From 3d9805d50281882b4420ee2d4ede8a8bdd94d455 Mon Sep 17 00:00:00 2001 From: Mahaver Chopra Date: Thu, 7 Jul 2016 16:25:05 +0100 Subject: [PATCH] Added UM.DISALLOW_OEM_UNLOCK, Removed Global.OEM_UNLOCK_DISALLOWED. Currently we used global setting to restrict user from enabling oem unlock. As global settings can be chagned using adb, using user restrictions instead. Bug: 29893399 Change-Id: Ic83112a4838b8279bf50408a29ae205e0b8639ee --- core/java/android/os/UserManager.java | 11 +++++++++++ core/java/android/provider/Settings.java | 9 --------- core/res/res/values/config.xml | 5 +++++ core/res/res/values/symbols.xml | 3 +++ packages/SettingsProvider/res/values/defaults.xml | 3 --- .../android/providers/settings/SettingsProvider.java | 9 +-------- .../android/server/PersistentDataBlockService.java | 19 +++++++------------ .../com/android/server/pm/UserManagerService.java | 12 ++++++++++++ .../com/android/server/pm/UserRestrictionsUtils.java | 7 +++++-- 9 files changed, 44 insertions(+), 34 deletions(-) diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java index a44a9eed701b..feb8b2be3c58 100644 --- a/core/java/android/os/UserManager.java +++ b/core/java/android/os/UserManager.java @@ -603,6 +603,17 @@ public class UserManager { public static final String DISALLOW_SET_USER_ICON = "no_set_user_icon"; /** + * Specifies if a user is not allowed to enable the oem unlock setting. The default value is + * false. + * + * @see DevicePolicyManager#addUserRestriction(ComponentName, String) + * @see DevicePolicyManager#clearUserRestriction(ComponentName, String) + * @see #getUserRestrictions() + * @hide + */ + public static final String DISALLOW_OEM_UNLOCK = "no_oem_unlock"; + + /** * Allows apps in the parent profile to handle web links from the managed profile. * * This user restriction has an effect only in a managed profile. 
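Review bot: The Javadoc on `DISALLOW_OEM_UNLOCK` sends readers to `DevicePolicyManager#addUserRestriction` and `#clearUserRestriction`, yet this same commit lists the key in `IMMUTABLE_BY_OWNERS` in UserRestrictionsUtils. A device or profile owner therefore presumably cannot set or clear it through those calls. I would drop the two `@see DevicePolicyManager` lines and state where the value comes from, e.g. `* Set by the system from config_defaultFirstUserRestrictions; device and profile owners cannot change it.` This is worth spelling out because the restriction replaces a setting that was removed for being writable over adb.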
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java index 56610ed1d7ee..5c2778d483ac 100755 --- a/core/java/android/provider/Settings.java +++ b/core/java/android/provider/Settings.java @@ -9114,15 +9114,6 @@ public final class Settings { public static final String ENABLE_CELLULAR_ON_BOOT = "enable_cellular_on_boot"; /** - * Whether toggling OEM unlock is disallowed. If disallowed, it is not possible to enable or - * disable OEM unlock. - *

- * Type: int (0: allow OEM unlock setting. 1: disallow OEM unlock) - * @hide - */ - public static final String OEM_UNLOCK_DISALLOWED = "oem_unlock_disallowed"; - - /** * The maximum allowed notification enqueue rate in Hertz. * * Should be a float, and includes both posts and updates. diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml index 7d195370c6db..e87bb8173049 100644 --- a/core/res/res/values/config.xml +++ b/core/res/res/values/config.xml @@ -2527,4 +2527,9 @@ + + + + diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml index ff5f7d9b86f5..6b064c10447b 100644 --- a/core/res/res/values/symbols.xml +++ b/core/res/res/values/symbols.xml @@ -2668,4 +2668,7 @@ + + + diff --git a/packages/SettingsProvider/res/values/defaults.xml b/packages/SettingsProvider/res/values/defaults.xml index 108814e66348..978ca9466ff1 100644 --- a/packages/SettingsProvider/res/values/defaults.xml +++ b/packages/SettingsProvider/res/values/defaults.xml @@ -216,7 +216,4 @@ false - - - false diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java index 950c7d33b672..28e9a45cc40e 100644 --- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java +++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java 
@@ -2330,14 +2330,7 @@ public class SettingsProvider extends ContentProvider { } if (currentVersion == 127) { - // Version 127: Disable OEM unlock setting by default on some devices. - final SettingsState globalSettings = getGlobalSettingsLocked(); - String defaultOemUnlockDisabled = (getContext().getResources() - .getBoolean(R.bool.def_oem_unlock_disallow) ? "1" : "0"); - globalSettings.insertSettingLocked( - Settings.Global.OEM_UNLOCK_DISALLOWED, - defaultOemUnlockDisabled, - SettingsState.SYSTEM_PACKAGE_NAME); + // version 127 is no longer used. currentVersion = 128; } diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java index e233b1c84bc6..080b46c24a2f 100644 --- a/services/core/java/com/android/server/PersistentDataBlockService.java +++ b/services/core/java/com/android/server/PersistentDataBlockService.java @@ -157,11 +157,10 @@ public class PersistentDataBlockService extends SystemService { } } - private void enforceFactoryResetAllowed() { - final boolean isOemUnlockRestricted = UserManager.get(mContext) - .hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET); - if (isOemUnlockRestricted) { - throw new SecurityException("OEM unlock is disallowed by DISALLOW_FACTORY_RESET"); + private void enforceUserRestriction(String userRestriction) { + if (UserManager.get(mContext).hasUserRestriction(userRestriction)) { + throw new SecurityException( + "OEM unlock is disallowed by user restriction: " + userRestriction); } } 
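Review bot: Turning upgrade step 127 into a no-op leaves devices that already ran it without equivalent protection, because nothing visible in this patch converts a stored `oem_unlock_disallowed` value of 1 into the `no_oem_unlock` restriction. The only place the new restriction is seeded is the UserManagerService hunk, which appears to run when the first user's state is created from scratch, so an upgraded device would probably come up with OEM unlock no longer blocked. A migration that reads the old global value, sets `DISALLOW_OEM_UNLOCK` in the system user's base restrictions and then deletes the stale row would close that gap. If another change handles this, the comment `// version 127 is no longer used.` should say so. The enclosing upgrade method starts and ends outside the hunk.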
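Review bot: `enforceUserRestriction` calls `hasUserRestriction(String)` without naming a user, which as far as I know evaluates the restriction for the user the service process runs as, not for the caller admitted by `enforceIsAdmin()` in the second hunk of this file. That fits a device-wide restriction seeded on the system user, but the intent is not written down; a comment such as `// Checked against the system user on purpose: OEM unlock is a device-wide property.` would make it reviewable. The helper's name is also generic while its exception text is fixed to OEM unlock, so either name it `enforceOemUnlockNotRestricted` or drop the OEM wording from the message.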
@@ -467,13 +466,9 @@ public class PersistentDataBlockService extends SystemService { enforceIsAdmin(); if (enabled) { - // Do not allow oem unlock to be enabled if it has been disallowed. - if (Settings.Global.getInt(getContext().getContentResolver(), - Settings.Global.OEM_UNLOCK_DISALLOWED, 0) == 1) { - throw new SecurityException( - "OEM unlock has been disallowed by OEM_UNLOCK_DISALLOWED."); - } - enforceFactoryResetAllowed(); + // Do not allow oem unlock to be enabled if it's disallowed by a user restriction. + enforceUserRestriction(UserManager.DISALLOW_OEM_UNLOCK); + enforceUserRestriction(UserManager.DISALLOW_FACTORY_RESET); } synchronized (mLock) { doSetOemUnlockEnabledLocked(enabled); diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java index d750cbf17f66..c0624851c21f 100644 --- a/services/core/java/com/android/server/pm/UserManagerService.java +++ b/services/core/java/com/android/server/pm/UserManagerService.java @@ -1799,6 +1799,18 @@ public class UserManagerService extends IUserManager.Stub { mUserVersion = USER_VERSION; Bundle restrictions = new Bundle(); + try { + final String[] defaultFirstUserRestrictions = mContext.getResources().getStringArray( + com.android.internal.R.array.config_defaultFirstUserRestrictions); + for (String userRestriction : defaultFirstUserRestrictions) { + if (UserRestrictionsUtils.isValidRestriction(userRestriction)) { + restrictions.putBoolean(userRestriction, true); + } + } + } catch (Resources.NotFoundException e) { + Log.e(LOG_TAG, "Couldn't find resource: config_defaultFirstUserRestrictions", e); + } + synchronized (mRestrictionsLock) { mBaseUserRestrictions.append(UserHandle.USER_SYSTEM, restrictions); } diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java index c082143e9b5f..04997570b89e 100644 
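Review bot: In the UserManagerService hunk, an entry of `config_defaultFirstUserRestrictions` that fails `isValidRestriction` is skipped without any trace. A misspelled key in a device overlay would then leave the device booting with OEM unlock permitted and nothing in the log to show it. Add an `else` branch that reports the entry, e.g. `Log.w(LOG_TAG, "Ignoring unknown default restriction: " + userRestriction);`. The `Resources.NotFoundException` path fails open in the same way, though it does log; a comment saying that this is intended would help. The enclosing method starts and ends outside the hunk.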
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java +++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java @@ -104,7 +104,8 @@ public class UserRestrictionsUtils { UserManager.DISALLOW_RUN_IN_BACKGROUND, UserManager.DISALLOW_DATA_ROAMING, UserManager.DISALLOW_SET_USER_ICON, - UserManager.DISALLOW_SET_WALLPAPER + UserManager.DISALLOW_SET_WALLPAPER, + UserManager.DISALLOW_OEM_UNLOCK }); /** @@ -138,7 +139,8 @@ public class UserRestrictionsUtils { */ private static final Set IMMUTABLE_BY_OWNERS = Sets.newArraySet( UserManager.DISALLOW_RECORD_AUDIO, - UserManager.DISALLOW_WALLPAPER + UserManager.DISALLOW_WALLPAPER, + UserManager.DISALLOW_OEM_UNLOCK ); /** @@ -426,6 +428,7 @@ public class UserRestrictionsUtils { newValue ? 1 : 0); break; case UserManager.DISALLOW_FACTORY_RESET: + case UserManager.DISALLOW_OEM_UNLOCK: if (newValue) { PersistentDataBlockManager manager = (PersistentDataBlockManager) context .getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE); -- 2.11.0
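Review bot: The new `case UserManager.DISALLOW_OEM_UNLOCK:` label in the third hunk shares the `DISALLOW_FACTORY_RESET` body with no comment saying what that body does for it. Only the `if (newValue)` guard and the `PersistentDataBlockManager` lookup are visible; presumably the rest switches OEM unlock off when either restriction is set, and nothing runs when one is cleared. A one-line comment above the two labels would record that, e.g. `// Setting either restriction forces OEM unlock off; clearing it leaves the flag unchanged.`, provided it matches the code below the hunk. The case body continues outside the hunk.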