Merge \\"Added UM.DISALLOW_OEM_UNLOCK, Removed Global.OEM_UNLOCK_DISALLOWED.\\" into nyc-mr1-dev am: 695a1c50a2

am: e64f60a455

Change-Id: Iedc9544179d3c3de8616375e51f7a60ddd1c8c3b

9 files changed, 44 insertions, 34 deletions

diff --git a/core/java/android/os/UserManager.java b/core/java/android/os/UserManager.java
index 5dea3d661ae3..b9193b271906 100644
--- a/core/java/android/os/UserManager.java
+++ b/core/java/android/os/UserManager.java
@@ -603,6 +603,17 @@ public class UserManager {
     public static final String DISALLOW_SET_USER_ICON = "no_set_user_icon";
 
     /**
+     * Specifies if a user is not allowed to enable the oem unlock setting. The default value is
+     * <code>false</code>.
+     *
+     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
+     * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
+     * @see #getUserRestrictions()
+     * @hide
+     */
+    public static final String DISALLOW_OEM_UNLOCK = "no_oem_unlock";
+
+    /**
      * Allows apps in the parent profile to handle web links from the managed profile.
      *
      * This user restriction has an effect only in a managed profile.
diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java
index a3fc71edf111..7d3fb6463ae9 100755
--- a/core/java/android/provider/Settings.java
+++ b/core/java/android/provider/Settings.java
@@ -9123,15 +9123,6 @@ public final class Settings {
         public static final String ENABLE_CELLULAR_ON_BOOT = "enable_cellular_on_boot";
 
         /**
-         * Whether toggling OEM unlock is disallowed. If disallowed, it is not possible to enable or
-         * disable OEM unlock.
-         * <p>
-         * Type: int (0: allow OEM unlock setting. 1: disallow OEM unlock)
-         * @hide
-         */
-        public static final String OEM_UNLOCK_DISALLOWED = "oem_unlock_disallowed";
-
-        /**
          * The maximum allowed notification enqueue rate in Hertz.
          *
          * Should be a float, and includes both posts and updates.
diff --git a/core/res/res/values/config.xml b/core/res/res/values/config.xml
index cd56f0f519f7..8b3939c79cc8 100644
--- a/core/res/res/values/config.xml
+++ b/core/res/res/values/config.xml
@@ -2538,4 +2538,9 @@
 
     <!-- Package name for the device provisioning package. -->
     <string name="config_deviceProvisioningPackage"></string>
+
+    <!-- User restrictions set when the first user is created.
+         Note: Also update appropriate overlay files. -->
+    <string-array translatable="false" name="config_defaultFirstUserRestrictions">
+    </string-array>
 </resources>
diff --git a/core/res/res/values/symbols.xml b/core/res/res/values/symbols.xml
index 5045f337fb2d..e7eafb7215e7 100644
--- a/core/res/res/values/symbols.xml
+++ b/core/res/res/values/symbols.xml
@@ -2670,4 +2670,7 @@
   <java-symbol type="integer" name="config_defaultNightDisplayAutoMode" />
   <java-symbol type="integer" name="config_defaultNightDisplayCustomStartTime" />
   <java-symbol type="integer" name="config_defaultNightDisplayCustomEndTime" />
+
+  <!-- Default first user restrictions -->
+  <java-symbol type="array" name="config_defaultFirstUserRestrictions" />
 </resources>
diff --git a/packages/SettingsProvider/res/values/defaults.xml b/packages/SettingsProvider/res/values/defaults.xml
index 108814e66348..978ca9466ff1 100644
--- a/packages/SettingsProvider/res/values/defaults.xml
+++ b/packages/SettingsProvider/res/values/defaults.xml
@@ -216,7 +216,4 @@
 
     <!-- Default setting for ability to add users from the lock screen -->
     <bool name="def_add_users_from_lockscreen">false</bool>
-
-    <!-- Default setting for disallow oem unlock. -->
-    <bool name="def_oem_unlock_disallow">false</bool>
 </resources>
diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
index 950c7d33b672..28e9a45cc40e 100644
--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
@@ -2330,14 +2330,7 @@ public class SettingsProvider extends ContentProvider {
                 }
 
                 if (currentVersion == 127) {
-                    // Version 127: Disable OEM unlock setting by default on some devices.
-                    final SettingsState globalSettings = getGlobalSettingsLocked();
-                    String defaultOemUnlockDisabled = (getContext().getResources()
-                            .getBoolean(R.bool.def_oem_unlock_disallow) ? "1" : "0");
-                    globalSettings.insertSettingLocked(
-                            Settings.Global.OEM_UNLOCK_DISALLOWED,
-                            defaultOemUnlockDisabled,
-                            SettingsState.SYSTEM_PACKAGE_NAME);
+                    // version 127 is no longer used.
                     currentVersion = 128;
                 }
 
diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java
index e233b1c84bc6..080b46c24a2f 100644
--- a/services/core/java/com/android/server/PersistentDataBlockService.java
+++ b/services/core/java/com/android/server/PersistentDataBlockService.java
@@ -157,11 +157,10 @@ public class PersistentDataBlockService extends SystemService {
         }
     }
 
-    private void enforceFactoryResetAllowed() {
-        final boolean isOemUnlockRestricted = UserManager.get(mContext)
-                .hasUserRestriction(UserManager.DISALLOW_FACTORY_RESET);
-        if (isOemUnlockRestricted) {
-            throw new SecurityException("OEM unlock is disallowed by DISALLOW_FACTORY_RESET");
+    private void enforceUserRestriction(String userRestriction) {
+        if (UserManager.get(mContext).hasUserRestriction(userRestriction)) {
+            throw new SecurityException(
+                    "OEM unlock is disallowed by user restriction: " + userRestriction);
         }
     }
 
@@ -467,13 +466,9 @@ public class PersistentDataBlockService extends SystemService {
             enforceIsAdmin();
 
             if (enabled) {
-                // Do not allow oem unlock to be enabled if it has been disallowed.
-                if (Settings.Global.getInt(getContext().getContentResolver(),
-                        Settings.Global.OEM_UNLOCK_DISALLOWED, 0) == 1) {
-                    throw new SecurityException(
-                            "OEM unlock has been disallowed by OEM_UNLOCK_DISALLOWED.");
-                }
-                enforceFactoryResetAllowed();
+                // Do not allow oem unlock to be enabled if it's disallowed by a user restriction.
+                enforceUserRestriction(UserManager.DISALLOW_OEM_UNLOCK);
+                enforceUserRestriction(UserManager.DISALLOW_FACTORY_RESET);
             }
             synchronized (mLock) {
                 doSetOemUnlockEnabledLocked(enabled);
diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
index 5c7e87f5154c..68ccbdfceca9 100644
--- a/services/core/java/com/android/server/pm/UserManagerService.java
+++ b/services/core/java/com/android/server/pm/UserManagerService.java
@@ -1799,6 +1799,18 @@ public class UserManagerService extends IUserManager.Stub {
         mUserVersion = USER_VERSION;
 
         Bundle restrictions = new Bundle();
+        try {
+            final String[] defaultFirstUserRestrictions = mContext.getResources().getStringArray(
+                    com.android.internal.R.array.config_defaultFirstUserRestrictions);
+            for (String userRestriction : defaultFirstUserRestrictions) {
+                if (UserRestrictionsUtils.isValidRestriction(userRestriction)) {
+                    restrictions.putBoolean(userRestriction, true);
+                }
+            }
+        } catch (Resources.NotFoundException e) {
+            Log.e(LOG_TAG, "Couldn't find resource: config_defaultFirstUserRestrictions", e);
+        }
+
         synchronized (mRestrictionsLock) {
             mBaseUserRestrictions.append(UserHandle.USER_SYSTEM, restrictions);
         }
diff --git a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
index c082143e9b5f..04997570b89e 100644
--- a/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
+++ b/services/core/java/com/android/server/pm/UserRestrictionsUtils.java
@@ -104,7 +104,8 @@ public class UserRestrictionsUtils {
             UserManager.DISALLOW_RUN_IN_BACKGROUND,
             UserManager.DISALLOW_DATA_ROAMING,
             UserManager.DISALLOW_SET_USER_ICON,
-            UserManager.DISALLOW_SET_WALLPAPER
+            UserManager.DISALLOW_SET_WALLPAPER,
+            UserManager.DISALLOW_OEM_UNLOCK
     });
 
     /**
@@ -138,7 +139,8 @@ public class UserRestrictionsUtils {
      */
     private static final Set<String> IMMUTABLE_BY_OWNERS = Sets.newArraySet(
             UserManager.DISALLOW_RECORD_AUDIO,
-            UserManager.DISALLOW_WALLPAPER
+            UserManager.DISALLOW_WALLPAPER,
+            UserManager.DISALLOW_OEM_UNLOCK
     );
 
     /**
@@ -426,6 +428,7 @@ public class UserRestrictionsUtils {
                             newValue ? 1 : 0);
                     break;
                 case UserManager.DISALLOW_FACTORY_RESET:
+                case UserManager.DISALLOW_OEM_UNLOCK:
                     if (newValue) {
                         PersistentDataBlockManager manager = (PersistentDataBlockManager) context
                                 .getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);