authorCraig Lafayette <craiglafa@google.com>2015-03-27 09:01:43 -0400
committerCraig Lafayette <craiglafa@google.com>2015-04-10 13:14:24 -0400
commit66445a639dc134d09393f5069b7683ec36d4cd07 (patch)
tree18a7dd9062849f8fa258bf5de64d6629aed34e33 /core/java/android/service/persistentdata
parent8d1db149b6a435b69affd82af2f8dc5367477f28 (diff)
Reset protection in PersistentDataBlockManager
Add method to allow authorized data block wipe in support of factory reset protection. This will allow ManagedProvisioning to respond to and pass factory reset protection challenges during automated device setup. - Adds the wipeIfAllowed method to clear the data block - Creates a protected-broadcast to send to allowed package Bug: 19792435 Change-Id: I897f2ea2afb1222a1fc8ac49290ee45ea4d3f2d7
Diffstat (limited to 'core/java/android/service/persistentdata')
-rw-r--r--core/java/android/service/persistentdata/IPersistentDataBlockService.aidl3
-rw-r--r--core/java/android/service/persistentdata/PersistentDataBlockManager.java74
2 files changed, 77 insertions, 0 deletions
diff --git a/core/java/android/service/persistentdata/IPersistentDataBlockService.aidl b/core/java/android/service/persistentdata/IPersistentDataBlockService.aidl
index 52db223..0071a33 100644
--- a/core/java/android/service/persistentdata/IPersistentDataBlockService.aidl
+++ b/core/java/android/service/persistentdata/IPersistentDataBlockService.aidl
@@ -16,6 +16,8 @@
package android.service.persistentdata;
+import android.app.PendingIntent;
+import android.os.Bundle;
import android.os.ParcelFileDescriptor;
/**
@@ -30,6 +32,7 @@ interface IPersistentDataBlockService {
int write(in byte[] data);
byte[] read();
void wipe();
+ void wipeIfAllowed(in Bundle bundle, in PendingIntent pi);
int getDataBlockSize();
long getMaximumDataBlockSize();
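Review bot: The added `wipeIfAllowed` declaration carries no comment on what the `bundle` holds or on who may call it, even though the manager-side Javadoc in this commit says the bundle may carry account credentials or an authorization token. The caller check presumably lives in the service implementation, as it does for `wipe()`, but that code is outside this diff, so nothing on the interface tells an implementer that the payload is sensitive. A short comment above the declaration would carry that intent: `// bundle may hold credentials or a token: treat as sensitive, never log it.` and `// Implementations are expected to enforce the same caller restriction as wipe().`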
diff --git a/core/java/android/service/persistentdata/PersistentDataBlockManager.java b/core/java/android/service/persistentdata/PersistentDataBlockManager.java
index 0ffdf68..31570c6 100644
--- a/core/java/android/service/persistentdata/PersistentDataBlockManager.java
+++ b/core/java/android/service/persistentdata/PersistentDataBlockManager.java
@@ -17,6 +17,8 @@
package android.service.persistentdata;
import android.annotation.SystemApi;
+import android.app.PendingIntent;
+import android.os.Bundle;
import android.os.RemoteException;
import android.util.Slog;
@@ -41,6 +43,56 @@ import android.util.Slog;
@SystemApi
public class PersistentDataBlockManager {
private static final String TAG = PersistentDataBlockManager.class.getSimpleName();
+
+ /**
+ * Broadcast action that will be called when the {@link #wipeIfAllowed(Bundle,PendingIntent)}
+ * method is called. A broadcast with this action will be sent to the package allowed to write
+ * to the persistent data block. Packages receiving this broadcasts should respond by using the
+ * {@link android.app.PendingIntent} sent in the {@link #EXTRA_WIPE_IF_ALLOWED_CALLBACK} extra.
+ */
+ public static final String ACTION_WIPE_IF_ALLOWED
+ = "android.service.persistentdata.action.WIPE_IF_ALLOWED";
+
+ /**
+ * A {@link android.os.Parcelable} extra of type {@link android.app.PendingIntent} used to
+ * response to {@link #wipeIfAllowed(Bundle,PendingIntent)}. This extra will set in broadcasts
+ * with an action of {@link #ACTION_WIPE_IF_ALLOWED}.
+ */
+ public static final String EXTRA_WIPE_IF_ALLOWED_CALLBACK
+ = "android.service.persistentdata.extra.WIPE_IF_ALLOWED_CALLBACK";
+
+ /**
+ * Result code indicating that the data block was wiped.
+ *
+ * <p>This value is set as result code of the {@link android.app.PendingIntent} argument to
+ * {@link #wipeIfAllowed(Bundle,PendingIntent)}
+ */
+ public static final int STATUS_SUCCESS = 0;
+
+ /**
+ * Result code indicating that a remote exception was received while processing the request.
+ *
+ * <p>This value is set as result code of the {@link android.app.PendingIntent} argument to
+ * {@link #wipeIfAllowed(Bundle,PendingIntent)}
+ */
+ public static final int STATUS_ERROR_REMOTE_EXCEPTION = 1;
+
+ /**
+ * Result code indicating that a network error occurred while processing the request.
+ *
+ * <p>This value is set as result code of the {@link android.app.PendingIntent} argument to
+ * {@link #wipeIfAllowed(Bundle,PendingIntent)}
+ */
+ public static final int STATUS_ERROR_NETWORK_ERROR = 2;
+
+ /**
+ * Result code indicating that the data block could not be cleared with the provided data.
+ *
+ * <p>This value is set as result code of the {@link android.app.PendingIntent} argument to
+ * {@link #wipeIfAllowed(Bundle,PendingIntent)}
+ */
+ public static final int STATUS_ERROR_NOT_COMPLIANT = 3;
+
private IPersistentDataBlockService sService;
public PersistentDataBlockManager(IPersistentDataBlockService service) {
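Review bot: The Javadoc on `EXTRA_WIPE_IF_ALLOWED_CALLBACK` reads "used to response to ... This extra will set in broadcasts", which should be `used to respond to {@link #wipeIfAllowed(Bundle,PendingIntent)}. This extra will be set in broadcasts`; the `ACTION_WIPE_IF_ALLOWED` Javadoc has the matching slip "receiving this broadcasts", which should be `receiving this broadcast`. Since both constants are public `@SystemApi` surface, the text will be published as-is. The four `STATUS_*` Javadocs also end without a period after the `{@link ...}`; minor, but worth fixing in the same pass.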
@@ -118,6 +170,28 @@ public class PersistentDataBlockManager {
}
/**
+ * Attempt to wipe the data block by sending a broadcast to the package allowed to modify the
+ * datablock. The allowed package can refuse to wipe the data block based on the contents of
+ * the specified bundle. This bundle may contain data used by the allowed package to wipe the
+ * partition such as account credentials or an authorization token.
+ * @param bundle data used to wipe the data block. The contents of this bundle depend on the
+ * allowed package receiving the data.
+ * @param pi intent called when attempt finished. The result code of this intent will be set
+ * to one of {@link #STATUS_SUCCESS}, {@link #STATUS_ERROR_REMOTE_EXCEPTION},
+ * {@link #STATUS_ERROR_NETWORK_ERROR}, or {@link #STATUS_ERROR_NOT_COMPLIANT}.
+ */
+ public void wipeIfAllowed(Bundle bundle, PendingIntent pi) {
+ if (pi == null) {
+ throw new NullPointerException();
+ }
+ try {
+ sService.wipeIfAllowed(bundle, pi);
+ } catch (RemoteException e) {
+ onError("wiping persistent partition");
+ }
+ }
+
+ /**
* Writes a byte enabling or disabling the ability to "OEM unlock" the device.
*/
public void setOemUnlockEnabled(boolean enabled) {
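Review bot: When the binder call in `wipeIfAllowed` throws `RemoteException`, the catch block only logs via `onError` and never completes `pi`, so the caller's callback is never delivered even though the method's Javadoc promises a result code of `STATUS_ERROR_REMOTE_EXCEPTION` in that case; a failed transaction means the service most likely never received the `PendingIntent`, so the manager is the only place left to send it. The bare `throw new NullPointerException()` also gives the caller no hint which argument was null. I would complete the callback from the catch block and name the argument in the exception, as below; the enclosing class starts outside this hunk.
```java
    public void wipeIfAllowed(Bundle bundle, PendingIntent pi) {
        if (pi == null) {
            throw new NullPointerException("pi must not be null");
        }
        try {
            sService.wipeIfAllowed(bundle, pi);
        } catch (RemoteException e) {
            onError("wiping persistent partition");
            // The transaction failed, so the service will not complete the callback; do it here
            // so the caller still observes STATUS_ERROR_REMOTE_EXCEPTION as documented.
            try {
                pi.send(STATUS_ERROR_REMOTE_EXCEPTION);
            } catch (PendingIntent.CanceledException ignored) {
                // The caller cancelled its own callback; there is nobody left to notify.
            }
        }
    }
```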