Add a Global setting for disabling OEM unlocking setting
+ By default, OEM unlocking setting is enabled.
+ Add a check to prevent oem unlock being flipped if the setting isn't
enabled.
Bug: 28163088
Change-Id: I087d8d5a1d99a611a8f66ff71a92ec9ea1da4e9f
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index d80d4be..8dc14c0 100755
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -8759,6 +8759,15 @@
* @hide
*/
public static final String ENABLE_CELLULAR_ON_BOOT = "enable_cellular_on_boot";
+
+ /**
+ * Whether toggling OEM unlock is disallowed. If disallowed, it is not possible to enable or
+ * disable OEM unlock.
+ * <p>
+ * Type: int (0: allow OEM unlock setting. 1: disallow OEM unlock)
+ * @hide
+ */
+ public static final String OEM_UNLOCK_DISALLOWED = "oem_unlock_disallowed";
}
/**
diff --git a/packages/SettingsProvider/res/values/defaults.xml b/packages/SettingsProvider/res/values/defaults.xml
index 978ca94..108814e 100644
--- a/packages/SettingsProvider/res/values/defaults.xml
+++ b/packages/SettingsProvider/res/values/defaults.xml
@@ -216,4 +216,7 @@
<!-- Default setting for ability to add users from the lock screen -->
<bool name="def_add_users_from_lockscreen">false</bool>
+
+ <!-- Default setting for disallow oem unlock. -->
+ <bool name="def_oem_unlock_disallow">false</bool>
</resources>
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 8dc247a..7871fe3 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -1942,7 +1942,7 @@
}
private final class UpgradeController {
- private static final int SETTINGS_VERSION = 127;
+ private static final int SETTINGS_VERSION = 128;
private final int mUserId;
@@ -2197,6 +2197,18 @@
currentVersion = 127;
}
+ if (currentVersion == 127) {
+ // Version 127: Disable OEM unlock setting by default on some devices.
+ final SettingsState globalSettings = getGlobalSettingsLocked();
+ String defaultOemUnlockDisabled = (getContext().getResources()
+ .getBoolean(R.bool.def_oem_unlock_disallow) ? "1" : "0");
+ globalSettings.insertSettingLocked(
+ Settings.Global.OEM_UNLOCK_DISALLOWED,
+ defaultOemUnlockDisabled,
+ SettingsState.SYSTEM_PACKAGE_NAME);
+ currentVersion = 128;
+ }
+
// vXXX: Add new settings above this point.
// Return the current version.
diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java
index 2085f32..502629b 100644
--- a/services/core/java/com/android/server/PersistentDataBlockService.java
+++ b/services/core/java/com/android/server/PersistentDataBlockService.java
@@ -26,6 +26,7 @@
import android.os.SystemProperties;
import android.os.UserHandle;
import android.os.UserManager;
+import android.provider.Settings;
import android.service.persistentdata.IPersistentDataBlockService;
import android.service.persistentdata.PersistentDataBlockManager;
import android.util.Slog;
@@ -437,11 +438,16 @@
}
@Override
- public void setOemUnlockEnabled(boolean enabled) {
+ public void setOemUnlockEnabled(boolean enabled) throws SecurityException {
// do not allow monkey to flip the flag
if (ActivityManager.isUserAMonkey()) {
return;
}
+ // Do not allow oem unlock modification if it has been disallowed.
+ if (Settings.Global.getInt(getContext().getContentResolver(),
+ Settings.Global.OEM_UNLOCK_DISALLOWED, 0) == 1) {
+ throw new SecurityException("OEM unlock has been disallowed.");
+ }
enforceOemUnlockPermission();
enforceIsAdmin();
