Merge \"Add a separate read permission for oem unlock state\" into nyc-dev
am: 718f321369
Change-Id: I934a06f985319d4520044aff7adf4329f0c27953
diff --git a/api/system-current.txt b/api/system-current.txt
index 9f2a411..59b9208 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -169,6 +169,7 @@
field public static final java.lang.String READ_INSTALL_SESSIONS = "android.permission.READ_INSTALL_SESSIONS";
field public static final java.lang.String READ_LOGS = "android.permission.READ_LOGS";
field public static final java.lang.String READ_NETWORK_USAGE_HISTORY = "android.permission.READ_NETWORK_USAGE_HISTORY";
+ field public static final java.lang.String READ_OEM_UNLOCK_STATE = "android.permission.READ_OEM_UNLOCK_STATE";
field public static final java.lang.String READ_PHONE_STATE = "android.permission.READ_PHONE_STATE";
field public static final java.lang.String READ_PRIVILEGED_PHONE_STATE = "android.permission.READ_PRIVILEGED_PHONE_STATE";
field public static final java.lang.String READ_SEARCH_INDEXABLES = "android.permission.READ_SEARCH_INDEXABLES";
diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index 6c289dc..b03ba20 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -1416,6 +1416,11 @@
<permission android:name="android.permission.DVB_DEVICE"
android:protectionLevel="signature|privileged" />
+ <!-- @SystemApi Allows reading the OEM unlock state
+ @hide <p>Not for use by third-party applications. -->
+ <permission android:name="android.permission.READ_OEM_UNLOCK_STATE"
+ android:protectionLevel="signature|privileged" />
+
<!-- @hide Allows enabling/disabling OEM unlock
<p>Not for use by third-party applications. -->
<permission android:name="android.permission.OEM_UNLOCK_STATE"
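Review bot: The comment on READ_OEM_UNLOCK_STATE says only "Allows reading the OEM unlock state", which understates what the permission gates. In the PersistentDataBlockService.java section of this commit, it also gates getFlashLockState(), and holders of OEM_UNLOCK_STATE pass the same read check. I would extend the comment to something like `Allows reading the OEM unlock state and the flash lock state; also implied by OEM_UNLOCK_STATE`, so anyone auditing which privileged apps hold it can see the full scope of what is exposed. The `@hide` tag is also placed differently from the neighbouring OEM_UNLOCK_STATE comment, where it comes first; matching that order would keep the block consistent.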
diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java
index 2085f32..680547a 100644
--- a/services/core/java/com/android/server/PersistentDataBlockService.java
+++ b/services/core/java/com/android/server/PersistentDataBlockService.java
@@ -125,10 +125,20 @@
SystemProperties.set(OEM_UNLOCK_PROP, enabled ? "1" : "0");
}
- private void enforceOemUnlockPermission() {
+ private void enforceOemUnlockReadPermission() {
+ if (mContext.checkCallingOrSelfPermission(Manifest.permission.READ_OEM_UNLOCK_STATE)
+ == PackageManager.PERMISSION_DENIED
+ && mContext.checkCallingOrSelfPermission(Manifest.permission.OEM_UNLOCK_STATE)
+ == PackageManager.PERMISSION_DENIED) {
+ throw new SecurityException("Can't access OEM unlock state. Requires "
+ + "READ_OEM_UNLOCK_STATE or OEM_UNLOCK_STATE permission.");
+ }
+ }
+
+ private void enforceOemUnlockWritePermission() {
mContext.enforceCallingOrSelfPermission(
Manifest.permission.OEM_UNLOCK_STATE,
- "Can't access OEM unlock state");
+ "Can't modify OEM unlock state");
}
private void enforceUid(int callingUid) {
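Review bot: The read guard in enforceOemUnlockReadPermission() rejects only when both checks equal `PackageManager.PERMISSION_DENIED`. Writing each comparison as `!= PackageManager.PERMISSION_GRANTED` would make it fail closed, so any result other than an explicit grant is refused. The hand-built SecurityException also drops the caller identity that enforceCallingOrSelfPermission() appends to its message on the write path. Adding `+ " (uid=" + Binder.getCallingUid() + ")"` would keep denials attributable in logs, assuming android.os.Binder is imported in this file, which the hunk does not show. A one-line comment such as `// OEM_UNLOCK_STATE (write) intentionally implies read access` would record why two permissions are accepted here. enforceUid's body continues outside the hunk.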
@@ -425,7 +435,7 @@
@Override
public void wipe() {
- enforceOemUnlockPermission();
+ enforceOemUnlockWritePermission();
synchronized (mLock) {
int ret = nativeWipe(mDataBlockFile);
@@ -442,7 +452,7 @@
if (ActivityManager.isUserAMonkey()) {
return;
}
- enforceOemUnlockPermission();
+ enforceOemUnlockWritePermission();
enforceIsAdmin();
synchronized (mLock) {
@@ -453,13 +463,13 @@
@Override
public boolean getOemUnlockEnabled() {
- enforceOemUnlockPermission();
+ enforceOemUnlockReadPermission();
return doGetOemUnlockEnabled();
}
@Override
public int getFlashLockState() {
- enforceOemUnlockPermission();
+ enforceOemUnlockReadPermission();
String locked = SystemProperties.get(FLASH_LOCK_PROP);
switch (locked) {
case FLASH_LOCK_LOCKED: