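/*
 * Copyright (C) 2010 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_SENSOR_SERVICE_H
#define ANDROID_SENSOR_SERVICE_H

#include "SensorList.h"
#include "RecentEventLogger.h"

#include <android-base/macros.h>
#include <binder/AppOpsManager.h>
#include <binder/BinderService.h>
// Declares IPCThreadState, used inline by AutoCallerClear below; previously reached only through
// transitive includes.
#include <binder/IPCThreadState.h>
#include <binder/IUidObserver.h>
#include <cutils/compiler.h>
#include <cutils/multiuser.h>
#include <sensor/ISensorServer.h>
#include <sensor/ISensorEventConnection.h>
#include <sensor/Sensor.h>
#include "android/hardware/BnSensorPrivacyListener.h"

#include <utils/AndroidThreads.h>
#include <utils/KeyedVector.h>
#include <utils/Looper.h>
#include <utils/SortedVector.h>
#include <utils/String8.h>
#include <utils/Vector.h>
#include <utils/threads.h>

#include <stdint.h>
#include <sys/types.h>
// <atomic> and <map> are used directly below (std::atomic_bool, std::atomic_uint64_t, std::map);
// include them explicitly rather than relying on what other headers happen to pull in.
#include <atomic>
#include <map>
#include <unordered_map>
#include <unordered_set>
#include <vector>

#if __clang__
// Clang warns about SensorEventConnection::dump hiding BBinder::dump. The cause isn't fixable
// without changing the API, so let's tell clang this is indeed intentional.
#pragma clang diagnostic ignored "-Woverloaded-virtual"
#endif

// ---------------------------------------------------------------------------
#define IGNORE_HARDWARE_FUSION false
#define DEBUG_CONNECTIONS false
// Max size is 100 KB which is enough to accept a batch of about 1000 events.
#define MAX_SOCKET_BUFFER_SIZE_BATCHED (100 * 1024)
// For older HALs which don't support batching, use a smaller socket buffer size.
#define SOCKET_BUFFER_SIZE_NON_BATCHED (4 * 1024)

// Presumably the capacity of mLastNSensorRegistrations (indexed by mNextSensorRegIndex), i.e. how
// many recent registrations are retained for dump output — confirm in the .cpp.
#define SENSOR_REGISTRATIONS_BUF_SIZE 200

// Apps that target S+ and do not have HIGH_SAMPLING_RATE_SENSORS permission will be capped
// at 200 Hz. The cap also applies to all requests when the mic toggle is flipped to on, regardless
// of their target SDKs and permission.
// Capped sampling periods for apps that have non-direct sensor connections.
// 5 ms period == 200 Hz.
#define SENSOR_SERVICE_CAPPED_SAMPLING_PERIOD_NS (5 * 1000 * 1000)
// Capped sampling rate level for apps that have direct sensor connections.
// The enum SENSOR_DIRECT_RATE_NORMAL corresponds to a rate value of at most 110 Hz.
#define SENSOR_SERVICE_CAPPED_SAMPLING_RATE_LEVEL SENSOR_DIRECT_RATE_NORMAL

namespace android {
// ---------------------------------------------------------------------------
class SensorInterface;

// The system-side implementation of ISensorServer. Every client request for sensor data passes
// through this class, which is also where the access policies declared below (UidPolicy,
// SensorPrivacyPolicy, the rate caps, and the RESTRICTED/DATA_INJECTION operating modes) are
// applied. The class runs its own Thread (see threadLoop()) to pump events from the HAL.
class SensorService :
        public BinderService<SensorService>,
        public BnSensorServer,
        protected Thread
{
    // nested class/struct for internal use
    class SensorEventConnection;
    class SensorDirectConnection;

public:
    enum UidState {
        UID_STATE_ACTIVE = 0,
        UID_STATE_IDLE,
    };

    class ProximityActiveListener : public virtual RefBase {
    public:
        // Note that the callback is invoked from an async thread and can interact with the
        // SensorService directly.
        virtual void onProximityActive(bool isActive) = 0;
    };

    static char const* getServiceName() ANDROID_API { return "sensorservice"; }
    SensorService() ANDROID_API;

    // Called when a connection goes away; see the ConnectionSafeAutolock comment below for why
    // these must not be entered with mLock already held.
    void cleanupConnection(SensorEventConnection* connection);
    void cleanupConnection(SensorDirectConnection* c);

    // Call with mLock held.
    void checkAndReportProxStateChangeLocked();
    void notifyProximityStateLocked(const bool isActive,
                                    const std::vector<sp<ProximityActiveListener>>& listeners);

    // Per-connection request entry points. opPackageName originates from the binder client; the
    // implementation is expected to check it against the calling uid (via the app-ops / permission
    // helpers declared below) rather than trust it as an identity — confirm in the .cpp.
    status_t enable(const sp<SensorEventConnection>& connection, int handle,
                    nsecs_t samplingPeriodNs, nsecs_t maxBatchReportLatencyNs, int reservedFlags,
                    const String16& opPackageName);

    status_t disable(const sp<SensorEventConnection>& connection, int handle);

    status_t setEventRate(const sp<SensorEventConnection>& connection, int handle, nsecs_t ns,
                          const String16& opPackageName);

    status_t flushSensor(const sp<SensorEventConnection>& connection,
                         const String16& opPackageName);

    status_t addProximityActiveListener(const sp<ProximityActiveListener>& callback) ANDROID_API;
    status_t removeProximityActiveListener(const sp<ProximityActiveListener>& callback) ANDROID_API;

    // Returns true if a sensor should be throttled according to our rate-throttling rules.
    static bool isSensorInCappedSet(int sensorType);

    // Handles the "dumpsys sensorservice ..." subcommands described under enum Mode, plus the
    // handle*UidState() debug overrides declared below.
    virtual status_t shellCommand(int in, int out, int err, Vector<String16>& args);

private:
    friend class BinderService<SensorService>;

    // nested class/struct for internal use
    class ConnectionSafeAutolock;
    class SensorConnectionHolder;
    class SensorEventAckReceiver;
    class SensorRecord;
    class SensorRegistrationInfo;

    // Promoting a SensorEventConnection or SensorDirectConnection from wp to sp must be done with
    // mLock held, but destroying that sp must be done unlocked to avoid a race condition that
    // causes a deadlock (remote dies while we hold a local sp, then our decStrong() call invokes
    // the dtor -> cleanupConnection() tries to re-lock the mutex). This class ensures safe usage
    // by wrapping a Mutex::Autolock on SensorService's mLock, plus vectors that hold promoted sp<>
    // references until the lock is released, when they are safely destroyed.
    // All read accesses to the connection lists in mConnectionHolder must be done via this class.
    class ConnectionSafeAutolock final {
    public:
        // Returns a list of non-null promoted connection references. The returned vector is owned
        // by this object and must not be used after it is destroyed.
        const std::vector<sp<SensorEventConnection>>& getActiveConnections();
        const std::vector<sp<SensorDirectConnection>>& getDirectConnections();

    private:
        // Constructed via SensorConnectionHolder::lock()
        friend class SensorConnectionHolder;
        explicit ConnectionSafeAutolock(SensorConnectionHolder& holder, Mutex& mutex);
        DISALLOW_IMPLICIT_CONSTRUCTORS(ConnectionSafeAutolock);

        // NOTE: Order of these members is important, as the destructor for non-static members
        // get invoked in the reverse order of their declaration. Here we are relying on the
        // Autolock to be destroyed *before* the vectors, so the sp<> objects are destroyed without
        // the lock held, which avoids the deadlock.
        SensorConnectionHolder& mConnectionHolder;
        std::vector<std::vector<sp<SensorEventConnection>>> mReferencedActiveConnections;
        std::vector<std::vector<sp<SensorDirectConnection>>> mReferencedDirectConnections;
        Mutex::Autolock mAutolock;

        template<typename ConnectionType>
        const std::vector<sp<ConnectionType>>& getConnectionsHelper(
                const SortedVector<wp<ConnectionType>>& connectionList,
                std::vector<std::vector<sp<ConnectionType>>>* referenceHolder);
    };

    // Encapsulates the collection of active SensorEventConection and SensorDirectConnection
    // references. Write access is done through this class with mLock held, but all read access
    // must be routed through ConnectionSafeAutolock.
    class SensorConnectionHolder {
    public:
        void addEventConnectionIfNotPresent(const sp<SensorEventConnection>& connection);
        void removeEventConnection(const wp<SensorEventConnection>& connection);

        void addDirectConnection(const sp<SensorDirectConnection>& connection);
        void removeDirectConnection(const wp<SensorDirectConnection>& connection);

        // Pass in the mutex that protects this connection holder; acquires the lock and returns an
        // object that can be used to safely read the lists of connections
        ConnectionSafeAutolock lock(Mutex& mutex);

    private:
        friend class ConnectionSafeAutolock;
        SortedVector< wp<SensorEventConnection> > mActiveConnections;
        SortedVector< wp<SensorDirectConnection> > mDirectConnections;
    };

    // If accessing a sensor we need to make sure the UID has access to it. If
    // the app UID is idle then it cannot access sensors and gets no trigger
    // events, no on-change events, flush event behavior does not change, and
    // recurring events are the same as the first one delivered in idle state
    // emulating no sensor change. As soon as the app UID transitions to an
    // active state we will start reporting events as usual and vice versa. This
    // approach transparently handles observing sensors while the app UID transitions
    // between idle/active state avoiding to get stuck in a state receiving sensor
    // data while idle or not receiving sensor data while active.
    class UidPolicy : public BnUidObserver {
    public:
        explicit UidPolicy(wp<SensorService> service)
                : mService(service) {}
        // Subscribe to / unsubscribe from UID state callbacks (IUidObserver).
        void registerSelf();
        void unregisterSelf();

        // Returns the effective state of the uid: presumably an entry in mOverrideUids wins over
        // the observed state in mActiveUids — confirm in the .cpp.
        bool isUidActive(uid_t uid);

        void onUidGone(uid_t uid, bool disabled);
        void onUidActive(uid_t uid);
        void onUidIdle(uid_t uid, bool disabled);
        // Process-state changes are not used by this policy; only active/idle/gone matter.
        void onUidStateChanged(uid_t uid __unused, int32_t procState __unused,
                               int64_t procStateSeq __unused, int32_t capability __unused) {}

        // Debug overrides driven from shellCommand(); they force a uid to be treated as
        // active/idle regardless of what the observer reports.
        void addOverrideUid(uid_t uid, bool active);
        void removeOverrideUid(uid_t uid);
    private:
        bool isUidActiveLocked(uid_t uid);
        void updateOverrideUid(uid_t uid, bool active, bool insert);

        // Presumably guards mActiveUids and mOverrideUids (see isUidActiveLocked) — confirm.
        Mutex mUidLock;
        wp<SensorService> mService;
        std::unordered_set<uid_t> mActiveUids;
        std::unordered_map<uid_t, bool> mOverrideUids;
    };

    bool isUidActive(uid_t uid);

    // Sensor privacy allows a user to disable access to all sensors on the device. When
    // enabled sensor privacy will prevent all apps, including active apps, from accessing
    // sensors, they will not receive trigger nor on-change events, flush event behavior
    // does not change, and recurring events are the same as the first one delivered when
    // sensor privacy was enabled. All sensor direct connections will be stopped as well
    // and new direct connections will not be allowed while sensor privacy is enabled.
    // Once sensor privacy is disabled access to sensors will be restored for active
    // apps, previously stopped direct connections will be restarted, and new direct
    // connections will be allowed again.
    class SensorPrivacyPolicy : public hardware::BnSensorPrivacyListener {
    public:
        explicit SensorPrivacyPolicy(wp<SensorService> service)
                : mService(service), mIsIndividualMic(false), mUserId(0) {}
        void registerSelf();
        void unregisterSelf();

        // Variant used for the per-user mic toggle (see mMicSensorPrivacyPolicies); sets
        // mIsIndividualMic / mUserId — the exact semantics live in the .cpp.
        status_t registerSelfForIndividual(int userId);

        bool isSensorPrivacyEnabled();

        // Callback from the sensor privacy manager; toggles mSensorPrivacyEnabled.
        binder::Status onSensorPrivacyChanged(bool enabled);

    private:
        wp<SensorService> mService;
        Mutex mSensorPrivacyLock;
        // Atomic so isSensorPrivacyEnabled() can be read without taking mSensorPrivacyLock —
        // presumably; confirm against the .cpp.
        std::atomic_bool mSensorPrivacyEnabled;
        bool mIsIndividualMic;
        userid_t mUserId;
    };

    // A class automatically clearing and restoring binder caller identity inside
    // a code block (scoped variable).
    // Declare one systematically before calling SensorPrivacyManager methods so that they are
    // executed with the same level of privilege as the SensorService process.
    // Keep the scope as narrow as possible: while an instance is alive, any permission or app-op
    // check that consults the calling identity will see SensorService itself rather than the
    // original client, so validate client-supplied arguments *before* entering the scope.
    class AutoCallerClear {
    public:
        AutoCallerClear() :
                mToken(IPCThreadState::self()->clearCallingIdentity()) {}
        ~AutoCallerClear() {
            IPCThreadState::self()->restoreCallingIdentity(mToken);
        }

    private:
        // Token returned by clearCallingIdentity(), needed to restore the original identity.
        const int64_t mToken;
    };

    enum Mode {
        // The regular operating mode where any application can register/unregister/call flush on
        // sensors.
        NORMAL = 0,
        // This mode is only used for testing purposes. Not all HALs support this mode. In this mode,
        // the HAL ignores the sensor data provided by physical sensors and accepts the data that is
        // injected from the SensorService as if it were the real sensor data. This mode is primarily
        // used for testing various algorithms like vendor provided SensorFusion, Step Counter and
        // Step Detector etc. Typically in this mode, there will be a client (a
        // SensorEventConnection) which will be injecting sensor data into the HAL. Normal apps can
        // unregister and register for any sensor that supports injection. Registering to sensors
        // that do not support injection will give an error. TODO(aakella) : Allow exactly one
        // client to inject sensor data at a time.
        DATA_INJECTION = 1,
        // This mode is used only for testing sensors. Each sensor can be tested in isolation with
        // the required sampling_rate and maxReportLatency parameters without having to think about
        // the data rates requested by other applications. End user devices are always expected to be
        // in NORMAL mode. When this mode is first activated, all active sensors from all connections
        // are disabled. Calling flush() will return an error. In this mode, only the requests from
        // selected apps whose package names are whitelisted are allowed (typically CTS apps). Only
        // these apps can register/unregister/call flush() on sensors. If SensorService switches to
        // NORMAL mode again, all sensors that were previously registered to are activated with the
        // corresponding parameters if the application hasn't unregistered for sensors in the mean
        // time. NOTE: Non whitelisted app whose sensors were previously deactivated may still
        // receive events if a whitelisted app requests data from the same sensor.
        RESTRICTED = 2

        // State Transitions supported.
        //     RESTRICTED <--- NORMAL ---> DATA_INJECTION
        //                --->        <---

        // Shell commands to switch modes in SensorService.
        // 1) Put SensorService in RESTRICTED mode with packageName .cts. If it is already in
        // restricted mode it is treated as a NO_OP (and packageName is NOT changed).
        //
        // $ adb shell dumpsys sensorservice restrict .cts.
        //
        // 2) Put SensorService in DATA_INJECTION mode with packageName .xts. If it is already in
        // data_injection mode it is treated as a NO_OP (and packageName is NOT changed).
        //
        // $ adb shell dumpsys sensorservice data_injection .xts.
        //
        // 3) Reset sensorservice back to NORMAL mode.
        // $ adb shell dumpsys sensorservice enable
    };

    static const char* WAKE_LOCK_NAME;
    virtual ~SensorService();

    virtual void onFirstRef();

    // Thread interface
    virtual bool threadLoop();

    // ISensorServer interface
    virtual Vector<Sensor> getSensorList(const String16& opPackageName);
    virtual Vector<Sensor> getDynamicSensorList(const String16& opPackageName);
    // requestedMode is presumably a Mode value chosen by the client; the implementation must
    // only honour DATA_INJECTION for the package currently allowed to inject — confirm.
    virtual sp<ISensorEventConnection> createSensorEventConnection(
            const String8& packageName,
            int requestedMode, const String16& opPackageName, const String16& attributionTag);
    virtual int isDataInjectionEnabled();
    // `resource` is a client-provided memory handle; size/type/format describe how the client
    // expects it to be used and need validation before the handle is mapped — see the .cpp.
    virtual sp<ISensorEventConnection> createSensorDirectConnection(const String16& opPackageName,
            uint32_t size, int32_t type, int32_t format, const native_handle *resource);
    virtual int setOperationParameter(
            int32_t handle, int32_t type, const Vector<float> &floats, const Vector<int32_t> &ints);
    virtual status_t dump(int fd, const Vector<String16>& args);

    status_t dumpProtoLocked(int fd, ConnectionSafeAutolock* connLock) const;
    String8 getSensorName(int handle) const;
    String8 getSensorStringType(int handle) const;
    bool isVirtualSensor(int handle) const;
    sp<SensorInterface> getSensorInterfaceFromHandle(int handle) const;
    bool isWakeUpSensor(int type) const;
    void recordLastValueLocked(sensors_event_t const* buffer, size_t count);
    static void sortEventBuffer(sensors_event_t* buffer, size_t count);
    const Sensor& registerSensor(SensorInterface* sensor,
                                 bool isDebug = false, bool isVirtual = false);
    const Sensor& registerVirtualSensor(SensorInterface* sensor, bool isDebug = false);
    const Sensor& registerDynamicSensorLocked(SensorInterface* sensor, bool isDebug = false);
    bool unregisterDynamicSensorLocked(int handle);
    status_t cleanupWithoutDisable(const sp<SensorEventConnection>& connection, int handle);
    status_t cleanupWithoutDisableLocked(const sp<SensorEventConnection>& connection, int handle);
    void cleanupAutoDisabledSensorLocked(const sp<SensorEventConnection>& connection,
            sensors_event_t const* buffer, const int count);
    // Access-control helpers. canAccessSensor() is the per-request gate (operation names the
    // action being attempted, e.g. for app-op noting); hasPermissionForSensor() checks the
    // sensor's required permission for the current caller. Both are static and therefore rely on
    // the binder calling identity — do not invoke them from inside an AutoCallerClear scope.
    static bool canAccessSensor(const Sensor& sensor, const char* operation,
                                const String16& opPackageName);
    static bool hasPermissionForSensor(const Sensor& sensor);
    // Target SDK of opPackageName, presumably cached in sPackageTargetVersion under
    // sPackageTargetVersionLock — confirm in the .cpp.
    static int getTargetSdkVersion(const String16& opPackageName);
    // SensorService acquires a partial wakelock for delivering events from wake up sensors. This
    // method checks whether all the events from these wake up sensors have been delivered to the
    // corresponding applications, if yes the wakelock is released.
    void checkWakeLockState();
    void checkWakeLockStateLocked(ConnectionSafeAutolock* connLock);
    bool isWakeLockAcquired();
    bool isWakeUpSensorEvent(const sensors_event_t& event) const;

    sp<Looper> getLooper() const;

    // Reset mWakeLockRefCounts for all SensorEventConnections to zero. This may happen if
    // SensorService did not receive any acknowledgements from apps which have registered for
    // wake_up sensors.
    void resetAllWakeLockRefCounts();

    // Acquire or release wake_lock. If wake_lock is acquired, set the timeout in the looper to 5
    // seconds and wake the looper.
    void setWakeLockAcquiredLocked(bool acquire);

    // Send events from the event cache for this particular connection.
    void sendEventsFromCache(const sp<SensorEventConnection>& connection);

    // If SensorService is operating in RESTRICTED mode, only select whitelisted packages are
    // allowed to register for or call flush on sensors. Typically only cts test packages are
    // allowed.
    bool isWhiteListedPackage(const String8& packageName);

    // Returns true if a connection with the specified opPackageName has no access to sensors
    // in the RESTRICTED mode (i.e. the service is in RESTRICTED mode, and the package is not
    // whitelisted). mLock must be held to invoke this method.
    bool isOperationRestrictedLocked(const String16& opPackageName);

    // Rate-capping helpers (see the SENSOR_SERVICE_CAPPED_* macros above). They clamp the
    // client's requested period / rate level in place when the cap applies; the return value
    // reports whether the request was acceptable — exact codes are defined in the .cpp.
    status_t adjustSamplingPeriodBasedOnMicAndPermission(nsecs_t* requestedPeriodNs,
                                                         const String16& opPackageName);
    status_t adjustRateLevelBasedOnMicAndPermission(int* requestedRateLevel,
                                                    const String16& opPackageName);
    bool isRateCappedBasedOnPermission(const String16& opPackageName);
    bool isPackageDebuggable(const String16& opPackageName);

    // Reset the state of SensorService to NORMAL mode.
    status_t resetToNormalMode();
    status_t resetToNormalModeLocked();

    // Transforms the UUIDs for all the sensors into proper IDs.
    void makeUuidsIntoIdsForSensorList(Vector<Sensor> &sensorList) const;
    // Gets the appropriate ID from the given UUID. Presumably a keyed derivation using
    // sHmacGlobalKey, so that the IDs handed to apps cannot be mapped back to the hardware
    // UUIDs — confirm in the .cpp.
    int32_t getIdFromUuid(const Sensor::uuid_t &uuid) const;
    // Either read from storage or create a new one. On failure sHmacGlobalKeyIsValid is presumably
    // left false; callers should check it before relying on derived IDs.
    static bool initializeHmacKey();

    // Enable SCHED_FIFO priority for thread
    void enableSchedFifoMode();

    // Sets whether the given UID can get sensor data
    void onUidStateChanged(uid_t uid, UidState state);

    // Returns true if a connection with the given uid and opPackageName
    // currently has access to sensors.
    bool hasSensorAccess(uid_t uid, const String16& opPackageName);
    // Same as hasSensorAccess but with mLock held.
    bool hasSensorAccessLocked(uid_t uid, const String16& opPackageName);

    // Shell-driven debug controls (reached via shellCommand()). They change which uids are
    // treated as idle, so the implementation is expected to restrict them to privileged shell
    // callers — confirm in the .cpp.
    // Overrides the UID state as if it is idle
    status_t handleSetUidState(Vector<String16>& args, int err);
    // Clears the override for the UID state
    status_t handleResetUidState(Vector<String16>& args, int err);
    // Gets the UID state
    status_t handleGetUidState(Vector<String16>& args, int out, int err);
    // Prints the shell command help
    status_t printHelp(int out);

    // temporarily stops all active direct connections and disables all sensors
    void disableAllSensors();
    void disableAllSensorsLocked(ConnectionSafeAutolock* connLock);
    // restarts the previously stopped direct connections and enables all sensors
    void enableAllSensors();
    void enableAllSensorsLocked(ConnectionSafeAutolock* connLock);

    // Caps active direct connections (when the mic toggle is flipped to on)
    void capRates(userid_t userId);
    // Removes the capped rate on active direct connections (when the mic toggle is flipped to off)
    void uncapRates(userid_t userId);

    // Key material populated by initializeHmacKey(); only meaningful while
    // sHmacGlobalKeyIsValid is true. Must never be exposed through dump()/shellCommand().
    static uint8_t sHmacGlobalKey[128];
    static bool sHmacGlobalKeyIsValid;

    // Sequence numbers pairing issued proximity callbacks with completed ones; atomic because
    // ProximityActiveListener callbacks run on an async thread (see that class's comment).
    static std::atomic_uint64_t curProxCallbackSeq;
    static std::atomic_uint64_t completedCallbackSeq;

    SensorServiceUtil::SensorList mSensors;
    status_t mInitCheck;

    // Socket buffersize used to initialize BitTube. This size depends on whether batching is
    // supported or not.
    uint32_t mSocketBufferSize;
    sp<Looper> mLooper;
    sp<SensorEventAckReceiver> mAckReceiver;

    // The members below are protected by mLock.
    mutable Mutex mLock;
    // Raw SensorRecord* values; ownership/lifetime is managed in the .cpp — confirm before
    // adding new readers.
    DefaultKeyedVector<int, SensorRecord*> mActiveSensors;
    std::unordered_set<int> mActiveVirtualSensors;
    SensorConnectionHolder mConnectionHolder;
    bool mWakeLockAcquired;
    // Raw event buffers used by threadLoop(); presumably allocated once at startup — confirm.
    sensors_event_t *mSensorEventBuffer, *mSensorEventScratch;
    // WARNING: these SensorEventConnection instances must not be promoted to sp, except via
    // modification to add support for them in ConnectionSafeAutolock
    wp<const SensorEventConnection> * mMapFlushEventsToConnections;
    std::unordered_map<int, SensorServiceUtil::RecentEventLogger*> mRecentEvent;
    Mode mCurrentOperatingMode;

    // This packageName is set when SensorService is in RESTRICTED or DATA_INJECTION mode. Only
    // applications with this packageName are allowed to activate/deactivate or call flush on
    // sensors. To run CTS this can be set to ".cts." and only CTS tests will get access to
    // sensors.
    String8 mWhiteListedPackage;

    int mNextSensorRegIndex;
    Vector<SensorRegistrationInfo> mLastNSensorRegistrations;

    sp<UidPolicy> mUidPolicy;
    sp<SensorPrivacyPolicy> mSensorPrivacyPolicy;

    static AppOpsManager sAppOpsManager;
    // Cache of per-package target SDK versions; guarded by sPackageTargetVersionLock.
    static std::map<String16, int> sPackageTargetVersion;
    static Mutex sPackageTargetVersionLock;
    static String16 sSensorInterfaceDescriptorPrefix;

    // Map from user to SensorPrivacyPolicy
    std::map<userid_t, sp<SensorPrivacyPolicy>> mMicSensorPrivacyPolicies;
    // Checks if the mic sensor privacy is enabled for the uid
    bool isMicSensorPrivacyEnabledForUid(uid_t uid);

    // Keeps track of the handles of all proximity sensors in the system.
    std::vector<int32_t> mProxSensorHandles;
    // The last proximity sensor active state reported to listeners.
    bool mLastReportedProxIsActive;
    // Listeners subscribed to receive updates on the proximity sensor active state.
    std::vector<sp<ProximityActiveListener>> mProximityActiveListeners;
};

} // namespace android
#endif // ANDROID_SENSOR_SERVICE_H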