Merge "Merge "Key revocation check is permissive when device is unlocked" am: a9384cdc9b am: 3f638d9a3f" into qt-qpr1-dev-plus-aosp am: 5882228ab8

Change-Id: I39879ca88d139e51e71f2fa7050ff2ee5a67b96b
2020-02-19 23:13:15 +00:00
parent 74ca3b31d4 5882228ab8
commit 7e66d1c563
3 changed files with 16 additions and 5 deletions
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -410,6 +410,7 @@ applications that come with the platform
    <privapp-permissions package="com.android.dynsystem">
        <permission name="android.permission.REBOOT"/>
        <permission name="android.permission.MANAGE_DYNAMIC_SYSTEM"/>
+        <permission name="android.permission.READ_OEM_UNLOCK_STATE"/>
    </privapp-permissions>
    <privapp-permissions package="com.android.settings">
        <permission name="android.permission.INSTALL_DYNAMIC_SYSTEM"/>
--- a/packages/DynamicSystemInstallationService/AndroidManifest.xml
+++ b/packages/DynamicSystemInstallationService/AndroidManifest.xml
@@ -7,6 +7,7 @@
    <uses-permission android:name="android.permission.MANAGE_DYNAMIC_SYSTEM" />
    <uses-permission android:name="android.permission.REBOOT" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
+    <uses-permission android:name="android.permission.READ_OEM_UNLOCK_STATE" />

    <application
        android:allowBackup="false"
--- a/packages/DynamicSystemInstallationService/src/com/android/dynsystem/InstallationAsyncTask.java
+++ b/packages/DynamicSystemInstallationService/src/com/android/dynsystem/InstallationAsyncTask.java
@@ -23,6 +23,7 @@ import android.os.AsyncTask;
 import android.os.MemoryFile;
 import android.os.ParcelFileDescriptor;
 import android.os.image.DynamicSystemManager;
+import android.service.persistentdata.PersistentDataBlockManager;
 import android.util.Log;
 import android.webkit.URLUtil;

@@ -133,6 +134,7 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
    private final DynamicSystemManager mDynSystem;
    private final ProgressListener mListener;
    private final boolean mIsNetworkUrl;
+    private final boolean mIsDeviceBootloaderUnlocked;
    private DynamicSystemManager.Session mInstallationSession;
    private KeyRevocationList mKeyRevocationList;

@@ -160,6 +162,13 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
        mDynSystem = dynSystem;
        mListener = listener;
        mIsNetworkUrl = URLUtil.isNetworkUrl(mUrl);
+        PersistentDataBlockManager pdbManager =
+                (PersistentDataBlockManager)
+                        mContext.getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);
+        mIsDeviceBootloaderUnlocked =
+                (pdbManager != null)
+                        && (pdbManager.getFlashLockState()
+                                == PersistentDataBlockManager.FLASH_LOCK_UNLOCKED);
    }

    @Override
@@ -272,7 +281,6 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
                    String.format(Locale.US, "Unsupported URL: %s", mUrl));
        }

-        // TODO(yochiang): Bypass this check if device is unlocked
        try {
            String listUrl = mContext.getString(R.string.key_revocation_list_url);
            mKeyRevocationList = KeyRevocationList.fromUrl(new URL(listUrl));
@@ -287,11 +295,12 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog

    private void imageValidationThrowOrWarning(ImageValidationException e)
            throws ImageValidationException {
-        if (mIsNetworkUrl) {
-            throw e;
-        } else {
-            // If DSU is being installed from a local file URI, then be permissive
+        if (mIsDeviceBootloaderUnlocked || !mIsNetworkUrl) {
+            // If device is OEM unlocked or DSU is being installed from a local file URI,
+            // then be permissive.
            Log.w(TAG, e.toString());
+        } else {
+            throw e;
        }
    }