Added UM.DISALLOW_OEM_UNLOCK, Removed Global.OEM_UNLOCK_DISALLOWED.

Currently we used global setting to restrict user from enabling oem
unlock. As global settings can be chagned using adb, using user
restrictions instead.

Bug: 29893399
Change-Id: Ic83112a4838b8279bf50408a29ae205e0b8639ee

diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java
index a44a9ee..feb8b2b 100644 (file)
--- a/core/java/android/os/UserManager.java
+++ b/core/java/android/os/UserManager.java
@@ -603,6 +603,17 @@ public class UserManager {
     public static final String DISALLOW_SET_USER_ICON = "no_set_user_icon";
 
     /**
+     * Specifies if a user is not allowed to enable the oem unlock setting. The default value is
+     * <code>false</code>.
+     *
+     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
+     * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
+     * @see #getUserRestrictions()
+     * @hide
+     */
+    public static final String DISALLOW_OEM_UNLOCK = "no_oem_unlock";
+
+    /**
      * Allows apps in the parent profile to handle web links from the managed profile.
      *
      * This user restriction has an effect only in a managed profile.

diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index 56610ed..5c2778d 100755 (executable)
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -9114,15 +9114,6 @@ public final class Settings {
         public static final String ENABLE_CELLULAR_ON_BOOT = "enable_cellular_on_boot";
 
         /**
-         * Whether toggling OEM unlock is disallowed. If disallowed, it is not possible to enable or
-         * disable OEM unlock.
-         * <p>
-         * Type: int (0: allow OEM unlock setting. 1: disallow OEM unlock)
-         * @hide
-         */
-        public static final String OEM_UNLOCK_DISALLOWED = "oem_unlock_disallowed";
-
-        /**
          * The maximum allowed notification enqueue rate in Hertz.
          *
          * Should be a float, and includes both posts and updates.

diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
index 7d19537..e87bb81 100644 (file)
--- a/core/res/res/values/config.xml
+++ b/core/res/res/values/config.xml
@@ -2527,4 +2527,9 @@
 
     <!-- Package name for the device provisioning package. -->
     <string name="config_deviceProvisioningPackage"></string>
+
+    <!-- User restrictions set when the first user is created.
+         Note: Also update appropriate overlay files. -->
+    <string-array translatable="false" name="config_defaultFirstUserRestrictions">
+    </string-array>
 </resources>

diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index ff5f7d9..6b064c1 100644 (file)
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -2668,4 +2668,7 @@
   <java-symbol type="integer" name="config_defaultNightDisplayAutoMode" />
   <java-symbol type="integer" name="config_defaultNightDisplayCustomStartTime" />
   <java-symbol type="integer" name="config_defaultNightDisplayCustomEndTime" />
+
+  <!-- Default first user restrictions -->
+  <java-symbol type="array" name="config_defaultFirstUserRestrictions" />
 </resources>

diff --git a/packages/SettingsProvider/res/values/defaults.xml b/packages/SettingsProvider/res/values/defaults.xml
index 108814e..978ca94 100644 (file)
--- a/packages/SettingsProvider/res/values/defaults.xml
+++ b/packages/SettingsProvider/res/values/defaults.xml
@@ -216,7 +216,4 @@
 
     <!-- Default setting for ability to add users from the lock screen -->
     <bool name="def_add_users_from_lockscreen">false</bool>
-
-    <!-- Default setting for disallow oem unlock. -->
-    <bool name="def_oem_unlock_disallow">false</bool>
 </resources>

diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 950c7d3..28e9a45 100644 (file)
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -2330,14 +2330,7 @@ public class SettingsProvider extends ContentProvider {
                 }
 
                 if (currentVersion == 127) {
-                    // Version 127: Disable OEM unlock setting by default on some devices.
-                    final SettingsState globalSettings = getGlobalSettingsLocked();
-                    String defaultOemUnlockDisabled = (getContext().getResources()
-                            .getBoolean(R.bool.def_oem_unlock_disallow) ? "1" : "0");
-                    globalSettings.insertSettingLocked(
-                            Settings.Global.OEM_UNLOCK_DISALLOWED,
-                            defaultOemUnlockDisabled,
-                            SettingsState.SYSTEM_PACKAGE_NAME);
+                    // version 127 is no longer used.
                     currentVersion = 128;
                 }
 

diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java
index e233b1c..080b46c 100644 (file)
--- a/services/core/java/com/android/server/PersistentDataBlockService.java
+++ b/services/core/java/com/android/server/PersistentDataBlockService.java
@@ -157,11 +157,10 @@ public class PersistentDataBlockService extends SystemService {
         }
     }
 
