DO NOT MERGE back porting for fixing sysui direct reply

Root cause: systemui run as user 0 service to handle all of users'
notifications. And, the users can user the copy/cut/paste
functionality.

Solution: To crate @hide API in TextView let SystemUI to mark the
TextView instance should check if the power of
INTERACT_ACROSS_USER_FULL is needed to be restricted.
e.x. Keyguard password textview/Notificaiton entries

Bug: 123232892
Test: manual test
Reference: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Reference: Ibabe13e5b85e5bb91f9f8af6ec07c395c25c4393
Reference: I975baa748c821538e5a733bb98a33ac609bf40a7

Change-Id: I6d11e4d6a84570bc2991a8552349e8b216b0d139
Merged-In: Ie3daecd1e8fc2f7fdf37baeb5979da9f2e0b3937
Merged-In: I6d11e4d6a84570bc2991a8552349e8b216b0d139
(cherry picked from commit 08aae90860c4ece4d3448b32a31e5417c8490b47)

3 files changed, 56 insertions, 0 deletions

diff --git a/core/java/android/widget/TextView.java b/core/java/android/widget/TextView.java
index 9826fa0b94a1..d892307f62b9 100644
--- a/core/java/android/widget/TextView.java
+++ b/core/java/android/widget/TextView.java
@@ -16,6 +16,7 @@
 
 package android.widget;
 
+import static android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
 import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_ARG_LENGTH;
 import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_ARG_START_INDEX;
 import static android.view.accessibility.AccessibilityNodeInfo.EXTRA_DATA_TEXT_CHARACTER_LOCATION_KEY;
@@ -28,11 +29,13 @@ import android.annotation.FloatRange;
 import android.annotation.IntDef;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.RequiresPermission;
 import android.annotation.Size;
 import android.annotation.StringRes;
 import android.annotation.StyleRes;
 import android.annotation.XmlRes;
 import android.app.Activity;
+import android.app.ActivityManager;
 import android.app.assist.AssistStructure;
 import android.content.ClipData;
 import android.content.ClipDescription;
@@ -66,6 +69,7 @@ import android.os.Parcel;
 import android.os.Parcelable;
 import android.os.ParcelableParcel;
 import android.os.SystemClock;
+import android.os.UserHandle;
 import android.provider.Settings;
 import android.text.BoringLayout;
 import android.text.DynamicLayout;
@@ -686,6 +690,19 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
 
     private InputFilter[] mFilters = NO_FILTERS;
 
+    /**
+     * To keep the information to indicate if there is necessary to restrict the power of
+     * INTERACT_ACROSS_USERS_FULL.
+     * <p>
+     * SystemUI always run as user 0 to process all of direct reply. SystemUI has the poer of
+     * INTERACT_ACROSS_USERS_FULL. However, all of the notifications not only belong to user 0 but
+     * also to the other users in multiple user environment.
+     * </p>
+     *
+     * @see #setRestrictedAcrossUser(boolean)
+     */
+    private boolean mIsRestrictedAcrossUser;
+
     private volatile Locale mCurrentSpellCheckerLocaleCache;
 
     // It is possible to have a selection even when mEditor is null (programmatically set, like when
@@ -10041,6 +10058,24 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     }
 
     /**
+     * To notify the TextView to restricted the power of the app granted INTERACT_ACROSS_USERS_FULL
+     * permission.
+     * <p>
+     * Most of applications should not granted the INTERACT_ACROSS_USERS_FULL permssion.
+     * SystemUI is the special one that run in user 0 process to handle multiple user notification.
+     * Unforunately, the power of INTERACT_ACROSS_USERS_FULL should be limited or restricted for
+     * preventing from information leak.</p>
+     * <p>This function call is called for SystemUI Keyguard and Notification.</p>
+     *
+     * @param isRestricted is true if the power of INTERACT_ACROSS_USERS_FULL should be limited.
+     * @hide
+     */
+    @RequiresPermission(INTERACT_ACROSS_USERS_FULL)
+    public final void setRestrictedAcrossUser(boolean isRestricted) {
+        mIsRestrictedAcrossUser = isRestricted;
+    }
+
+    /**
      * This is a temporary method. Future versions may support multi-locale text.
      * Caveat: This method may not return the latest text services locale, but this should be
      * acceptable and it's more important to make this method asynchronous.
@@ -11073,6 +11108,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     }
 
     boolean canCut() {
+        if (mIsRestrictedAcrossUser
+                && UserHandle.myUserId() != ActivityManager.getCurrentUser()) {
+            // When it's restricted, and the curren user is not the process user. It can't cut
+            // because it may cut the text of the user 10 into the clipboard of user 0.
+            return false;
+        }
         if (hasPasswordTransformationMethod()) {
             return false;
         }
@@ -11086,6 +11127,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     }
 
     boolean canCopy() {
+        if (mIsRestrictedAcrossUser
+                && UserHandle.myUserId() != ActivityManager.getCurrentUser()) {
+            // When it's restricted, and the curren user is not the process user. It can't copy
+            // because it may copy the text of the user 10 to the clipboard of user 0.
+            return false;
+        }
         if (hasPasswordTransformationMethod()) {
             return false;
         }
@@ -11115,6 +11162,12 @@ public class TextView extends View implements ViewTreeObserver.OnPreDrawListener
     }
 
     boolean canPaste() {
+        if (mIsRestrictedAcrossUser
+                && UserHandle.myUserId() != ActivityManager.getCurrentUser()) {
+            // When it's restricted, and the curren user is not the process user. It can't paste
+            // because it may copy the text from the user 0 clipboard in current user is 10.
+            return false;
+        }
         return (mText instanceof Editable
                 && mEditor != null && mEditor.mKeyListener != null
                 && getSelectionStart() >= 0
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
index b6184a883210..4f6d15165fcd 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
@@ -79,6 +79,7 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView
 
     @Override
     protected void resetState() {
+        mPasswordEntry.setRestrictedAcrossUser(true);
         mSecurityMessageDisplay.setMessage("");
         final boolean wasDisabled = mPasswordEntry.isEnabled();
         setPasswordEntryEnabled(true);
@@ -175,6 +176,7 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView
                 Context.INPUT_METHOD_SERVICE);
 
         mPasswordEntry = findViewById(getPasswordTextViewId());
+        mPasswordEntry.setRestrictedAcrossUser(true);
         mPasswordEntryDisabler = new TextViewInputDisabler(mPasswordEntry);
         mPasswordEntry.setKeyListener(TextKeyListener.getInstance());
         mPasswordEntry.setInputType(InputType.TYPE_CLASS_TEXT
diff --git a/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java b/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java
index ad78b3a01662..da384ec359f4 100644
--- a/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java
+++ b/packages/SystemUI/src/com/android/systemui/statusbar/policy/RemoteInputView.java
@@ -179,6 +179,7 @@ public class RemoteInputView extends LinearLayout implements View.OnClickListene
                 LayoutInflater.from(context).inflate(R.layout.remote_input, root, false);
         v.mController = controller;
         v.mEntry = entry;
+        v.mEditText.setRestrictedAcrossUser(true);
         v.setTag(VIEW_TAG);
 
         return v;