Commit 6efd55e7 authored by Yohei Yukawa

Lock down IInputMethodManager.{add,remove}Client()

User mode processes are mistakenly allowed to call
IInputMethodManager.{add,remove}Client(), which may allow malicious
apps to register fake IInputMethodClient binder endpoints to
InputMethodManagerService (IMMS).

Luckily IMMS also checks whether the client process has a focused
window or not by calling IWindowManager.inputMethodClientHasFocus()
before doing some critical operations such as establishing a new
InputConnection between the client app and the current IME.

With this CL, IInputMethodManager.{add,remove}Client() start correctly
checking the caller process ID so that only the system process can
use those internal callbacks.

Bug: 112670859
Test: atest CtsInputMethodTestCases CtsInputMethodServiceHostTestCases
Change-Id: Ib9b588d11bd4017e431e3d494863987dd67384fc
parent b4fff5c9