Always synchronize the OEM unlock allowed bit to the FRP partition
For devices using OEMLock HAL, OEM unlock allowed bit is maintained by the HAL.
However PersistentDataBlockService will only look at the OEM unlock allowed bit
on the pst partition to make sure FRP data is cleared on a unlockable device.
As a short term fix, make sure the OEM unlock allowed bit on both the HAL and pst
partition is always in sync.
Bug: 67043266
Test: On walleye/taimen, add an account, enable OEM unlock, factory reset
via fastboot, and observe FRP is not enforced.
Change-Id: Id4a0d81d7a424e17c2751e7e65582b51c14bd073
This commit is contained in:
Rubin Xu
committed by
Thierry Strudel
Thierry Strudel
parent
6a8f482687
commit
2257fda563
@@ -31,6 +31,7 @@ import android.os.UserManager;
|
|||||||
import android.os.UserManagerInternal;
|
import android.os.UserManagerInternal;
|
||||||
import android.os.UserManagerInternal.UserRestrictionsListener;
|
import android.os.UserManagerInternal.UserRestrictionsListener;
|
||||||
import android.service.oemlock.IOemLockService;
|
import android.service.oemlock.IOemLockService;
|
||||||
|
import android.service.persistentdata.PersistentDataBlockManager;
|
||||||
import android.util.Slog;
|
import android.util.Slog;
|
||||||
|
|
||||||
import com.android.server.LocalServices;
|
import com.android.server.LocalServices;
|
||||||
@@ -98,6 +99,7 @@ public class OemLockService extends SystemService {
|
|||||||
!newRestrictions.getBoolean(UserManager.DISALLOW_FACTORY_RESET);
|
!newRestrictions.getBoolean(UserManager.DISALLOW_FACTORY_RESET);
|
||||||
if (!unlockAllowedByAdmin) {
|
if (!unlockAllowedByAdmin) {
|
||||||
mOemLock.setOemUnlockAllowedByDevice(false);
|
mOemLock.setOemUnlockAllowedByDevice(false);
|
||||||
|
setPersistentDataBlockOemUnlockAllowedBit(false);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -158,6 +160,7 @@ public class OemLockService extends SystemService {
|
|||||||
}
|
}
|
||||||
|
|
||||||
mOemLock.setOemUnlockAllowedByDevice(allowedByUser);
|
mOemLock.setOemUnlockAllowedByDevice(allowedByUser);
|
||||||
|
setPersistentDataBlockOemUnlockAllowedBit(allowedByUser);
|
||||||
} finally {
|
} finally {
|
||||||
Binder.restoreCallingIdentity(token);
|
Binder.restoreCallingIdentity(token);
|
||||||
}
|
}
|
||||||
@@ -202,6 +205,20 @@ public class OemLockService extends SystemService {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Always synchronize the OemUnlockAllowed bit to the FRP partition, which
|
||||||
|
* is used to erase FRP information on a unlockable device.
|
||||||
|
*/
|
||||||
|
private void setPersistentDataBlockOemUnlockAllowedBit(boolean allowed) {
|
||||||
|
final PersistentDataBlockManager pdbm = (PersistentDataBlockManager)
|
||||||
|
mContext.getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);
|
||||||
|
// if mOemLock is PersistentDataBlockLock, then the bit should have already been set
|
||||||
|
if (pdbm != null && !(mOemLock instanceof PersistentDataBlockLock)) {
|
||||||
|
Slog.i(TAG, "Update OEM Unlock bit in pst partition to " + allowed);
|
||||||
|
pdbm.setOemUnlockEnabled(allowed);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private boolean isOemUnlockAllowedByAdmin() {
|
private boolean isOemUnlockAllowedByAdmin() {
|
||||||
return !UserManager.get(mContext)
|
return !UserManager.get(mContext)
|
||||||
.hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET, UserHandle.SYSTEM);
|
.hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET, UserHandle.SYSTEM);
|
||||||
|
|||||||
Reference in New Issue
Block a user