Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 103f93a7 authored by Alex Johnston's avatar Alex Johnston
Browse files

Make FRP APIs callable by Settings 

Background
* If the device is an organization-owned managed
  profile device and a FRP policy is set, the
  factory reset protection data is no longer
  erased from factory reset in Settings.

Changes
* Added isNotEmpty method to FRP policy.
* Allow Settings to call
  getFactoryResetProtectionPolicy
  by checking for the MASTER_CLEAR permission.

Bug: 148847767
Test: manual testing
      atest com.android.server.devicepolicy.DevicePolicyManagerTest
Change-Id: I04f178255dd215579087c33b675b40eed7a6eac7
parent 52a836d4

core/java/android/app/admin/DevicePolicyManager.java

+5 −3
Original line number Original line Diff line number Diff line
@@ -4424,11 +4424,13 @@ public class DevicePolicyManager { 
     * the current factory reset protection (FRP) policy set previously by

     * the current factory reset protection (FRP) policy set previously by

     * {@link #setFactoryResetProtectionPolicy}.

     * {@link #setFactoryResetProtectionPolicy}.

     * <p>

     * <p>

     * This method can also be called by the FRP management agent on device, in which case,

     * This method can also be called by the FRP management agent on device or with the permission

     * it can pass {@code null} as the ComponentName.

     * {@link android.Manifest.permission#MASTER_CLEAR}, in which case, it can pass {@code null}

     * as the ComponentName.

     *

     *

     * @param admin Which {@link DeviceAdminReceiver} this request is associated with or

     * @param admin Which {@link DeviceAdminReceiver} this request is associated with or

     *              {@code null} if called by the FRP management agent on device.

     *              {@code null} if called by the FRP management agent on device or with the

     *              permission {@link android.Manifest.permission#MASTER_CLEAR}.

     * @return The current FRP policy object or {@code null} if no policy is set.

     * @return The current FRP policy object or {@code null} if no policy is set.

     * @throws SecurityException if {@code admin} is not a device owner, a profile owner of

     * @throws SecurityException if {@code admin} is not a device owner, a profile owner of

     *                           an organization-owned device or the FRP management agent.

     *                           an organization-owned device or the FRP management agent.

core/java/android/app/admin/FactoryResetProtectionPolicy.java

+18 −0
Original line number Original line Diff line number Diff line
@@ -43,6 +43,12 @@ import java.util.List; 
 * reset protection policy for the device by calling the {@code DevicePolicyManager} method

 * reset protection policy for the device by calling the {@code DevicePolicyManager} method

 * {@link DevicePolicyManager#setFactoryResetProtectionPolicy(ComponentName,

 * {@link DevicePolicyManager#setFactoryResetProtectionPolicy(ComponentName,

 * FactoryResetProtectionPolicy)}}.

 * FactoryResetProtectionPolicy)}}.

 * <p>

 * Normally factory reset protection does not kick in if the device is factory reset via Settings.

 * This is also the case when a device owner sets factory reset protection policy. However,

 * when a profile owner of an organization-owned device sets factory reset protection policy that

 * locks the device to specific accounts, the policy will take effect even if factory reset is

 * performed from Settings.

 *

 *

 * @see DevicePolicyManager#setFactoryResetProtectionPolicy

 * @see DevicePolicyManager#setFactoryResetProtectionPolicy

 * @see DevicePolicyManager#getFactoryResetProtectionPolicy

 * @see DevicePolicyManager#getFactoryResetProtectionPolicy
@@ -236,4 +242,16 @@ public final class FactoryResetProtectionPolicy implements Parcelable { 
        }

        }

    }

    }





    /**

     * Returns if the policy will result in factory reset protection being locked to

     * admin-specified accounts.

     * <p>

     * When a device has a non-empty factory reset protection policy, trusted factory reset

     * via Settings will no longer remove factory reset protection from the device.

     * @hide

     */

    public boolean isNotEmpty() {

        return !mFactoryResetProtectionAccounts.isEmpty() && mFactoryResetProtectionEnabled;

    }



}
 
}

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+3 −1
Original line number Original line Diff line number Diff line
@@ -7137,7 +7137,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { 
        ActiveAdmin admin;

        ActiveAdmin admin;

        synchronized (getLockObject()) {

        synchronized (getLockObject()) {

            if (who == null) {

            if (who == null) {

                if ((frpManagementAgentUid != mInjector.binderGetCallingUid())) {

                if ((frpManagementAgentUid != mInjector.binderGetCallingUid())

                        && (mContext.checkCallingPermission(permission.MASTER_CLEAR)

                        != PackageManager.PERMISSION_GRANTED)) {

                    throw new SecurityException(

                    throw new SecurityException(

                            "Must be called by the FRP management agent on device");

                            "Must be called by the FRP management agent on device");

                }

                }