-    private void enforceFactoryResetAllowed() {
-        final boolean isOemUnlockRestricted = UserManager.get(mContext)
-                .hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET);
-        if (isOemUnlockRestricted) {
-            throw new SecurityException("OEM unlock is disallowed by DISALLOW_FACTORY_RESET");
+    private void enforceUserRestriction(String userRestriction) {
+        if (UserManager.get(mContext).hasUserRestriction(userRestriction)) {
+            throw new SecurityException(
+                    "OEM unlock is disallowed by user restriction: " + userRestriction);
         }
     }
 
@@ -467,13 +466,9 @@ public class PersistentDataBlockService extends SystemService {
             enforceIsAdmin();
 
             if (enabled) {
-                // Do not allow oem unlock to be enabled if it has been disallowed.
-                if (Settings.Global.getInt(getContext().getContentResolver(),
-                        Settings.Global.OEM_UNLOCK_DISALLOWED, 0) == 1) {
-                    throw new SecurityException(
-                            "OEM unlock has been disallowed by OEM_UNLOCK_DISALLOWED.");
-                }
-                enforceFactoryResetAllowed();
+                // Do not allow oem unlock to be enabled if it's disallowed by a user restriction.
+                enforceUserRestriction(UserManager.DISALLOW_OEM_UNLOCK);
+                enforceUserRestriction(UserManager.DISALLOW_FACTORY_RESET);
             }
             synchronized (mLock) {
                 doSetOemUnlockEnabledLocked(enabled);

diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index d750cbf..c062485 100644 (file)
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -1799,6 +1799,18 @@ public class UserManagerService extends IUserManager.Stub {
         mUserVersion = USER_VERSION;
 
         Bundle restrictions = new Bundle();
+        try {
+            final String[] defaultFirstUserRestrictions = mContext.getResources().getStringArray(
+                    com.android.internal.R.array.config_defaultFirstUserRestrictions);
+            for (String userRestriction : defaultFirstUserRestrictions) {
+                if (UserRestrictionsUtils.isValidRestriction(userRestriction)) {
+                    restrictions.putBoolean(userRestriction, true);
+                }
+            }
+        } catch (Resources.NotFoundException e) {
+            Log.e(LOG_TAG, "Couldn't find resource: config_defaultFirstUserRestrictions", e);
+        }
+
         synchronized (mRestrictionsLock) {
             mBaseUserRestrictions.append(UserHandle.USER_SYSTEM, restrictions);
         }

diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index c082143..0499757 100644 (file)
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -104,7 +104,8 @@ public class UserRestrictionsUtils {
             UserManager.DISALLOW_RUN_IN_BACKGROUND,
             UserManager.DISALLOW_DATA_ROAMING,
             UserManager.DISALLOW_SET_USER_ICON,
-            UserManager.DISALLOW_SET_WALLPAPER
+            UserManager.DISALLOW_SET_WALLPAPER,
+            UserManager.DISALLOW_OEM_UNLOCK
     });
 
     /**
@@ -138,7 +139,8 @@ public class UserRestrictionsUtils {
      */
     private static final Set<String> IMMUTABLE_BY_OWNERS = Sets.newArraySet(
             UserManager.DISALLOW_RECORD_AUDIO,
-            UserManager.DISALLOW_WALLPAPER
+            UserManager.DISALLOW_WALLPAPER,
+            UserManager.DISALLOW_OEM_UNLOCK
     );
 
     /**
@@ -426,6 +428,7 @@ public class UserRestrictionsUtils {
                             newValue ? 1 : 0);
                     break;
                 case UserManager.DISALLOW_FACTORY_RESET:
+                case UserManager.DISALLOW_OEM_UNLOCK:
                     if (newValue) {
                         PersistentDataBlockManager manager = (PersistentDataBlockManager) context
                                 .getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);