Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d2b21047 authored by Amith Yamasani's avatar Amith Yamasani
Browse files

Add a separate read permission for oem unlock state 

New privileged permission READ_OEM_UNLOCK_STATE added
for system privileged apps.

Changing the unlock state still requires the old
permission OEM_UNLOCK_STATE, which is signature protected.

Bug: 28953956
Change-Id: Iedd2ad1d2d1dc3ae91122d7c406e3ee623a47d61
parent 5548733e

api/system-current.txt

+1 −0
Original line number Diff line number Diff line
@@ -169,6 +169,7 @@ package android { 
    field public static final java.lang.String READ_INSTALL_SESSIONS = "android.permission.READ_INSTALL_SESSIONS";

    field public static final java.lang.String READ_LOGS = "android.permission.READ_LOGS";

    field public static final java.lang.String READ_NETWORK_USAGE_HISTORY = "android.permission.READ_NETWORK_USAGE_HISTORY";

    field public static final java.lang.String READ_OEM_UNLOCK_STATE = "android.permission.READ_OEM_UNLOCK_STATE";

    field public static final java.lang.String READ_PHONE_STATE = "android.permission.READ_PHONE_STATE";

    field public static final java.lang.String READ_PRIVILEGED_PHONE_STATE = "android.permission.READ_PRIVILEGED_PHONE_STATE";

    field public static final java.lang.String READ_SEARCH_INDEXABLES = "android.permission.READ_SEARCH_INDEXABLES";

core/res/AndroidManifest.xml

+5 −0
Original line number Diff line number Diff line
@@ -1416,6 +1416,11 @@ 
    <permission android:name="android.permission.DVB_DEVICE"

        android:protectionLevel="signature|privileged" />



    <!-- @SystemApi Allows reading the OEM unlock state

         @hide <p>Not for use by third-party applications. -->

    <permission android:name="android.permission.READ_OEM_UNLOCK_STATE"

        android:protectionLevel="signature|privileged" />



    <!-- @hide Allows enabling/disabling OEM unlock

   <p>Not for use by third-party applications. -->

    <permission android:name="android.permission.OEM_UNLOCK_STATE"

services/core/java/com/android/server/PersistentDataBlockService.java

+16 −6
Original line number Diff line number Diff line
@@ -125,10 +125,20 @@ public class PersistentDataBlockService extends SystemService { 
        SystemProperties.set(OEM_UNLOCK_PROP, enabled ? "1" : "0");

    }



    private void enforceOemUnlockPermission() {

    private void enforceOemUnlockReadPermission() {

        if (mContext.checkCallingOrSelfPermission(Manifest.permission.READ_OEM_UNLOCK_STATE)

                == PackageManager.PERMISSION_DENIED

                && mContext.checkCallingOrSelfPermission(Manifest.permission.OEM_UNLOCK_STATE)

                == PackageManager.PERMISSION_DENIED) {

            throw new SecurityException("Can't access OEM unlock state. Requires "

                    + "READ_OEM_UNLOCK_STATE or OEM_UNLOCK_STATE permission.");

        }

    }



    private void enforceOemUnlockWritePermission() {

        mContext.enforceCallingOrSelfPermission(

                Manifest.permission.OEM_UNLOCK_STATE,

                "Can't access OEM unlock state");

                "Can't modify OEM unlock state");

    }



    private void enforceUid(int callingUid) {
@@ -425,7 +435,7 @@ public class PersistentDataBlockService extends SystemService { 


        @Override

        public void wipe() {

            enforceOemUnlockPermission();

            enforceOemUnlockWritePermission();



            synchronized (mLock) {

                int ret = nativeWipe(mDataBlockFile);
@@ -442,7 +452,7 @@ public class PersistentDataBlockService extends SystemService { 
            if (ActivityManager.isUserAMonkey()) {

                return;

            }

            enforceOemUnlockPermission();

            enforceOemUnlockWritePermission();

            enforceIsAdmin();



            synchronized (mLock) {
@@ -453,13 +463,13 @@ public class PersistentDataBlockService extends SystemService { 


        @Override

        public boolean getOemUnlockEnabled() {

            enforceOemUnlockPermission();

            enforceOemUnlockReadPermission();

            return doGetOemUnlockEnabled();

        }



        @Override

        public int getFlashLockState() {

            enforceOemUnlockPermission();

            enforceOemUnlockReadPermission();

            String locked = SystemProperties.get(FLASH_LOCK_PROP);

            switch (locked) {

                case FLASH_LOCK_LOCKED: