Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 31938e13 authored by Vlad Marica's avatar Vlad Marica
Browse files

Ignore OEM Unlocking when wiping PDB during factory reset on V+ 

On Android V and newer, the PDB will no longer wipe itself on start,
even if OEM Unlocking is enabled, so trusted factory resets must
wipe it.

Bug: 336362291
Flag: EXEMPT bugfix
Test: atest & manual testing
Change-Id: I67cc0fc3e7470c5ddddd03d23942706345361f8f
parent f440ce59

src/com/android/settings/MainClearConfirm.java

+10 −3
Original line number Diff line number Diff line
@@ -151,15 +151,20 @@ public class MainClearConfirm extends InstrumentedFragment { 
        if (pdbManager == null) {

            return false;

        }



        // The persistent data block will persist if the device is still being provisioned.

        if (isDeviceStillBeingProvisioned()) {

            return false;

        }

        // If OEM unlock is allowed, the persistent data block will be wiped during FR

        // process. If disabled, it will be wiped here instead.

        if (isOemUnlockedAllowed()) {



        // If OEM unlock is allowed, the persistent data block will be wiped during the FR

        // process on devices without FRP Hardening. If disabled, it will be wiped here instead.

        // On devices with FRP Hardening, the persistent data block should always be wiped,

        // regardless of the OEM Unlocking state.

        if (!android.security.Flags.frpEnforcement() && isOemUnlockedAllowed()) {

            return false;

        }



        final DevicePolicyManager dpm = (DevicePolicyManager) getActivity()

                .getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Do not erase the factory reset protection data (from Settings) if factory reset
@@ -167,6 +172,7 @@ public class MainClearConfirm extends InstrumentedFragment { 
        if (!dpm.isFactoryResetProtectionPolicySupported()) {

            return false;

        }



        // Do not erase the factory reset protection data (from Settings) if the

        // device is an organization-owned managed profile device and a factory

        // reset protection policy has been set.
@@ -175,6 +181,7 @@ public class MainClearConfirm extends InstrumentedFragment { 
                && frpPolicy.isNotEmpty()) {

            return false;

        }



        return true;

    }

tests/robotests/src/com/android/settings/MainClearConfirmTest.java

+32 −9
Original line number Diff line number Diff line
@@ -25,6 +25,10 @@ import static org.mockito.Mockito.when; 
import android.app.admin.DevicePolicyManager;

import android.app.admin.FactoryResetProtectionPolicy;

import android.content.Context;

import android.platform.test.annotations.DisableFlags;

import android.platform.test.annotations.EnableFlags;

import android.platform.test.flag.junit.SetFlagsRule;

import android.security.Flags;

import android.service.persistentdata.PersistentDataBlockManager;

import android.view.LayoutInflater;

import android.widget.TextView;
@@ -32,6 +36,7 @@ import android.widget.TextView; 
import androidx.fragment.app.FragmentActivity;



import org.junit.Before;

import org.junit.Rule;

import org.junit.Test;

import org.junit.runner.RunWith;

import org.mockito.Mock;
@@ -48,6 +53,9 @@ import java.util.ArrayList; 
})

public class MainClearConfirmTest {



    @Rule

    public final SetFlagsRule mSetFlagsRule = new SetFlagsRule();



    private FragmentActivity mActivity;



    @Mock
@@ -66,6 +74,9 @@ public class MainClearConfirmTest { 
        MockitoAnnotations.initMocks(this);

        mActivity = Robolectric.setupActivity(FragmentActivity.class);

        mMainClearConfirm = spy(new MainClearConfirm());



        when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))

                .thenReturn(mDevicePolicyManager);

    }



    @Test
@@ -110,12 +121,29 @@ public class MainClearConfirmTest { 
    }



    @Test

    public void shouldWipePersistentDataBlock_oemUnlockAllowed_shouldReturnFalse() {

    @DisableFlags(Flags.FLAG_FRP_ENFORCEMENT)

    public void shouldWipePersistentDataBlock_oemUnlockAllowedAndFlagDiscabled_shouldReturnFalse() {

        when(mMainClearConfirm.getActivity()).thenReturn(mMockActivity);



        when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);

        doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();

        doReturn(true).when(mMainClearConfirm).isOemUnlockedAllowed();



        assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(

                mPersistentDataBlockManager)).isFalse();

        assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(mPersistentDataBlockManager))

                .isFalse();

    }



    @Test

    @EnableFlags(Flags.FLAG_FRP_ENFORCEMENT)

    public void shouldWipePersistentDataBlock_oemUnlockAllowedAndFlagEnabled_shouldReturnTrue() {

        when(mMainClearConfirm.getActivity()).thenReturn(mMockActivity);



        when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);

        doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();

        doReturn(true).when(mMainClearConfirm).isOemUnlockedAllowed();



        assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(mPersistentDataBlockManager))

                .isTrue();

    }



    @Test
@@ -124,8 +152,7 @@ public class MainClearConfirmTest { 


        doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();

        doReturn(false).when(mMainClearConfirm).isOemUnlockedAllowed();

        when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))

                .thenReturn(mDevicePolicyManager);



        when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(false);



        assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(
@@ -144,8 +171,6 @@ public class MainClearConfirmTest { 
                .setFactoryResetProtectionAccounts(accounts)

                .setFactoryResetProtectionEnabled(true)

                .build();

        when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))

                .thenReturn(mDevicePolicyManager);

        when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);

        when(mDevicePolicyManager.getFactoryResetProtectionPolicy(null)).thenReturn(frp);

        when(mDevicePolicyManager.isOrganizationOwnedDeviceWithManagedProfile()).thenReturn(true);
@@ -161,8 +186,6 @@ public class MainClearConfirmTest { 
        doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();

        doReturn(false).when(mMainClearConfirm).isOemUnlockedAllowed();



        when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))

                .thenReturn(mDevicePolicyManager);

        when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);

        when(mDevicePolicyManager.getFactoryResetProtectionPolicy(null)).thenReturn(null);

        when(mDevicePolicyManager.isOrganizationOwnedDeviceWithManagedProfile()).thenReturn(false);