From 2257fda5638923d5888b9ab051765c6bd886a634 Mon Sep 17 00:00:00 2001
From: Rubin Xu
Date: Fri, 6 Oct 2017 12:07:32 +0100
Subject: [PATCH] Always synchronize the OEM unlock allowed bit to the FRP partition For devices using OEMLock HAL, OEM unlock allowed bit is maintained by the HAL. However PersistentDataBlockService will only look at the OEM unlock allowed bit on the pst partition to make sure FRP data is cleared on a unlockable device. As a short term fix, make sure the OEM unlock allowed bit on both the HAL and pst partition is always in sync. Bug: 67043266 Test: On walleye/taimen, add an account, enable OEM unlock, factory reset via fastboot, and observe FRP is not enforced. Change-Id: Id4a0d81d7a424e17c2751e7e65582b51c14bd073
---
 .../android/server/oemlock/OemLockService.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/services/core/java/com/android/server/oemlock/OemLockService.java b/services/core/java/com/android/server/oemlock/OemLockService.java
index 40c663942e1d0..5b3d1eca03bd0 100644
--- a/services/core/java/com/android/server/oemlock/OemLockService.java
+++ b/services/core/java/com/android/server/oemlock/OemLockService.java
@@ -31,6 +31,7 @@ import android.os.UserManager;
 import android.os.UserManagerInternal;
 import android.os.UserManagerInternal.UserRestrictionsListener;
 import android.service.oemlock.IOemLockService;
+import android.service.persistentdata.PersistentDataBlockManager;
 import android.util.Slog;
 import com.android.server.LocalServices;
@@ -98,6 +99,7 @@ public class OemLockService extends SystemService {
 !newRestrictions.getBoolean(UserManager.DISALLOW_FACTORY_RESET);
 if (!unlockAllowedByAdmin) {
 mOemLock.setOemUnlockAllowedByDevice(false);
+ setPersistentDataBlockOemUnlockAllowedBit(false);
 }
 }
 }
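Review bot: The two stores are written back to back with no failure handling in the `!unlockAllowedByAdmin` branch, so if `mOemLock.setOemUnlockAllowedByDevice(false)` throws, the pst bit is never cleared and the copy that governs FRP erasure can stay permissive after an admin has disallowed factory reset. Since this is the lock-down direction, I would make the clear unconditional: `try { mOemLock.setOemUnlockAllowedByDevice(false); } finally { setPersistentDataBlockOemUnlockAllowedBit(false); }`. Whether the HAL wrapper can actually throw is not visible here, so treat that as an assumption to confirm. The same ordering appears in the hunk at -158, where it only matters when `allowedByUser` is false; the listener body starts above this hunk.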
@@ -158,6 +160,7 @@ public class OemLockService extends SystemService {
 }
 mOemLock.setOemUnlockAllowedByDevice(allowedByUser);
+ setPersistentDataBlockOemUnlockAllowedBit(allowedByUser);
 } finally {
 Binder.restoreCallingIdentity(token);
 }
@@ -202,6 +205,20 @@ public class OemLockService extends SystemService {
 }
 };
+ /**
+ * Always synchronize the OemUnlockAllowed bit to the FRP partition, which
+ * is used to erase FRP information on a unlockable device.
+ */
+ private void setPersistentDataBlockOemUnlockAllowedBit(boolean allowed) {
+ final PersistentDataBlockManager pdbm = (PersistentDataBlockManager)
+ mContext.getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);
+ // if mOemLock is PersistentDataBlockLock, then the bit should have already been set
+ if (pdbm != null && !(mOemLock instanceof PersistentDataBlockLock)) {
+ Slog.i(TAG, "Update OEM Unlock bit in pst partition to " + allowed);
+ pdbm.setOemUnlockEnabled(allowed);
+ }
+ }
+
 private boolean isOemUnlockAllowedByAdmin() {
 return !UserManager.get(mContext)
 .hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET, UserHandle.SYSTEM);
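Review bot: The added `setPersistentDataBlockOemUnlockAllowedBit(allowedByUser)` call in the hunk at -158 sits inside the region where the caller's Binder identity has been cleared (it precedes `Binder.restoreCallingIdentity(token)`), and nothing at the call site documents that. Any permission or user check inside `setOemUnlockEnabled` would therefore be evaluated against the system identity rather than the original caller, which makes the checks earlier in this method, outside the hunk, the only gate on enabling the pst bit. A comment above the call would keep a later refactor from moving them: `// Runs with cleared identity: the caller checks above are the only gate for the pst write.`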
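Review bot: `setPersistentDataBlockOemUnlockAllowedBit` does nothing and logs nothing when `pdbm` is null, so a skipped clear of the pst bit leaves no trace even though that bit decides whether FRP data is erased. I would log the skipped write before the `instanceof` check, e.g. `if (pdbm == null) { Slog.w(TAG, "PersistentDataBlockManager unavailable, OEM unlock bit not synced"); return; }`. Separately, the helper is only reached from the two write paths in this patch, so a device whose HAL and pst bits already disagree appears to stay out of sync until the setting is next changed. A one-time reconciliation at boot would match the "Always" in the Javadoc, if no such step exists outside these hunks.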