
OEM unlocking allowed status incorrect

Open S734M opened this issue 7 months ago • 2 comments

Hi,

After performing a device audit, the "information provided by the verified OS" section lists "OEM unlocking allowed" as returning "no" when it is in fact allowed on the device being audited.

This appears to be because the call:

SystemProperties.get("sys.oem_unlock_allowed", "0");

Results in the following denial:

auditd : avc=type=1400 audit(0.0:21191): avc: denied { read } for comm="getprop" name="u:object_r:userdebug_or_eng_prop:s0" dev="tmpfs" ino=469 scontext=u:r:untrusted_app:s0:c109,c256,c512,c768 context=u:object_r:userdebug_or_eng_prop:s0 tclass=file permissive=0 app=app.attestation.auditor

This seems to be reproducible on all of my devices. Let me know if you need any more information.

Thank you

S734M, Apr 29 '25 21:04
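For triaging denials like the one reported above, the following added example (not part of the original issue and not Auditor's code) parses an AVC line and flags enforced read denials on system property contexts. The function names are hypothetical, and the parser accepts both the standard `tcontext` key and the `context` key as it appears in the posted line.

```python
import re

# Denial line copied as posted in the issue above.
SAMPLE = ('auditd : avc=type=1400 audit(0.0:21191): avc: denied { read } for '
          'comm="getprop" name="u:object_r:userdebug_or_eng_prop:s0" dev="tmpfs" '
          'ino=469 scontext=u:r:untrusted_app:s0:c109,c256,c512,c768 '
          'context=u:object_r:userdebug_or_eng_prop:s0 tclass=file permissive=0 '
          'app=app.attestation.auditor')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC record, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type:level[:categories] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def property_read_denial(line):
    """Describe an enforced read denial on a *_prop target, else None."""
    rec = parse_avc(line)
    if not rec or rec["result"] != "denied" or "read" not in rec["perms"]:
        return None
    if rec.get("tclass") != "file" or rec.get("permissive") != "0":
        return None
    # Target context: "tcontext" normally, "context" as in the posted line.
    target = rec.get("tcontext") or rec.get("context") or rec.get("name", "")
    ttype = selinux_type(target)
    if not ttype or not ttype.endswith("_prop"):
        return None
    return {"app": rec.get("app"), "comm": rec.get("comm"),
            "domain": selinux_type(rec.get("scontext", "")),
            "property_type": ttype}

if __name__ == "__main__":
    print(property_read_denial(SAMPLE))
```

A hit here means the caller received the default passed to the property read rather than the real value, which is how the report shows "no" for a device where unlocking is allowed.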

Seems like this is another thing we'll need to migrate to an extension API for system apps as a GrapheneOS exclusive feature.

thestinger, Apr 29 '25 21:04

This change appears to have happened with Android 15 QPR2.

thestinger, Apr 29 '25 21:04