Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Michal Karpinski | 6235a94 | 2016-03-15 12:07:23 +0000 | [diff] [blame] | 17 | package android.app.admin; |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 18 | |
| 19 | import android.annotation.IntDef; |
Naomi Musgrave | db980f4 | 2017-11-28 10:56:47 +0000 | [diff] [blame] | 20 | import android.annotation.TestApi; |
Mathew Inwood | 61e8ae6 | 2018-08-14 14:17:44 +0100 | [diff] [blame] | 21 | import android.annotation.UnsupportedAppUsage; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 22 | import android.content.ComponentName; |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 23 | import android.os.Parcel; |
| 24 | import android.os.Parcelable; |
| 25 | import android.os.SystemProperties; |
| 26 | import android.util.EventLog.Event; |
| 27 | |
| 28 | import java.io.IOException; |
| 29 | import java.lang.annotation.Retention; |
| 30 | import java.lang.annotation.RetentionPolicy; |
| 31 | import java.util.Collection; |
Naomi Musgrave | db980f4 | 2017-11-28 10:56:47 +0000 | [diff] [blame] | 32 | import java.util.Objects; |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 33 | |
Pavel Grafov | 73f747b | 2017-04-10 19:29:41 +0100 | [diff] [blame] | 34 | /** |
| 35 | * Definitions for working with security logs. |
| 36 | * |
| 37 | * <p>Device owner apps can control the logging with |
| 38 | * {@link DevicePolicyManager#setSecurityLoggingEnabled}. When security logs are enabled, device |
| 39 | * owner apps receive periodic callbacks from {@link DeviceAdminReceiver#onSecurityLogsAvailable}, |
| 40 | * at which time a new batch of logs can be collected via |
| 41 | * {@link DevicePolicyManager#retrieveSecurityLogs}. {@link SecurityEvent} describes the type and |
| 42 | * format of security logs being collected. |
| 43 | */ |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 44 | public class SecurityLog { |
| 45 | |
| 46 | private static final String PROPERTY_LOGGING_ENABLED = "persist.logd.security"; |
| 47 | |
| 48 | /** @hide */ |
| 49 | @Retention(RetentionPolicy.SOURCE) |
Jeff Sharkey | ce8db99 | 2017-12-13 20:05:05 -0700 | [diff] [blame] | 50 | @IntDef(prefix = { "TAG_" }, value = { |
| 51 | TAG_ADB_SHELL_INTERACTIVE, |
| 52 | TAG_ADB_SHELL_CMD, |
| 53 | TAG_SYNC_RECV_FILE, |
| 54 | TAG_SYNC_SEND_FILE, |
| 55 | TAG_APP_PROCESS_START, |
| 56 | TAG_KEYGUARD_DISMISSED, |
| 57 | TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT, |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 58 | TAG_KEYGUARD_SECURED, |
| 59 | TAG_OS_STARTUP, |
| 60 | TAG_OS_SHUTDOWN, |
| 61 | TAG_LOGGING_STARTED, |
| 62 | TAG_LOGGING_STOPPED, |
| 63 | TAG_MEDIA_MOUNT, |
| 64 | TAG_MEDIA_UNMOUNT, |
| 65 | TAG_LOG_BUFFER_SIZE_CRITICAL, |
| 66 | TAG_PASSWORD_EXPIRATION_SET, |
| 67 | TAG_PASSWORD_COMPLEXITY_SET, |
| 68 | TAG_PASSWORD_HISTORY_LENGTH_SET, |
| 69 | TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, |
| 70 | TAG_MAX_PASSWORD_ATTEMPTS_SET, |
| 71 | TAG_KEYGUARD_DISABLED_FEATURES_SET, |
| 72 | TAG_REMOTE_LOCK, |
| 73 | TAG_USER_RESTRICTION_ADDED, |
| 74 | TAG_USER_RESTRICTION_REMOVED, |
| 75 | TAG_WIPE_FAILURE, |
| 76 | TAG_KEY_GENERATED, |
| 77 | TAG_KEY_IMPORT, |
| 78 | TAG_KEY_DESTRUCTION, |
| 79 | TAG_CERT_AUTHORITY_INSTALLED, |
| 80 | TAG_CERT_AUTHORITY_REMOVED, |
Pavel Grafov | b745540 | 2018-01-30 21:17:08 +0000 | [diff] [blame] | 81 | TAG_CRYPTO_SELF_TEST_COMPLETED, |
Pavel Grafov | f8839ea | 2018-02-06 11:28:52 +0000 | [diff] [blame] | 82 | TAG_KEY_INTEGRITY_VIOLATION, |
| 83 | TAG_CERT_VALIDATION_FAILURE, |
Jeff Sharkey | ce8db99 | 2017-12-13 20:05:05 -0700 | [diff] [blame] | 84 | }) |
| 85 | public @interface SecurityLogTag {} |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 86 | |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 87 | /** @hide */ |
| 88 | @Retention(RetentionPolicy.SOURCE) |
| 89 | @IntDef(prefix = { "LEVEL_" }, value = { |
| 90 | LEVEL_INFO, |
| 91 | LEVEL_WARNING, |
| 92 | LEVEL_ERROR |
| 93 | }) |
| 94 | public @interface SecurityLogLevel {} |
| 95 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 96 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 97 | * Indicates that an ADB interactive shell was opened via "adb shell". |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 98 | * There is no extra payload in the log event. |
| 99 | */ |
| 100 | public static final int TAG_ADB_SHELL_INTERACTIVE = |
| 101 | SecurityLogTags.SECURITY_ADB_SHELL_INTERACTIVE; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 102 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 103 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 104 | * Indicates that a shell command was issued over ADB via {@code adb shell <command>}. |
| 105 | * The log entry contains a {@code String} payload containing the shell command, accessible |
| 106 | * via {@link SecurityEvent#getData()}. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 107 | */ |
| 108 | public static final int TAG_ADB_SHELL_CMD = SecurityLogTags.SECURITY_ADB_SHELL_COMMAND; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 109 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 110 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 111 | * Indicates that a file was pulled from the device via the adb daemon, for example via |
| 112 | * {@code adb pull}. The log entry contains a {@code String} payload containing the path of the |
| 113 | * pulled file on the device, accessible via {@link SecurityEvent#getData()}. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 114 | */ |
| 115 | public static final int TAG_SYNC_RECV_FILE = SecurityLogTags.SECURITY_ADB_SYNC_RECV; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 116 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 117 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 118 | * Indicates that a file was pushed to the device via the adb daemon, for example via |
| 119 | * {@code adb push}. The log entry contains a {@code String} payload containing the destination |
| 120 | * path of the pushed file, accessible via {@link SecurityEvent#getData()}. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 121 | */ |
| 122 | public static final int TAG_SYNC_SEND_FILE = SecurityLogTags.SECURITY_ADB_SYNC_SEND; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 123 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 124 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 125 | * Indicates that an app process was started. The log entry contains the following |
Rubin Xu | 232990d | 2016-02-18 15:55:21 +0000 | [diff] [blame] | 126 | * information about the process encapsulated in an {@link Object} array, accessible via |
| 127 | * {@link SecurityEvent#getData()}: |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 128 | * <li> [0] process name ({@code String}) |
| 129 | * <li> [1] exact start time in milliseconds according to {@code System.currentTimeMillis()} |
| 130 | * ({@code Long}) |
| 131 | * <li> [2] app uid ({@code Integer}) |
| 132 | * <li> [3] app pid ({@code Integer}) |
| 133 | * <li> [4] seinfo tag ({@code String}) |
| 134 | * <li> [5] SHA-256 hash of the base APK in hexadecimal ({@code String}) |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 135 | */ |
| 136 | public static final int TAG_APP_PROCESS_START = SecurityLogTags.SECURITY_APP_PROCESS_START; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 137 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 138 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 139 | * Indicates that keyguard has been dismissed. |
Michal Karpinski | 31502d3 | 2016-01-25 16:43:07 +0000 | [diff] [blame] | 140 | * There is no extra payload in the log event. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 141 | */ |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 142 | public static final int TAG_KEYGUARD_DISMISSED = SecurityLogTags.SECURITY_KEYGUARD_DISMISSED; |
| 143 | |
Michal Karpinski | 31502d3 | 2016-01-25 16:43:07 +0000 | [diff] [blame] | 144 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 145 | * Indicates that there has been an authentication attempt to dismiss the keyguard. The log |
| 146 | * entry contains the following information about the attempt encapsulated in an {@link Object} |
| 147 | * array, accessible via {@link SecurityEvent#getData()}: |
| 148 | * <li> [0] attempt result ({@code Integer}, 1 for successful, 0 for unsuccessful) |
| 149 | * <li> [1] strength of authentication method ({@code Integer}, 1 if strong authentication |
| 150 | * method was used, 0 otherwise) |
Michal Karpinski | 31502d3 | 2016-01-25 16:43:07 +0000 | [diff] [blame] | 151 | */ |
| 152 | public static final int TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT = |
| 153 | SecurityLogTags.SECURITY_KEYGUARD_DISMISS_AUTH_ATTEMPT; |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 154 | |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 155 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 156 | * Indicates that the device has been locked, either by the user or by a timeout. There is no |
| 157 | * extra payload in the log event. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 158 | */ |
Michal Karpinski | 31502d3 | 2016-01-25 16:43:07 +0000 | [diff] [blame] | 159 | public static final int TAG_KEYGUARD_SECURED = SecurityLogTags.SECURITY_KEYGUARD_SECURED; |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 160 | |
| 161 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 162 | * Indicates that the Android OS has started. The log entry contains the following information |
| 163 | * about the startup time software integrity check encapsulated in an {@link Object} array, |
| 164 | * accessible via {@link SecurityEvent#getData()}: |
| 165 | * <li> [0] Verified Boot state ({@code String}) |
| 166 | * <li> [1] dm-verity mode ({@code String}). |
| 167 | * <p>Verified Boot state can be one of the following: |
| 168 | * <li> {@code green} indicates that there is a full chain of trust extending from the |
| 169 | * bootloader to verified partitions including the bootloader, boot partition, and all verified |
| 170 | * partitions. |
| 171 | * <li> {@code yellow} indicates that the boot partition has been verified using the embedded |
| 172 | * certificate and the signature is valid. |
| 173 | * <li> {@code orange} indicates that the device may be freely modified. Device integrity is |
| 174 | * left to the user to verify out-of-band. |
| 175 | * <p>dm-verity mode can be one of the following: |
| 176 | * <li> {@code enforcing} indicates that the device will be restarted when corruption is |
| 177 | * detected. |
| 178 | * <li> {@code eio} indicates that an I/O error will be returned for an attempt to read |
| 179 | * corrupted data blocks. |
| 180 | * For details see Verified Boot documentation. |
| 181 | */ |
| 182 | public static final int TAG_OS_STARTUP = SecurityLogTags.SECURITY_OS_STARTUP; |
| 183 | |
| 184 | /** |
| 185 | * Indicates that the Android OS has shut down. There is no extra payload in the log event. |
| 186 | */ |
| 187 | public static final int TAG_OS_SHUTDOWN = SecurityLogTags.SECURITY_OS_SHUTDOWN; |
| 188 | |
| 189 | /** |
| 190 | * Indicates start-up of audit logging. There is no extra payload in the log event. |
| 191 | */ |
| 192 | public static final int TAG_LOGGING_STARTED = SecurityLogTags.SECURITY_LOGGING_STARTED; |
| 193 | |
| 194 | /** |
| 195 | * Indicates shutdown of audit logging. There is no extra payload in the log event. |
| 196 | */ |
| 197 | public static final int TAG_LOGGING_STOPPED = SecurityLogTags.SECURITY_LOGGING_STOPPED; |
| 198 | |
| 199 | /** |
| 200 | * Indicates that removable media has been mounted on the device. The log entry contains the |
| 201 | * following information about the event, encapsulated in an {@link Object} array and |
| 202 | * accessible via {@link SecurityEvent#getData()}: |
| 203 | * <li> [0] mount point ({@code String}) |
| 204 | * <li> [1] volume label ({@code String}). |
| 205 | */ |
| 206 | public static final int TAG_MEDIA_MOUNT = SecurityLogTags.SECURITY_MEDIA_MOUNTED; |
| 207 | |
| 208 | /** |
| 209 | * Indicates that removable media was unmounted from the device. The log entry contains the |
| 210 | * following information about the event, encapsulated in an {@link Object} array and |
| 211 | * accessible via {@link SecurityEvent#getData()}: |
| 212 | * <li> [0] mount point ({@code String}) |
| 213 | * <li> [1] volume label ({@code String}). |
| 214 | */ |
| 215 | public static final int TAG_MEDIA_UNMOUNT = SecurityLogTags.SECURITY_MEDIA_UNMOUNTED; |
| 216 | |
| 217 | /** |
| 218 | * Indicates that the audit log buffer has reached 90% of its capacity. There is no extra |
| 219 | * payload in the log event. |
| 220 | */ |
| 221 | public static final int TAG_LOG_BUFFER_SIZE_CRITICAL = |
| 222 | SecurityLogTags.SECURITY_LOG_BUFFER_SIZE_CRITICAL; |
| 223 | |
| 224 | /** |
| 225 | * Indicates that an admin has set a password expiration timeout. The log entry contains the |
| 226 | * following information about the event, encapsulated in an {@link Object} array and accessible |
| 227 | * via {@link SecurityEvent#getData()}: |
| 228 | * <li> [0] admin package name ({@code String}) |
| 229 | * <li> [1] admin user ID ({@code Integer}) |
| 230 | * <li> [2] target user ID ({@code Integer}) |
| 231 | * <li> [3] new password expiration timeout in milliseconds ({@code Long}). |
| 232 | * @see DevicePolicyManager#setPasswordExpirationTimeout(ComponentName, long) |
| 233 | */ |
| 234 | public static final int TAG_PASSWORD_EXPIRATION_SET = |
| 235 | SecurityLogTags.SECURITY_PASSWORD_EXPIRATION_SET; |
| 236 | |
| 237 | /** |
| 238 | * Indicates that an admin has set a requirement for password complexity. The log entry contains |
| 239 | * the following information about the event, encapsulated in an {@link Object} array and |
| 240 | * accessible via {@link SecurityEvent#getData()}: |
| 241 | * <li> [0] admin package name ({@code String}) |
| 242 | * <li> [1] admin user ID ({@code Integer}) |
| 243 | * <li> [2] target user ID ({@code Integer}) |
| 244 | * <li> [3] minimum password length ({@code Integer}) |
| 245 | * <li> [4] password quality constraint ({@code Integer}) |
| 246 | * <li> [5] minimum number of letters ({@code Integer}) |
| 247 | * <li> [6] minimum number of non-letters ({@code Integer}) |
| 248 | * <li> [7] minimum number of digits ({@code Integer}) |
| 249 | * <li> [8] minimum number of uppercase letters ({@code Integer}) |
| 250 | * <li> [9] minimum number of lowercase letters ({@code Integer}) |
| 251 | * <li> [10] minimum number of symbols ({@code Integer}) |
| 252 | * |
| 253 | * @see DevicePolicyManager#setPasswordMinimumLength(ComponentName, int) |
| 254 | * @see DevicePolicyManager#setPasswordQuality(ComponentName, int) |
| 255 | * @see DevicePolicyManager#setPasswordMinimumLetters(ComponentName, int) |
| 256 | * @see DevicePolicyManager#setPasswordMinimumNonLetter(ComponentName, int) |
| 257 | * @see DevicePolicyManager#setPasswordMinimumLowerCase(ComponentName, int) |
| 258 | * @see DevicePolicyManager#setPasswordMinimumUpperCase(ComponentName, int) |
| 259 | * @see DevicePolicyManager#setPasswordMinimumNumeric(ComponentName, int) |
| 260 | * @see DevicePolicyManager#setPasswordMinimumSymbols(ComponentName, int) |
| 261 | */ |
| 262 | public static final int TAG_PASSWORD_COMPLEXITY_SET = |
| 263 | SecurityLogTags.SECURITY_PASSWORD_COMPLEXITY_SET; |
| 264 | |
| 265 | /** |
| 266 | * Indicates that an admin has set a password history length. The log entry contains the |
| 267 | * following information about the event encapsulated in an {@link Object} array, accessible |
| 268 | * via {@link SecurityEvent#getData()}: |
| 269 | * <li> [0] admin package name ({@code String}) |
| 270 | * <li> [1] admin user ID ({@code Integer}) |
| 271 | * <li> [2] target user ID ({@code Integer}) |
| 272 | * <li> [3] new password history length value ({@code Integer}) |
| 273 | * @see DevicePolicyManager#setPasswordHistoryLength(ComponentName, int) |
| 274 | */ |
| 275 | public static final int TAG_PASSWORD_HISTORY_LENGTH_SET = |
| 276 | SecurityLogTags.SECURITY_PASSWORD_HISTORY_LENGTH_SET; |
| 277 | |
| 278 | /** |
| 279 | * Indicates that an admin has set a maximum screen lock timeout. The log entry contains the |
| 280 | * following information about the event encapsulated in an {@link Object} array, accessible |
| 281 | * via {@link SecurityEvent#getData()}: |
| 282 | * <li> [0] admin package name ({@code String}) |
| 283 | * <li> [1] admin user ID ({@code Integer}) |
| 284 | * <li> [2] target user ID ({@code Integer}) |
| 285 | * <li> [3] new screen lock timeout in milliseconds ({@code Long}) |
| 286 | * @see DevicePolicyManager#setMaximumTimeToLock(ComponentName, long) |
| 287 | */ |
| 288 | public static final int TAG_MAX_SCREEN_LOCK_TIMEOUT_SET = |
| 289 | SecurityLogTags.SECURITY_MAX_SCREEN_LOCK_TIMEOUT_SET; |
| 290 | |
| 291 | /** |
| 292 | * Indicates that an admin has set a maximum number of failed password attempts before wiping |
| 293 | * data. The log entry contains the following information about the event encapsulated in an |
| 294 | * {@link Object} array, accessible via {@link SecurityEvent#getData()}: |
| 295 | * <li> [0] admin package name ({@code String}) |
| 296 | * <li> [1] admin user ID ({@code Integer}) |
| 297 | * <li> [2] target user ID ({@code Integer}) |
| 298 | * <li> [3] new maximum number of failed password attempts ({@code Integer}) |
Benjamin Miller | edbc4c4 | 2018-02-22 08:49:21 +0000 | [diff] [blame] | 299 | * @see DevicePolicyManager#setMaximumFailedPasswordsForWipe(ComponentName, int) |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 300 | */ |
| 301 | public static final int TAG_MAX_PASSWORD_ATTEMPTS_SET = |
| 302 | SecurityLogTags.SECURITY_MAX_PASSWORD_ATTEMPTS_SET; |
| 303 | |
| 304 | /** |
| 305 | * Indicates that an admin has set disabled keyguard features. The log entry contains the |
| 306 | * following information about the event encapsulated in an {@link Object} array, accessible via |
| 307 | * {@link SecurityEvent#getData()}: |
| 308 | * <li> [0] admin package name ({@code String}) |
| 309 | * <li> [1] admin user ID ({@code Integer}) |
| 310 | * <li> [2] target user ID ({@code Integer}) |
| 311 | * <li> [3] disabled keyguard feature mask ({@code Integer}). |
| 312 | * @see DevicePolicyManager#setKeyguardDisabledFeatures(ComponentName, int) |
| 313 | */ |
| 314 | public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET = |
| 315 | SecurityLogTags.SECURITY_KEYGUARD_DISABLED_FEATURES_SET; |
| 316 | |
| 317 | /** |
| 318 | * Indicates that an admin remotely locked the device or profile. The log entry contains the |
| 319 | * following information about the event encapsulated in an {@link Object} array, accessible via |
| 320 | * {@link SecurityEvent#getData()}: |
| 321 | * <li> [0] admin package name ({@code String}) |
| 322 | * <li> [1] admin user ID ({@code Integer}) |
Pavel Grafov | c6fe1e0 | 2018-02-14 22:05:07 +0000 | [diff] [blame] | 323 | * <li> [2] target user ID ({@code Integer}) |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 324 | */ |
| 325 | public static final int TAG_REMOTE_LOCK = SecurityLogTags.SECURITY_REMOTE_LOCK; |
| 326 | |
| 327 | /** |
| 328 | * Indicates a failure to wipe device or user data. There is no extra payload in the log event. |
| 329 | */ |
| 330 | public static final int TAG_WIPE_FAILURE = SecurityLogTags.SECURITY_WIPE_FAILED; |
| 331 | |
| 332 | /** |
| 333 | * Indicates that an authentication key was generated. The log entry contains the following |
| 334 | * information about the event, encapsulated in an {@link Object} array and accessible via |
| 335 | * {@link SecurityEvent#getData()}: |
| 336 | * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) |
| 337 | * <li> [1] alias of the key ({@code String}) |
| 338 | * <li> [2] requesting process uid ({@code Integer}). |
| 339 | */ |
| 340 | public static final int TAG_KEY_GENERATED = |
| 341 | SecurityLogTags.SECURITY_KEY_GENERATED; |
| 342 | |
| 343 | /** |
| 344 | * Indicates that a cryptographic key was imported. The log entry contains the following |
| 345 | * information about the event, encapsulated in an {@link Object} array and accessible via |
| 346 | * {@link SecurityEvent#getData()}: |
| 347 | * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) |
| 348 | * <li> [1] alias of the key ({@code String}) |
| 349 | * <li> [2] requesting process uid ({@code Integer}). |
| 350 | */ |
| 351 | public static final int TAG_KEY_IMPORT = SecurityLogTags.SECURITY_KEY_IMPORTED; |
| 352 | |
| 353 | /** |
| 354 | * Indicates that a cryptographic key was destroyed. The log entry contains the following |
| 355 | * information about the event, encapsulated in an {@link Object} array and accessible via |
| 356 | * {@link SecurityEvent#getData()}: |
| 357 | * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) |
| 358 | * <li> [1] alias of the key ({@code String}) |
| 359 | * <li> [2] requesting process uid ({@code Integer}). |
| 360 | */ |
| 361 | public static final int TAG_KEY_DESTRUCTION = SecurityLogTags.SECURITY_KEY_DESTROYED; |
| 362 | |
| 363 | /** |
| 364 | * Indicates that a new root certificate has been installed into the system's trusted credential |
| 365 | * storage. The log entry contains the following information about the event, encapsulated in an |
| 366 | * {@link Object} array and accessible via {@link SecurityEvent#getData()}: |
| 367 | * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) |
| 368 | * <li> [1] subject of the certificate ({@code String}). |
| 369 | */ |
| 370 | public static final int TAG_CERT_AUTHORITY_INSTALLED = |
| 371 | SecurityLogTags.SECURITY_CERT_AUTHORITY_INSTALLED; |
| 372 | |
| 373 | /** |
Benjamin Miller | edbc4c4 | 2018-02-22 08:49:21 +0000 | [diff] [blame] | 374 | * Indicates that a root certificate has been removed from the system's trusted credential |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 375 | * storage. The log entry contains the following information about the event, encapsulated in an |
| 376 | * {@link Object} array and accessible via {@link SecurityEvent#getData()}: |
| 377 | * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) |
| 378 | * <li> [1] subject of the certificate ({@code String}). |
| 379 | */ |
| 380 | public static final int TAG_CERT_AUTHORITY_REMOVED = |
| 381 | SecurityLogTags.SECURITY_CERT_AUTHORITY_REMOVED; |
| 382 | |
| 383 | /** |
| 384 | * Indicates that an admin has set a user restriction. The log entry contains the following |
| 385 | * information about the event, encapsulated in an {@link Object} array and accessible via |
| 386 | * {@link SecurityEvent#getData()}: |
| 387 | * <li> [0] admin package name ({@code String}) |
| 388 | * <li> [1] admin user ID ({@code Integer}) |
| 389 | * <li> [2] user restriction ({@code String}) |
| 390 | * @see DevicePolicyManager#addUserRestriction(ComponentName, String) |
| 391 | */ |
| 392 | public static final int TAG_USER_RESTRICTION_ADDED = |
| 393 | SecurityLogTags.SECURITY_USER_RESTRICTION_ADDED; |
| 394 | |
| 395 | /** |
| 396 | * Indicates that an admin has removed a user restriction. The log entry contains the following |
| 397 | * information about the event, encapsulated in an {@link Object} array and accessible via |
| 398 | * {@link SecurityEvent#getData()}: |
| 399 | * <li> [0] admin package name ({@code String}) |
| 400 | * <li> [1] admin user ID ({@code Integer}) |
| 401 | * <li> [2] user restriction ({@code String}) |
| 402 | * @see DevicePolicyManager#clearUserRestriction(ComponentName, String) |
| 403 | */ |
| 404 | public static final int TAG_USER_RESTRICTION_REMOVED = |
| 405 | SecurityLogTags.SECURITY_USER_RESTRICTION_REMOVED; |
| 406 | |
| 407 | /** |
Pavel Grafov | b745540 | 2018-01-30 21:17:08 +0000 | [diff] [blame] | 408 | * Indicates that cryptographic functionality self test has completed. The log entry contains an |
| 409 | * {@code Integer} payload, indicating the result of the test (0 if the test failed, 1 if |
| 410 | * succeeded) and accessible via {@link SecurityEvent#getData()}. |
| 411 | */ |
| 412 | public static final int TAG_CRYPTO_SELF_TEST_COMPLETED = |
| 413 | SecurityLogTags.SECURITY_CRYPTO_SELF_TEST_COMPLETED; |
| 414 | |
| 415 | /** |
Pavel Grafov | f8839ea | 2018-02-06 11:28:52 +0000 | [diff] [blame] | 416 | * Indicates a failed cryptographic key integrity check. The log entry contains the following |
| 417 | * information about the event, encapsulated in an {@link Object} array and accessible via |
| 418 | * {@link SecurityEvent#getData()}: |
| 419 | * <li> [0] alias of the key ({@code String}) |
| 420 | * <li> [1] owner application uid ({@code Integer}). |
| 421 | */ |
| 422 | public static final int TAG_KEY_INTEGRITY_VIOLATION = |
| 423 | SecurityLogTags.SECURITY_KEY_INTEGRITY_VIOLATION; |
| 424 | |
| 425 | /** |
| 426 | * Indicates a failure to validate an X.509v3 certificate. The log entry contains a {@code String} |
| 427 | * payload indicating the failure reason, accessible via {@link SecurityEvent#getData()}. |
| 428 | */ |
| 429 | public static final int TAG_CERT_VALIDATION_FAILURE = |
| 430 | SecurityLogTags.SECURITY_CERT_VALIDATION_FAILURE; |
| 431 | |
| 432 | /** |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 433 | * Event severity level indicating that the event corresponds to normal workflow. |
| 434 | */ |
| 435 | public static final int LEVEL_INFO = 1; |
| 436 | |
| 437 | /** |
| 438 | * Event severity level indicating that the event may require admin attention. |
| 439 | */ |
| 440 | public static final int LEVEL_WARNING = 2; |
| 441 | |
| 442 | /** |
| 443 | * Event severity level indicating that the event requires urgent admin action. |
| 444 | */ |
| 445 | public static final int LEVEL_ERROR = 3; |
| 446 | |
| 447 | /** |
Michal Karpinski | 6235a94 | 2016-03-15 12:07:23 +0000 | [diff] [blame] | 448 | * Returns whether security logging is enabled. Log producers should only write new logs if this is |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 449 | * true. Under the hood this is the logical AND of whether device owner exists and whether |
| 450 | * it enables logging by setting the system property {@link #PROPERTY_LOGGING_ENABLED}. |
| 451 | * @hide |
| 452 | */ |
| 453 | public static native boolean isLoggingEnabled(); |
| 454 | |
| 455 | /** |
| 456 | * @hide |
| 457 | */ |
public static void setLoggingEnabledProperty(boolean enabled) {
    // The switch is stored as the literal text "true" or "false" in the system property
    // named by PROPERTY_LOGGING_ENABLED.
    // NOTE(review): this method performs no caller check of its own; presumably the
    // property write is restricted elsewhere (confirm against the callers).
    final String flag;
    if (enabled) {
        flag = "true";
    } else {
        flag = "false";
    }
    SystemProperties.set(PROPERTY_LOGGING_ENABLED, flag);
}
| 461 | |
| 462 | /** |
| 463 | * @hide |
| 464 | */ |
public static boolean getLoggingEnabledProperty() {
    // Reads the property written by setLoggingEnabledProperty(); false is passed as the
    // fallback value, so an unset property reads as "logging disabled".
    final boolean enabledByProperty =
            SystemProperties.getBoolean(PROPERTY_LOGGING_ENABLED, false);
    return enabledByProperty;
}
| 468 | |
| 469 | /** |
| 470 | * A class representing a security event log entry. |
| 471 | */ |
Jeff Sharkey | 50d1c04 | 2016-02-29 16:34:46 -0700 | [diff] [blame] | 472 | public static final class SecurityEvent implements Parcelable { |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 473 | private Event mEvent; |
Naomi Musgrave | db980f4 | 2017-11-28 10:56:47 +0000 | [diff] [blame] | 474 | private long mId; |
| 475 | |
| 476 | /** |
| 477 | * Constructor used by native classes to generate SecurityEvent instances. |
| 478 | * @hide |
| 479 | */ |
@UnsupportedAppUsage
/* package */ SecurityEvent(byte[] data) {
    // Events built from raw bytes alone start with id 0; setId() can assign a real id later.
    this(0L, data);
}
| 484 | |
| 485 | /** |
| 486 | * Constructor used by Parcelable.Creator to generate SecurityEvent instances. |
| 487 | * @hide |
| 488 | */ |
/* package */ SecurityEvent(Parcel source) {
    // Reads the id (a long) first and the serialized event bytes second; the read order
    // must not change. Presumably this mirrors the order used when the event is written
    // to a Parcel (the writer is not shown here; confirm).
    // NOTE(review): the byte array comes straight from the Parcel and is handed to
    // Event.fromBytes() without a null or length check in this class.
    this(
            source.readLong(),
            source.createByteArray());
}
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 492 | |
| 493 | /** @hide */ |
@TestApi
public SecurityEvent(long id, byte[] data) {
    // Decode the raw event bytes into an EventLog.Event and keep the caller-supplied id.
    this.mEvent = Event.fromBytes(data);
    this.mId = id;
}
| 499 | |
| 500 | /** |
| 501 | * Returns the timestamp in nanoseconds when this event was logged. |
| 502 | */ |
public long getTimeNanos() {
    // The timestamp is taken from the wrapped Event rather than stored on this object.
    final long loggedAtNanos = mEvent.getTimeNanos();
    return loggedAtNanos;
}
| 506 | |
| 507 | /** |
| 508 | * Returns the tag of this log entry, which specifies the entry's semantics. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 509 | */ |
public @SecurityLogTag int getTag() {
    // The tag is read from the wrapped Event and decides how getData() must be interpreted.
    final int tag = mEvent.getTag();
    return tag;
}
| 513 | |
| 514 | /** |
Pavel Grafov | 739cda8 | 2017-02-02 12:41:20 +0000 | [diff] [blame] | 515 | * Returns the payload contained in this log entry or {@code null} if there is no payload. |
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 516 | */ |
public Object getData() {
    // The payload type depends on the tag (see the TAG_* constants): it can be null, a
    // single boxed value or an Object[]. Callers should type-check before casting.
    // Payloads can carry shell command text, file paths and key aliases, so the returned
    // object should be handled as sensitive log data.
    final Object payload = mEvent.getData();
    return payload;
}
| 520 | |
Naomi Musgrave | db980f4 | 2017-11-28 10:56:47 +0000 | [diff] [blame] | 521 | /** |
| 522 | * @hide |
| 523 | */ |
public void setId(long id) {
    // Overwrites the id given at construction time; no ordering or range check is applied.
    mId = id;
}
| 527 | |
| 528 | /** |
| 529 | * Returns the id of the event, where the id monotonically increases for each event. The id |
| 530 | * is reset when the device reboots, and when security logging is enabled. |
| 531 | */ |
public long getId() {
    // The id restarts after a reboot and whenever logging is (re-)enabled, so on its own
    // it does not identify an event across those boundaries; pair it with getTimeNanos()
    // when de-duplicating collected batches.
    return this.mId;
}
| 535 | |
Pavel Grafov | ce72ef0 | 2018-01-10 17:14:11 +0000 | [diff] [blame] | 536 | /** |
| 537 | * Returns severity level for the event. |
| 538 | */ |
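public @SecurityLogLevel int getLogLevel() {
    // Maps the event tag to a severity. Every tag declared in SecurityLogTag is listed
    // explicitly so that the default branch only ever handles tags this class does not know.
    switch (mEvent.getTag()) {
        // Routine activity and policy changes.
        case TAG_ADB_SHELL_INTERACTIVE:
        case TAG_ADB_SHELL_CMD:
        case TAG_SYNC_RECV_FILE:
        case TAG_SYNC_SEND_FILE:
        case TAG_APP_PROCESS_START:
        case TAG_KEYGUARD_DISMISSED:
        case TAG_KEYGUARD_SECURED:
        case TAG_OS_STARTUP:
        case TAG_OS_SHUTDOWN:
        case TAG_LOGGING_STARTED:
        case TAG_LOGGING_STOPPED:
        case TAG_MEDIA_MOUNT:
        case TAG_MEDIA_UNMOUNT:
        case TAG_PASSWORD_EXPIRATION_SET:
        case TAG_PASSWORD_COMPLEXITY_SET:
        case TAG_PASSWORD_HISTORY_LENGTH_SET:
        case TAG_MAX_SCREEN_LOCK_TIMEOUT_SET:
        case TAG_MAX_PASSWORD_ATTEMPTS_SET:
        // The next two were previously covered only by the default branch; the result
        // (LEVEL_INFO) is unchanged.
        case TAG_KEYGUARD_DISABLED_FEATURES_SET:
        case TAG_REMOTE_LOCK:
        case TAG_USER_RESTRICTION_ADDED:
        case TAG_USER_RESTRICTION_REMOVED:
            return LEVEL_INFO;
        // Operations whose failure is an error.
        case TAG_CERT_AUTHORITY_REMOVED:
        case TAG_CRYPTO_SELF_TEST_COMPLETED:
            return getSuccess() ? LEVEL_INFO : LEVEL_ERROR;
        // Operations whose failure is a warning.
        case TAG_CERT_AUTHORITY_INSTALLED:
        case TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT:
        case TAG_KEY_IMPORT:
        case TAG_KEY_DESTRUCTION:
        case TAG_KEY_GENERATED:
            return getSuccess() ? LEVEL_INFO : LEVEL_WARNING;
        // Events that are failures by definition.
        case TAG_LOG_BUFFER_SIZE_CRITICAL:
        case TAG_WIPE_FAILURE:
        case TAG_KEY_INTEGRITY_VIOLATION:
            return LEVEL_ERROR;
        case TAG_CERT_VALIDATION_FAILURE:
            return LEVEL_WARNING;
        default:
            // A tag unknown to this switch is reported as LEVEL_INFO. Consumers that filter
            // on severity should therefore still look at unrecognised tags, and any tag
            // added to SecurityLogTag needs a case here.
            return LEVEL_INFO;
    }
}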
| 581 | |
// Success/failure, if present, is encoded as an Integer in the first (0th) element of the
// payload array; a non-zero value means success. Any other payload shape (no payload, not an
// array, empty array, non-Integer first element) is reported as failure.
private boolean getSuccess() {
    final Object payload = getData();
    // instanceof is false for null, so this also covers an entry without a payload.
    if (!(payload instanceof Object[])) {
        return false;
    }

    final Object[] fields = (Object[]) payload;
    if (fields.length == 0 || !(fields[0] instanceof Integer)) {
        return false;
    }
    return ((Integer) fields[0]).intValue() != 0;
}
| 592 | |
| 593 | |
/**
 * Returns 0: the parcelled form of this event carries no special objects.
 */
@Override
public int describeContents() {
    return 0;
}
| 598 | |
/**
 * Writes this event to {@code dest}: first the id as a long, then the raw bytes of the
 * underlying event as a byte array. The reading side has to consume the fields in the same
 * order (the Parcel constructor is not shown in this part of the file).
 *
 * @param dest the parcel to write to
 * @param flags not used by this implementation
 */
@Override
public void writeToParcel(Parcel dest, int flags) {
    dest.writeLong(mId);
    final byte[] rawEvent = mEvent.getBytes();
    dest.writeByteArray(rawEvent);
}
| 604 | |
/**
 * Rebuilds {@link SecurityEvent} instances from a {@link Parcel} by delegating to the
 * Parcel constructor, which does the actual decoding of the parcelled bytes.
 */
public static final Parcelable.Creator<SecurityEvent> CREATOR =
        new Parcelable.Creator<SecurityEvent>() {
            @Override
            public SecurityEvent createFromParcel(Parcel source) {
                final SecurityEvent event = new SecurityEvent(source);
                return event;
            }

            @Override
            public SecurityEvent[] newArray(int size) {
                return new SecurityEvent[size];
            }
        };
Pavel Grafov | 4ce59d4 | 2017-02-25 19:45:43 +0000 | [diff] [blame] | 617 | |
/**
 * Two events are equal when they are of the same class and both the underlying event and
 * the id match.
 *
 * @hide
 */
@Override
public boolean equals(Object o) {
    if (o == this) {
        return true;
    }
    if (o == null) {
        return false;
    }
    if (o.getClass() != getClass()) {
        return false;
    }
    final SecurityEvent that = (SecurityEvent) o;
    // Compare the underlying event first, then the id, as both take part in hashCode().
    return mEvent.equals(that.mEvent) && mId == that.mId;
}
| 628 | |
/**
 * Hashes the same two fields that {@link #equals(Object)} compares: the underlying event
 * and the id.
 *
 * @hide
 */
@Override
public int hashCode() {
    final int hash = Objects.hash(mEvent, mId);
    return hash;
}
Rubin Xu | 75431fb | 2016-01-07 21:12:14 +0000 | [diff] [blame] | 636 | } |
/**
 * Retrieves all security logs and returns immediately, without waiting for new entries.
 *
 * @param output collection that receives the retrieved events
 * @throws IOException if the logs cannot be read
 * @hide
 */
public static native void readEvents(Collection<SecurityEvent> output) throws IOException;
| 642 | |
/**
 * Retrieves all security logs since the given timestamp and returns immediately.
 *
 * @param timestamp lower bound for the returned entries, in nanoseconds
 * @param output collection that receives the retrieved events
 * @throws IOException if the logs cannot be read
 * @hide
 */
public static native void readEventsSince(long timestamp, Collection<SecurityEvent> output)
        throws IOException;
| 649 | |
/**
 * Retrieves all security logs from before the last reboot.
 *
 * <p>The entries come from pstore, which is unreliable, so the returned data may be
 * corrupted. Callers should treat these events as possibly incomplete or malformed and
 * check payload types before relying on them.
 *
 * @param output collection that receives the retrieved events
 * @throws IOException if the logs cannot be read
 * @hide
 */
public static native void readPreviousEvents(Collection<SecurityEvent> output)
        throws IOException;
| 657 | |
/**
 * Retrieves all security logs whose timestamp is equal to or greater than the given
 * timestamp in nanoseconds.
 *
 * <p>This call blocks. It returns when the last log earlier than the given timestamp is
 * about to be pruned, or when a 2-hour timeout has passed, whichever happens first.
 *
 * @param timestamp inclusive lower bound for the returned entries, in nanoseconds
 * @param output collection that receives the retrieved events
 * @throws IOException if the logs cannot be read
 * @hide
 */
public static native void readEventsOnWrapping(long timestamp, Collection<SecurityEvent> output)
        throws IOException;
| 666 | |
/**
 * Writes a log entry with a single string payload to the underlying storage.
 *
 * <p>NOTE(review): the meaning of the returned int is not documented in this file; confirm
 * it against the native implementation before relying on it to detect a failed write.
 *
 * @param tag the tag of the entry to write
 * @param str the string payload
 * @hide
 */
public static native int writeEvent(int tag, String str);
| 672 | |
/**
 * Writes a log entry with several payloads to the underlying storage.
 *
 * <p>Supported payload types are integer, long, float and string, plus arrays of those
 * supported types.
 *
 * <p>NOTE(review): the meaning of the returned int, and what happens to a payload of an
 * unsupported type, are not documented in this file; confirm against the native
 * implementation.
 *
 * @param tag the tag of the entry to write
 * @param payloads the payload values, each of a supported type
 * @hide
 */
public static native int writeEvent(int tag, Object... payloads);
| 679 | } |