Only update block_devmode when the device is owned.
The previous code would reset block_devmode even when no owner is
present, which is incorrect and causes the flag to be cleared
prematurely during OOBE.
BUG=chromium:375772
TEST=Manual: Set block_devmode=1, go through recovery, boot into OOBE, switch to dev. Dev-mode should be blocked.
Change-Id: Id2a39187c32e07039becffc881754570fd0f867f
Reviewed-on: https://chromium-review.googlesource.com/201630
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Chris Masone <cmasone@chromium.org>
Commit-Queue: Mattias Nissler <mnissler@chromium.org>
diff --git a/session_manager_impl.cc b/session_manager_impl.cc
index 4b87b3c..33cc1d6 100644
--- a/session_manager_impl.cc
+++ b/session_manager_impl.cc
@@ -77,21 +77,6 @@
// The name of the flag that indicates whether dev mode should be blocked.
const char kCrossystemBlockDevmode[] = "block_devmode";
-// Applies system settings as specified in |settings|.
-static void UpdateSystemSettings(
- const enterprise_management::ChromeDeviceSettingsProto& settings) {
- int block_devmode_setting =
- settings.system_settings().block_devmode() ? 1 : 0;
- int block_devmode_value = VbGetSystemPropertyInt(kCrossystemBlockDevmode);
- if (block_devmode_value == -1)
- LOG(ERROR) << "Failed to read block_devmode flag!";
-
- if (block_devmode_setting != block_devmode_value) {
- if (VbSetSystemPropertyInt(kCrossystemBlockDevmode, block_devmode_setting))
- LOG(ERROR) << "Failed to write block_devmode flag!";
- }
-}
-
} // namespace
SessionManagerImpl::Error::Error() : set_(false) {}
@@ -215,7 +200,7 @@
if (device_policy_->Initialize()) {
device_local_account_policy_->UpdateDeviceSettings(
device_policy_->GetSettings());
- UpdateSystemSettings(device_policy_->GetSettings());
+ UpdateSystemSettings();
return true;
}
return false;
@@ -567,7 +552,7 @@
success);
device_local_account_policy_->UpdateDeviceSettings(
device_policy_->GetSettings());
- UpdateSystemSettings(device_policy_->GetSettings());
+ UpdateSystemSettings();
}
void SessionManagerImpl::OnKeyPersisted(bool success) {
@@ -658,4 +643,21 @@
return it == user_sessions_.end() ? NULL : it->second->policy_service.get();
}
+void SessionManagerImpl::UpdateSystemSettings() {
+ // Only write settings when device ownership is established.
+ if (!owner_key_.IsPopulated())
+ return;
+
+ int block_devmode_setting =
+ device_policy_->GetSettings().system_settings().block_devmode() ? 1 : 0;
+ int block_devmode_value = VbGetSystemPropertyInt(kCrossystemBlockDevmode);
+ if (block_devmode_value == -1)
+ LOG(ERROR) << "Failed to read block_devmode flag!";
+
+ if (block_devmode_setting != block_devmode_value) {
+ if (VbSetSystemPropertyInt(kCrossystemBlockDevmode, block_devmode_setting))
+ LOG(ERROR) << "Failed to write block_devmode flag!";
+ }
+}
+
} // namespace login_manager
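Review bot: In the added `UpdateSystemSettings()`, a failed read leaves `block_devmode_value` at -1, which never equals the 0/1 policy value, so after the error is logged the write is still attempted while the current state is unknown. If that is intended, say so at the check, e.g. `// -1 (read failure) never matches 0/1, so the policy value is still written below.` Separately, `block_devmode()` presumably returns false when the policy carries no `system_settings`, so an owned device with such a policy would have the flag cleared. If unset should mean "leave unchanged", a guard such as `if (!device_policy_->GetSettings().has_system_settings()) return;` would cover it, to be confirmed against the proto definition. A write failure is only logged, so callers cannot tell that the flag was not enforced.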
diff --git a/session_manager_impl.h b/session_manager_impl.h
index 0ca8056..891d3b3 100644
--- a/session_manager_impl.h
+++ b/session_manager_impl.h
@@ -191,6 +191,9 @@
PolicyService* GetPolicyService(const std::string& user_email);
+ // Updates system settings according to |device_policy_|.
+ void UpdateSystemSettings();
+
bool session_started_;
bool session_stopping_;
bool screen_locked_;
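Review bot: The declaration comment on `UpdateSystemSettings()` does not mention the ownership gate, which is the behaviour this commit exists to add and the part a caller most needs to know. I would word it as `// Writes the block_devmode flag from |device_policy_|. Does nothing while no owner key is populated, so the flag is left untouched during OOBE.` It is also worth noting there that read and write failures are only logged and not reported to the caller.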