Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d2b21047 authored by Amith Yamasani's avatar Amith Yamasani
Browse files

Add a separate read permission for oem unlock state

New privileged permission READ_OEM_UNLOCK_STATE added
for system privileged apps.

Changing the unlock state still requires the old
permission OEM_UNLOCK_STATE, which is signature protected.

Bug: 28953956
Change-Id: Iedd2ad1d2d1dc3ae91122d7c406e3ee623a47d61
parent 5548733e
Loading
Loading
Loading
Loading
+1 −0
Original line number Diff line number Diff line
@@ -169,6 +169,7 @@ package android {
    field public static final java.lang.String READ_INSTALL_SESSIONS = "android.permission.READ_INSTALL_SESSIONS";
    field public static final java.lang.String READ_LOGS = "android.permission.READ_LOGS";
    field public static final java.lang.String READ_NETWORK_USAGE_HISTORY = "android.permission.READ_NETWORK_USAGE_HISTORY";
    field public static final java.lang.String READ_OEM_UNLOCK_STATE = "android.permission.READ_OEM_UNLOCK_STATE";
    field public static final java.lang.String READ_PHONE_STATE = "android.permission.READ_PHONE_STATE";
    field public static final java.lang.String READ_PRIVILEGED_PHONE_STATE = "android.permission.READ_PRIVILEGED_PHONE_STATE";
    field public static final java.lang.String READ_SEARCH_INDEXABLES = "android.permission.READ_SEARCH_INDEXABLES";
+5 −0
Original line number Diff line number Diff line
@@ -1416,6 +1416,11 @@
    <permission android:name="android.permission.DVB_DEVICE"
        android:protectionLevel="signature|privileged" />

    <!-- @SystemApi Allows reading the OEM unlock state
         @hide <p>Not for use by third-party applications. -->
    <permission android:name="android.permission.READ_OEM_UNLOCK_STATE"
        android:protectionLevel="signature|privileged" />

    <!-- @hide Allows enabling/disabling OEM unlock
   <p>Not for use by third-party applications. -->
    <permission android:name="android.permission.OEM_UNLOCK_STATE"
+16 −6
Original line number Diff line number Diff line
@@ -125,10 +125,20 @@ public class PersistentDataBlockService extends SystemService {
        SystemProperties.set(OEM_UNLOCK_PROP, enabled ? "1" : "0");
    }

    private void enforceOemUnlockPermission() {
    private void enforceOemUnlockReadPermission() {
        if (mContext.checkCallingOrSelfPermission(Manifest.permission.READ_OEM_UNLOCK_STATE)
                == PackageManager.PERMISSION_DENIED
                && mContext.checkCallingOrSelfPermission(Manifest.permission.OEM_UNLOCK_STATE)
                == PackageManager.PERMISSION_DENIED) {
            throw new SecurityException("Can't access OEM unlock state. Requires "
                    + "READ_OEM_UNLOCK_STATE or OEM_UNLOCK_STATE permission.");
        }
    }

    private void enforceOemUnlockWritePermission() {
        mContext.enforceCallingOrSelfPermission(
                Manifest.permission.OEM_UNLOCK_STATE,
                "Can't access OEM unlock state");
                "Can't modify OEM unlock state");
    }

    private void enforceUid(int callingUid) {
@@ -425,7 +435,7 @@ public class PersistentDataBlockService extends SystemService {

        @Override
        public void wipe() {
            enforceOemUnlockPermission();
            enforceOemUnlockWritePermission();

            synchronized (mLock) {
                int ret = nativeWipe(mDataBlockFile);
@@ -442,7 +452,7 @@ public class PersistentDataBlockService extends SystemService {
            if (ActivityManager.isUserAMonkey()) {
                return;
            }
            enforceOemUnlockPermission();
            enforceOemUnlockWritePermission();
            enforceIsAdmin();

            synchronized (mLock) {
@@ -453,13 +463,13 @@ public class PersistentDataBlockService extends SystemService {

        @Override
        public boolean getOemUnlockEnabled() {
            enforceOemUnlockPermission();
            enforceOemUnlockReadPermission();
            return doGetOemUnlockEnabled();
        }

        @Override
        public int getFlashLockState() {
            enforceOemUnlockPermission();
            enforceOemUnlockReadPermission();
            String locked = SystemProperties.get(FLASH_LOCK_PROP);
            switch (locked) {
                case FLASH_LOCK_LOCKED: