_STATE_UNKNOWN,
            String16("android"));
}
2558 
/**
 * Removes this policy from the activity manager's UID observers.
 */
void SensorService::UidPolicy::unregisterSelf() {
    ActivityManager activityManager;
    activityManager.unregisterUidObserver(this);
}
2563 
/**
 * Observer callback for a UID that has gone away; handled exactly like the UID going idle.
 * Both parameters carry the __unused annotation although they are forwarded.
 */
void SensorService::UidPolicy::onUidGone(__unused uid_t uid, __unused bool disabled) {
    // A gone UID needs the same bookkeeping as an idle one.
    onUidIdle(uid, disabled);
}
2567 
/**
 * Observer callback for a UID that became active: records it and notifies the service if it
 * is still alive. The notification is sent after mUidLock has been released.
 *
 * @param uid UID that became active.
 */
void SensorService::UidPolicy::onUidActive(uid_t uid) {
    {
        Mutex::Autolock _l(mUidLock);
        mActiveUids.insert(uid);
    }

    sp<SensorService> service = mService.promote();
    if (service == nullptr) {
        return;
    }
    service->onUidStateChanged(uid, UID_STATE_ACTIVE);
}
2578 
/**
 * Observer callback for a UID that became idle: forgets it and, only if it had been recorded
 * as active, notifies the service. The notification is sent after mUidLock is released.
 *
 * @param uid      UID that became idle.
 * @param disabled Not used by this implementation.
 */
void SensorService::UidPolicy::onUidIdle(uid_t uid, __unused bool disabled) {
    bool wasTracked = false;
    {
        Mutex::Autolock _l(mUidLock);
        wasTracked = mActiveUids.erase(uid) > 0;
    }
    if (!wasTracked) {
        return;
    }

    sp<SensorService> service = mService.promote();
    if (service != nullptr) {
        service->onUidStateChanged(uid, UID_STATE_IDLE);
    }
}
2594 
/**
 * Installs an override that forces |uid| to be treated as active or idle.
 *
 * @param uid    UID to override.
 * @param active State the override reports for |uid|.
 */
void SensorService::UidPolicy::addOverrideUid(uid_t uid, bool active) {
    updateOverrideUid(uid, active, /*insert=*/ true);
}
2598 
/**
 * Removes any override for |uid|, so its state again follows the observed active set.
 *
 * @param uid UID whose override is removed.
 */
void SensorService::UidPolicy::removeOverrideUid(uid_t uid) {
    updateOverrideUid(uid, /*active=*/ false, /*insert=*/ false);
}
2602 
/**
 * Replaces or removes the override for |uid| and notifies the service when the effective
 * state of the UID changes as a result.
 *
 * @param uid    UID whose override is updated.
 * @param active State to store when |insert| is true.
 * @param insert true to store a new override, false to only remove the existing one.
 */
void SensorService::UidPolicy::updateOverrideUid(uid_t uid, bool active, bool insert) {
    bool activeBefore = false;
    bool activeAfter = false;
    {
        Mutex::Autolock _l(mUidLock);
        activeBefore = isUidActiveLocked(uid);
        // Any previous override is dropped first, so the new value always takes effect.
        mOverrideUids.erase(uid);
        if (insert) {
            mOverrideUids.emplace(uid, active);
        }
        activeAfter = isUidActiveLocked(uid);
    }

    if (activeBefore == activeAfter) {
        return;
    }
    // The service is notified after mUidLock has been released.
    sp<SensorService> service = mService.promote();
    if (service != nullptr) {
        service->onUidStateChanged(uid, activeAfter ? UID_STATE_ACTIVE : UID_STATE_IDLE);
    }
}
2622 
/**
 * Reports whether |uid| is currently considered active, taking mUidLock for the lookup.
 *
 * @param uid UID to query.
 * @return true for UIDs below FIRST_APPLICATION_UID, otherwise the tracked state.
 */
bool SensorService::UidPolicy::isUidActive(uid_t uid) {
    // Non-app UIDs are considered always active
    const bool isAppUid = !(uid < FIRST_APPLICATION_UID);
    if (!isAppUid) {
        return true;
    }
    Mutex::Autolock _l(mUidLock);
    return isUidActiveLocked(uid);
}
2631 
/**
 * Lock-free part of isUidActive(); the callers visible in this file hold mUidLock.
 * An override entry, when present, takes precedence over the observed active set.
 *
 * @param uid UID to query.
 * @return true if |uid| is considered active.
 */
bool SensorService::UidPolicy::isUidActiveLocked(uid_t uid) {
    // Non-app UIDs are considered always active
    if (uid < FIRST_APPLICATION_UID) {
        return true;
    }
    const auto overrideEntry = mOverrideUids.find(uid);
    const bool hasOverride = overrideEntry != mOverrideUids.end();
    return hasOverride ? overrideEntry->second
                       : mActiveUids.find(uid) != mActiveUids.end();
}
2643 
/**
 * Convenience forwarder to the UID policy.
 *
 * @param uid UID to query.
 * @return Whatever UidPolicy::isUidActive() reports for |uid|.
 */
bool SensorService::isUidActive(uid_t uid) {
    const bool active = mUidPolicy->isUidActive(uid);
    return active;
}
2647 
/**
 * Decides whether the caller's sampling rate must be capped: only when the package targets
 * __ANDROID_API_S__ or later and the caller lacks the high sampling rate permission.
 *
 * NOTE(review): getTargetSdkVersion() returns -1 when the version is unknown, and -1 passes
 * the "older than S" test, so no cap is applied in that case. Confirm that not capping on an
 * unknown version is intended.
 *
 * @param opPackageName Package name used for the target SDK lookup.
 * @return true if the rate should be capped.
 */
bool SensorService::isRateCappedBasedOnPermission(const String16& opPackageName) {
    const int targetSdk = getTargetSdkVersion(opPackageName);
    // The permission is queried even when the SDK level alone decides the outcome.
    const bool mayUseHighRate = checkPermission(sAccessHighSensorSamplingRatePermission,
            IPCThreadState::self()->getCallingPid(),
            IPCThreadState::self()->getCallingUid(),
            /*logPermissionFailure=*/ false);

    if (targetSdk < __ANDROID_API_S__) {
        return false;
    }
    return !mayUseHighRate;
}
2660 
/**
 * Tells whether a sensor type is subject to the HIGH_SAMPLING_RATE_SENSORS rate cap:
 * accelerometer, gyroscope and magnetic field, each in calibrated and uncalibrated form.
 *
 * This needs to be kept in sync with the list defined on the Java side
 * in frameworks/base/core/java/android/hardware/SystemSensorManager.java
 *
 * @param sensorType Sensor type constant to test.
 * @return true if the type belongs to the capped set.
 */
bool SensorService::isSensorInCappedSet(int sensorType) {
    switch (sensorType) {
        case SENSOR_TYPE_ACCELEROMETER:
        case SENSOR_TYPE_ACCELEROMETER_UNCALIBRATED:
        case SENSOR_TYPE_GYROSCOPE:
        case SENSOR_TYPE_GYROSCOPE_UNCALIBRATED:
        case SENSOR_TYPE_MAGNETIC_FIELD:
        case SENSOR_TYPE_MAGNETIC_FIELD_UNCALIBRATED:
            return true;
        default:
            return false;
    }
}
2676 
/**
 * Raises a requested sampling period to SENSOR_SERVICE_CAPPED_SAMPLING_PERIOD_NS when the
 * caller is rate-capped by permission or microphone privacy is enabled. Requests that are
 * already at or above the cap period are left alone.
 *
 * @param requestedPeriodNs In/out: requested period in nanoseconds; may be overwritten.
 * @param opPackageName     Package name used for the permission and debuggable checks.
 * @return PERMISSION_DENIED when the cap was applied for lack of permission and the package
 *         is debuggable (the value is still capped); OK in every other case.
 */
status_t SensorService::adjustSamplingPeriodBasedOnMicAndPermission(nsecs_t* requestedPeriodNs,
        const String16& opPackageName) {
    if (*requestedPeriodNs >= SENSOR_SERVICE_CAPPED_SAMPLING_PERIOD_NS) {
        return OK;
    }

    if (isRateCappedBasedOnPermission(opPackageName)) {
        *requestedPeriodNs = SENSOR_SERVICE_CAPPED_SAMPLING_PERIOD_NS;
        // Debuggable packages get an error rather than a silent cap.
        return isPackageDebuggable(opPackageName) ? status_t(PERMISSION_DENIED) : status_t(OK);
    }

    if (mMicSensorPrivacyPolicy->isSensorPrivacyEnabled()) {
        *requestedPeriodNs = SENSOR_SERVICE_CAPPED_SAMPLING_PERIOD_NS;
    }
    return OK;
}
2696 
/**
 * Lowers a requested rate level to SENSOR_SERVICE_CAPPED_SAMPLING_RATE_LEVEL when the caller
 * is rate-capped by permission or microphone privacy is enabled. Requests that are already at
 * or below the cap level are left alone.
 *
 * @param requestedRateLevel In/out: requested rate level; may be overwritten.
 * @param opPackageName      Package name used for the permission and debuggable checks.
 * @return PERMISSION_DENIED when the cap was applied for lack of permission and the package
 *         is debuggable (the value is still capped); OK in every other case.
 */
status_t SensorService::adjustRateLevelBasedOnMicAndPermission(int* requestedRateLevel,
        const String16& opPackageName) {
    if (*requestedRateLevel <= SENSOR_SERVICE_CAPPED_SAMPLING_RATE_LEVEL) {
        return OK;
    }

    if (isRateCappedBasedOnPermission(opPackageName)) {
        *requestedRateLevel = SENSOR_SERVICE_CAPPED_SAMPLING_RATE_LEVEL;
        // Debuggable packages get an error rather than a silent cap.
        return isPackageDebuggable(opPackageName) ? status_t(PERMISSION_DENIED) : status_t(OK);
    }

    if (mMicSensorPrivacyPolicy->isSensorPrivacyEnabled()) {
        *requestedRateLevel = SENSOR_SERVICE_CAPPED_SAMPLING_RATE_LEVEL;
    }
    return OK;
}
2716 
/**
 * Reads the current sensor privacy state and subscribes this policy to later changes.
 */
void SensorService::SensorPrivacyPolicy::registerSelf() {
    // NOTE(review): AutoCallerClear presumably clears the binder calling identity for this
    // scope; confirm against its definition.
    AutoCallerClear acc;
    SensorPrivacyManager privacyManager;
    // The initial state is read before the listener is added.
    mSensorPrivacyEnabled = privacyManager.isSensorPrivacyEnabled();
    privacyManager.addSensorPrivacyListener(this);
}
2723 
/**
 * Unsubscribes this policy from sensor privacy changes.
 */
void SensorService::SensorPrivacyPolicy::unregisterSelf() {
    AutoCallerClear acc;
    SensorPrivacyManager privacyManager;
    privacyManager.removeSensorPrivacyListener(this);
}
2729 
/**
 * Returns the most recently recorded sensor privacy state.
 *
 * @return true if sensor privacy was enabled at registration or by the last change callback.
 */
bool SensorService::SensorPrivacyPolicy::isSensorPrivacyEnabled() {
    const bool enabled = mSensorPrivacyEnabled;
    return enabled;
}
2733 
/**
 * Listener callback for sensor privacy changes: stores the new state and, while the service
 * is alive, disables all sensors when privacy is enabled or re-enables them when it is
 * lifted.
 *
 * @param enabled New privacy state; the other two parameters are ignored.
 * @return Always binder::Status::ok().
 */
binder::Status SensorService::SensorPrivacyPolicy::onSensorPrivacyChanged(int toggleType __unused,
        int sensor __unused, bool enabled) {
    mSensorPrivacyEnabled = enabled;

    sp<SensorService> service = mService.promote();
    if (service == nullptr) {
        // The state is recorded even though there is no service left to act on it.
        return binder::Status::ok();
    }

    if (enabled) {
        service->disableAllSensors();
    } else {
        service->enableAllSensors();
    }
    return binder::Status::ok();
}
2748 
/**
 * Reads the current microphone privacy state (software or hardware toggle) and subscribes
 * this policy to later toggle changes.
 */
void SensorService::MicrophonePrivacyPolicy::registerSelf() {
    AutoCallerClear acc;
    SensorPrivacyManager privacyManager;

    // Either toggle being on counts as enabled; the hardware toggle is only queried when the
    // software toggle is off.
    bool micPrivacyEnabled = privacyManager.isToggleSensorPrivacyEnabled(
            SensorPrivacyManager::TOGGLE_TYPE_SOFTWARE,
            SensorPrivacyManager::TOGGLE_SENSOR_MICROPHONE);
    if (!micPrivacyEnabled) {
        micPrivacyEnabled = privacyManager.isToggleSensorPrivacyEnabled(
                SensorPrivacyManager::TOGGLE_TYPE_HARDWARE,
                SensorPrivacyManager::TOGGLE_SENSOR_MICROPHONE);
    }
    mSensorPrivacyEnabled = micPrivacyEnabled;

    privacyManager.addToggleSensorPrivacyListener(this);
}
2761 
/**
 * Unsubscribes this policy from toggle sensor privacy changes.
 */
void SensorService::MicrophonePrivacyPolicy::unregisterSelf() {
    AutoCallerClear acc;
    SensorPrivacyManager privacyManager;
    privacyManager.removeToggleSensorPrivacyListener(this);
}
2767 
/**
 * Listener callback for toggle privacy changes. Only microphone changes are handled: the new
 * state is stored and, while the service is alive, rates are capped when microphone privacy
 * is enabled and uncapped when it is lifted.
 *
 * @param sensor  Toggle sensor the change applies to.
 * @param enabled New privacy state for that sensor.
 * @return Always binder::Status::ok().
 */
binder::Status SensorService::MicrophonePrivacyPolicy::onSensorPrivacyChanged(int toggleType __unused,
        int sensor, bool enabled) {
    const bool isMicrophone = (sensor == SensorPrivacyManager::TOGGLE_SENSOR_MICROPHONE);
    if (!isMicrophone) {
        // Changes for other toggles leave the stored state untouched.
        return binder::Status::ok();
    }
    mSensorPrivacyEnabled = enabled;

    sp<SensorService> service = mService.promote();
    if (service == nullptr) {
        return binder::Status::ok();
    }

    if (enabled) {
        service->capRates();
    } else {
        service->uncapRates();
    }
    return binder::Status::ok();
}
2785 
/**
 * Binds the lock object to |holder| and acquires |mutex| through the mAutolock member, so the
 * mutex is held for as long as this object exists.
 *
 * @param holder Connection holder whose lists are read through this lock.
 * @param mutex  Mutex to acquire.
 */
SensorService::ConnectionSafeAutolock::ConnectionSafeAutolock(
        SensorService::SensorConnectionHolder& holder, Mutex& mutex)
        : mConnectionHolder(holder),
          mAutolock(mutex) {
}
2789 
// Promotes every weak connection in connectionList and returns the ones that
// are still alive.
//
// A fresh vector is appended to referenceHolder on every call and the strong
// references are stored there, so the returned reference points into
// referenceHolder and the connections stay referenced for as long as that
// vector is kept. Repeated calls accumulate one vector each.
//
// NOTE(review): referenceHolder is passed members of this autolock by the
// callers in this file; whether those members are released before or after
// the mutex depends on the member declaration order, which is not shown here.
template <typename ConnectionType>
const std::vector<sp<ConnectionType>>&
SensorService::ConnectionSafeAutolock::getConnectionsHelper(
        const SortedVector<wp<ConnectionType>>& connectionList,
        std::vector<std::vector<sp<ConnectionType>>>* referenceHolder) {
    referenceHolder->emplace_back();
    std::vector<sp<ConnectionType>>& alive = referenceHolder->back();

    for (size_t i = 0; i < connectionList.size(); ++i) {
        sp<ConnectionType> strong = connectionList[i].promote();
        if (strong == nullptr) {
            // The connection has already been destroyed; skip it.
            continue;
        }
        alive.push_back(std::move(strong));
    }
    return alive;
}
2804 
// Returns strong references to the holder's active event connections that
// could still be promoted. The references are stored in
// mReferencedActiveConnections, which the returned vector lives in.
const std::vector<sp<SensorService::SensorEventConnection>>&
SensorService::ConnectionSafeAutolock::getActiveConnections() {
    const auto& weakConnections = mConnectionHolder.mActiveConnections;
    return getConnectionsHelper(weakConnections, &mReferencedActiveConnections);
}
2810 
// Returns strong references to the holder's direct connections that could
// still be promoted. The references are stored in
// mReferencedDirectConnections, which the returned vector lives in.
const std::vector<sp<SensorService::SensorDirectConnection>>&
SensorService::ConnectionSafeAutolock::getDirectConnections() {
    const auto& weakConnections = mConnectionHolder.mDirectConnections;
    return getConnectionsHelper(weakConnections, &mReferencedDirectConnections);
}
2816 
// Adds the event connection to the active list unless indexOf() already
// finds it there.
//
// This method takes no lock itself; NOTE(review): callers presumably hold
// the mutex that guards the connection lists. Confirm at the call sites.
void SensorService::SensorConnectionHolder::addEventConnectionIfNotPresent(
        const sp<SensorService::SensorEventConnection>& connection) {
    const bool alreadyTracked = mActiveConnections.indexOf(connection) >= 0;
    if (alreadyTracked) {
        return;
    }
    mActiveConnections.add(connection);
}
2823 
// Removes the given event connection from the active list. The argument is
// a weak reference, so no strong reference is needed to remove an entry.
void SensorService::SensorConnectionHolder::removeEventConnection(
        const wp<SensorService::SensorEventConnection>& connection)
{
    mActiveConnections.remove(connection);
}
2828 
// Adds the given direct connection to the direct connection list. Unlike
// addEventConnectionIfNotPresent(), no presence check is made first.
void SensorService::SensorConnectionHolder::addDirectConnection(
        const sp<SensorService::SensorDirectConnection>& connection)
{
    mDirectConnections.add(connection);
}
2833 
// Removes the given direct connection from the direct connection list. The
// argument is a weak reference, so no strong reference is needed to remove
// an entry.
void SensorService::SensorConnectionHolder::removeDirectConnection(
        const wp<SensorService::SensorDirectConnection>& connection)
{
    mDirectConnections.remove(connection);
}
2838 
// Returns a ConnectionSafeAutolock built from this holder and the given
// mutex. The connection lists are meant to be read through the returned
// object's getActiveConnections() / getDirectConnections() accessors.
SensorService::ConnectionSafeAutolock
SensorService::SensorConnectionHolder::lock(Mutex& mutex)
{
    return ConnectionSafeAutolock(*this, mutex);
}
2842 
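// Asks the "package_native" service whether the given package is debuggable.
//
// Returns the service's answer on success. Returns false when the service
// cannot be obtained, cannot be cast to IPackageManagerNative, or the binder
// call reports a non-ok status. The original code ignored that status and
// returned whatever the out-parameter held.
//
// NOTE(review): a failed lookup is reported as "not debuggable"; confirm
// that every caller treats false as the more restrictive answer.
bool SensorService::isPackageDebuggable(const String16& opPackageName) {
    const sp<IBinder> pmBinder =
            defaultServiceManager()->getService(String16("package_native"));
    if (pmBinder == nullptr) {
        return false;
    }

    const sp<content::pm::IPackageManagerNative> packageManager =
            interface_cast<content::pm::IPackageManagerNative>(pmBinder);
    if (packageManager == nullptr) {
        return false;
    }

    bool debugMode = false;
    const binder::Status status =
            packageManager->isPackageDebuggable(opPackageName, &debugMode);
    if (!status.isOk()) {
        // Do not trust the out-parameter when the transaction failed.
        return false;
    }
    return debugMode;
}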
2856 } // namespace android
2857