From 830e32cdccdeeeadc5f07ba006b2b5779f8be65d Mon Sep 17 00:00:00 2001 From: Mahaver Chopra Date: Tue, 17 May 2016 18:53:09 +0100 Subject: [PATCH] Disallow OEM unlock when DISALLOW_FACTORY_RESET applies Bug: 28339424 Change-Id: I4b6dc6f186ea60a13e778f52d574e615b0b19b74 --- .../java/com/android/server/PersistentDataBlockService.java | 13 ++++++++++++- .../java/com/android/server/pm/UserRestrictionsUtils.java | 9 +++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java index b64363fce719..51037dd2cbc6 100644 --- a/services/core/java/com/android/server/PersistentDataBlockService.java +++ b/services/core/java/com/android/server/PersistentDataBlockService.java @@ -146,6 +146,15 @@ public class PersistentDataBlockService extends SystemService { "Only the Admin user is allowed to change OEM unlock state"); } } + + private void enforceFactoryResetAllowed() { + final boolean isOemUnlockRestricted = UserManager.get(mContext) + .hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET); + if (isOemUnlockRestricted) { + throw new SecurityException("OEM unlock is disallowed by DISALLOW_FACTORY_RESET"); + } + } + private int getTotalDataSizeLocked(DataInputStream inputStream) throws IOException { // skip over checksum inputStream.skipBytes(DIGEST_SIZE_BYTES); @@ -452,7 +461,9 @@ public class PersistentDataBlockService extends SystemService { Settings.Global.OEM_UNLOCK_DISALLOWED, 0) == 1) { throw new SecurityException("OEM unlock has been disallowed."); } - + if (enabled) { + enforceFactoryResetAllowed(); + } synchronized (mLock) { doSetOemUnlockEnabledLocked(enabled); computeAndWriteDigestLocked(); diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java index 38a3f421264f..414d16571870 100644 --- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java +++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java @@ -33,6 +33,7 @@ import android.os.RemoteException; import android.os.SystemProperties; import android.os.UserHandle; import android.os.UserManager; +import android.service.persistentdata.PersistentDataBlockManager; import android.telephony.SubscriptionInfo; import android.telephony.SubscriptionManager; import android.util.Log; @@ -424,6 +425,14 @@ public class UserRestrictionsUtils { android.provider.Settings.Global.SAFE_BOOT_DISALLOWED, newValue ? 1 : 0); break; + case UserManager.DISALLOW_FACTORY_RESET: + if (newValue) { + PersistentDataBlockManager manager = (PersistentDataBlockManager) context + .getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE); + if (manager != null) { + manager.setOemUnlockEnabled(false); + } + } } } finally { Binder.restoreCallingIdentity(id); -- 2.11.0