Ignore OEM Unlocking when wiping PDB during factory reset on V+
On Android V and newer, the PDB will no longer wipe itself on start, even if OEM Unlocking is enabled, so trusted factory resets must wipe it. Bug: 336362291 Flag: EXEMPT bugfix Test: atest & manual testing Change-Id: I67cc0fc3e7470c5ddddd03d23942706345361f8f
@@ -151,15 +151,20 @@ public class MainClearConfirm extends InstrumentedFragment {
|
|||||||
if (pdbManager == null) {
|
if (pdbManager == null) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// The persistent data block will persist if the device is still being provisioned.
|
// The persistent data block will persist if the device is still being provisioned.
|
||||||
if (isDeviceStillBeingProvisioned()) {
|
if (isDeviceStillBeingProvisioned()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
// If OEM unlock is allowed, the persistent data block will be wiped during FR
|
|
||||||
// process. If disabled, it will be wiped here instead.
|
// If OEM unlock is allowed, the persistent data block will be wiped during the FR
|
||||||
if (isOemUnlockedAllowed()) {
|
// process on devices without FRP Hardening. If disabled, it will be wiped here instead.
|
||||||
|
// On devices with FRP Hardening, the persistent data block should always be wiped,
|
||||||
|
// regardless of the OEM Unlocking state.
|
||||||
|
if (!android.security.Flags.frpEnforcement() && isOemUnlockedAllowed()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
final DevicePolicyManager dpm = (DevicePolicyManager) getActivity()
|
final DevicePolicyManager dpm = (DevicePolicyManager) getActivity()
|
||||||
.getSystemService(Context.DEVICE_POLICY_SERVICE);
|
.getSystemService(Context.DEVICE_POLICY_SERVICE);
|
||||||
// Do not erase the factory reset protection data (from Settings) if factory reset
|
// Do not erase the factory reset protection data (from Settings) if factory reset
|
||||||
@@ -167,6 +172,7 @@ public class MainClearConfirm extends InstrumentedFragment {
|
|||||||
if (!dpm.isFactoryResetProtectionPolicySupported()) {
|
if (!dpm.isFactoryResetProtectionPolicySupported()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Do not erase the factory reset protection data (from Settings) if the
|
// Do not erase the factory reset protection data (from Settings) if the
|
||||||
// device is an organization-owned managed profile device and a factory
|
// device is an organization-owned managed profile device and a factory
|
||||||
// reset protection policy has been set.
|
// reset protection policy has been set.
|
||||||
@@ -175,6 +181,7 @@ public class MainClearConfirm extends InstrumentedFragment {
|
|||||||
&& frpPolicy.isNotEmpty()) {
|
&& frpPolicy.isNotEmpty()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
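Review bot: With `frpEnforcement()` on, a device that allows OEM unlocking now falls through to the later `return false` branches, `!dpm.isFactoryResetProtectionPolicySupported()` and the organization-owned check ending in `frpPolicy.isNotEmpty()`, which that state never reached before. The description says the PDB no longer wipes itself on start, so on those paths the block appears to survive a trusted reset from Settings. Please confirm that is intended for OEM-unlock-allowed devices and record it next to the new condition, for example `// With FRP enforcement, OEM-unlock-allowed devices are still subject to the policy checks below.` The new comment also says "devices with FRP Hardening" while the code tests a flag, so naming `android.security.Flags.frpEnforcement()` in it would tie the two together. The body of shouldWipePersistentDataBlock starts above the first hunk and is only partly visible here.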
|
@@ -25,6 +25,10 @@ import static org.mockito.Mockito.when;
|
|||||||
import android.app.admin.DevicePolicyManager;
|
import android.app.admin.DevicePolicyManager;
|
||||||
import android.app.admin.FactoryResetProtectionPolicy;
|
import android.app.admin.FactoryResetProtectionPolicy;
|
||||||
import android.content.Context;
|
import android.content.Context;
|
||||||
|
import android.platform.test.annotations.DisableFlags;
|
||||||
|
import android.platform.test.annotations.EnableFlags;
|
||||||
|
import android.platform.test.flag.junit.SetFlagsRule;
|
||||||
|
import android.security.Flags;
|
||||||
import android.service.persistentdata.PersistentDataBlockManager;
|
import android.service.persistentdata.PersistentDataBlockManager;
|
||||||
import android.view.LayoutInflater;
|
import android.view.LayoutInflater;
|
||||||
import android.widget.TextView;
|
import android.widget.TextView;
|
||||||
@@ -32,6 +36,7 @@ import android.widget.TextView;
|
|||||||
import androidx.fragment.app.FragmentActivity;
|
import androidx.fragment.app.FragmentActivity;
|
||||||
|
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.junit.runner.RunWith;
|
import org.junit.runner.RunWith;
|
||||||
import org.mockito.Mock;
|
import org.mockito.Mock;
|
||||||
@@ -48,6 +53,9 @@ import java.util.ArrayList;
|
|||||||
})
|
})
|
||||||
public class MainClearConfirmTest {
|
public class MainClearConfirmTest {
|
||||||
|
|
||||||
|
@Rule
|
||||||
|
public final SetFlagsRule mSetFlagsRule = new SetFlagsRule();
|
||||||
|
|
||||||
private FragmentActivity mActivity;
|
private FragmentActivity mActivity;
|
||||||
|
|
||||||
@Mock
|
@Mock
|
||||||
@@ -66,6 +74,9 @@ public class MainClearConfirmTest {
|
|||||||
MockitoAnnotations.initMocks(this);
|
MockitoAnnotations.initMocks(this);
|
||||||
mActivity = Robolectric.setupActivity(FragmentActivity.class);
|
mActivity = Robolectric.setupActivity(FragmentActivity.class);
|
||||||
mMainClearConfirm = spy(new MainClearConfirm());
|
mMainClearConfirm = spy(new MainClearConfirm());
|
||||||
|
|
||||||
|
when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))
|
||||||
|
.thenReturn(mDevicePolicyManager);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@@ -110,12 +121,29 @@ public class MainClearConfirmTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void shouldWipePersistentDataBlock_oemUnlockAllowed_shouldReturnFalse() {
|
@DisableFlags(Flags.FLAG_FRP_ENFORCEMENT)
|
||||||
|
public void shouldWipePersistentDataBlock_oemUnlockAllowedAndFlagDiscabled_shouldReturnFalse() {
|
||||||
|
when(mMainClearConfirm.getActivity()).thenReturn(mMockActivity);
|
||||||
|
|
||||||
|
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);
|
||||||
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
||||||
doReturn(true).when(mMainClearConfirm).isOemUnlockedAllowed();
|
doReturn(true).when(mMainClearConfirm).isOemUnlockedAllowed();
|
||||||
|
|
||||||
assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(
|
assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(mPersistentDataBlockManager))
|
||||||
mPersistentDataBlockManager)).isFalse();
|
.isFalse();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@EnableFlags(Flags.FLAG_FRP_ENFORCEMENT)
|
||||||
|
public void shouldWipePersistentDataBlock_oemUnlockAllowedAndFlagEnabled_shouldReturnTrue() {
|
||||||
|
when(mMainClearConfirm.getActivity()).thenReturn(mMockActivity);
|
||||||
|
|
||||||
|
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);
|
||||||
|
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
||||||
|
doReturn(true).when(mMainClearConfirm).isOemUnlockedAllowed();
|
||||||
|
|
||||||
|
assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(mPersistentDataBlockManager))
|
||||||
|
.isTrue();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@@ -124,8 +152,7 @@ public class MainClearConfirmTest {
|
|||||||
|
|
||||||
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
||||||
doReturn(false).when(mMainClearConfirm).isOemUnlockedAllowed();
|
doReturn(false).when(mMainClearConfirm).isOemUnlockedAllowed();
|
||||||
when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))
|
|
||||||
.thenReturn(mDevicePolicyManager);
|
|
||||||
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(false);
|
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(false);
|
||||||
|
|
||||||
assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(
|
assertThat(mMainClearConfirm.shouldWipePersistentDataBlock(
|
||||||
@@ -144,8 +171,6 @@ public class MainClearConfirmTest {
|
|||||||
.setFactoryResetProtectionAccounts(accounts)
|
.setFactoryResetProtectionAccounts(accounts)
|
||||||
.setFactoryResetProtectionEnabled(true)
|
.setFactoryResetProtectionEnabled(true)
|
||||||
.build();
|
.build();
|
||||||
when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))
|
|
||||||
.thenReturn(mDevicePolicyManager);
|
|
||||||
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);
|
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);
|
||||||
when(mDevicePolicyManager.getFactoryResetProtectionPolicy(null)).thenReturn(frp);
|
when(mDevicePolicyManager.getFactoryResetProtectionPolicy(null)).thenReturn(frp);
|
||||||
when(mDevicePolicyManager.isOrganizationOwnedDeviceWithManagedProfile()).thenReturn(true);
|
when(mDevicePolicyManager.isOrganizationOwnedDeviceWithManagedProfile()).thenReturn(true);
|
||||||
@@ -161,8 +186,6 @@ public class MainClearConfirmTest {
|
|||||||
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
doReturn(false).when(mMainClearConfirm).isDeviceStillBeingProvisioned();
|
||||||
doReturn(false).when(mMainClearConfirm).isOemUnlockedAllowed();
|
doReturn(false).when(mMainClearConfirm).isOemUnlockedAllowed();
|
||||||
|
|
||||||
when(mMockActivity.getSystemService(Context.DEVICE_POLICY_SERVICE))
|
|
||||||
.thenReturn(mDevicePolicyManager);
|
|
||||||
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);
|
when(mDevicePolicyManager.isFactoryResetProtectionPolicySupported()).thenReturn(true);
|
||||||
when(mDevicePolicyManager.getFactoryResetProtectionPolicy(null)).thenReturn(null);
|
when(mDevicePolicyManager.getFactoryResetProtectionPolicy(null)).thenReturn(null);
|
||||||
when(mDevicePolicyManager.isOrganizationOwnedDeviceWithManagedProfile()).thenReturn(false);
|
when(mDevicePolicyManager.isOrganizationOwnedDeviceWithManagedProfile()).thenReturn(false);
|
||||||
|
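Review bot: The only test added for the flag-enabled path, `shouldWipePersistentDataBlock_oemUnlockAllowedAndFlagEnabled_shouldReturnTrue`, stubs `isFactoryResetProtectionPolicySupported()` to true and sets no FRP policy. The cases where OEM unlocking is allowed, the flag is on, and the method still returns false are therefore not pinned. A companion test with `@EnableFlags(Flags.FLAG_FRP_ENFORCEMENT)`, `isOemUnlockedAllowed()` true and `isFactoryResetProtectionPolicySupported()` false would document the expected outcome, and a second one could cover the organization-owned device with a non-empty policy. The other visible tests stub `isOemUnlockedAllowed()` to false, so they do not reach the new condition's flag-dependent half. Separately, the renamed test has a typo: `...oemUnlockAllowedAndFlagDiscabled_shouldReturnFalse` should read `...oemUnlockAllowedAndFlagDisabled_shouldReturnFalse`.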