Snap for 4577102 from 5eec4382f2f49f87e3329daabf1db6ebe651e8fc to pi-release

Change-Id: I6799b5fef79712a248ecad3f118a924b43ec4b59
author: android-build-team Robot <android-build-team-robot@google.com> 2018-01-31 17:23:25 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-01-31 17:23:25 +0000
commit: baaddcd7c850985938f6f189ec081576c5b5b67b (patch)
tree: 4fa63a4fbed4a4ceb62528770ed77e550e4ff8e1
parent: e5ffa7781d8d111e3db4763a995d763b7d110005 (diff)
parent: 5eec4382f2f49f87e3329daabf1db6ebe651e8fc (diff)
download: security-baaddcd7c850985938f6f189ec081576c5b5b67b.tar.gz
3 files changed, 40 insertions, 3 deletions
diff --git a/keystore/KeyStore.cpp b/keystore/KeyStore.cpp
index c9ae30fc..0efc4a39 100644
--- a/keystore/KeyStore.cpp
+++ b/keystore/KeyStore.cpp
@@ -28,11 +28,22 @@
 
 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
 #include <android/security/IKeystoreService.h>
+#include <log/log_event_list.h>
+
+#include <private/android_logger.h>
 
 #include "keystore_utils.h"
 #include "permissions.h"
 #include <keystore/keystore_hidl_support.h>
 
+namespace {
+
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_KEY_DESTROYED = 210026;
+
+}  // anonymous namespace
+
 namespace keystore {
 
 const char* KeyStore::kOldMasterKey = ".masterkey";
@@ -381,8 +392,12 @@ ResponseCode KeyStore::del(const char* filename, const BlobType type, uid_t user
         auto ret = KS_HANDLE_HIDL_ERROR(dev->deleteKey(blob2hidlVec(keyBlob)));
 
         // A device doesn't have to implement delete_key.
-        if (ret != ErrorCode::OK && ret != ErrorCode::UNIMPLEMENTED)
-            return ResponseCode::SYSTEM_ERROR;
+        bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
+        if (__android_log_security() && uidAlias.isOk()) {
+            android_log_event_list(SEC_TAG_KEY_DESTROYED)
+                << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
+        }
+        if (!success) return ResponseCode::SYSTEM_ERROR;
     }
 
     rc =
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 96d8f4d3..89c31a54 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -25,12 +25,15 @@
 #include <algorithm>
 #include <sstream>
 
+#include <android-base/scopeguard.h>
 #include <binder/IInterface.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IPermissionController.h>
 #include <binder/IServiceManager.h>
+#include <log/log_event_list.h>
 
 #include <private/android_filesystem_config.h>
+#include <private/android_logger.h>
 
 #include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
 
@@ -61,6 +64,11 @@ constexpr size_t kMaxOperations = 15;
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";
 
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
+constexpr int SEC_TAG_KEY_IMPORTED = 210025;
+
 struct BIGNUM_Delete {
     void operator()(BIGNUM* p) const { BN_free(p); }
 };
@@ -735,6 +743,13 @@ KeyStoreService::generateKey(const String16& name, const KeymasterArguments& par
     // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
     uid_t originalUid = IPCThreadState::self()->getCallingUid();
     uid = getEffectiveUid(uid);
+    auto logOnScopeExit = android::base::make_scope_guard([&] {
+        if (__android_log_security()) {
+            android_log_event_list(SEC_TAG_AUTH_KEY_GENERATED)
+                << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+                << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+        }
+    });
     KeyStoreServiceReturnCode rc =
         checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
     if (!rc.isOk()) {
@@ -950,6 +965,13 @@ KeyStoreService::importKey(const String16& name, const KeymasterArguments& param
                            int32_t* aidl_return) {
 
     uid = getEffectiveUid(uid);
+    auto logOnScopeExit = android::base::make_scope_guard([&] {
+        if (__android_log_security()) {
+            android_log_event_list(SEC_TAG_KEY_IMPORTED)
+                << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+                << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+        }
+    });
     KeyStoreServiceReturnCode rc =
         checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
     if (!rc.isOk()) {
diff --git a/keystore/keystore.rc b/keystore/keystore.rc
index 5dac9377..132039a8 100644
--- a/keystore/keystore.rc
+++ b/keystore/keystore.rc
@@ -1,5 +1,5 @@
 service keystore /system/bin/keystore /data/misc/keystore
     class main
     user keystore
-    group keystore drmrpc readproc
+    group keystore drmrpc readproc log
     writepid /dev/cpuset/foreground/tasks
author	android-build-team Robot <android-build-team-robot@google.com>	2018-01-31 17:23:25 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-01-31 17:23:25 +0000
commit	baaddcd7c850985938f6f189ec081576c5b5b67b (patch)
tree	4fa63a4fbed4a4ceb62528770ed77e550e4ff8e1
parent	e5ffa7781d8d111e3db4763a995d763b7d110005 (diff)
parent	5eec4382f2f49f87e3329daabf1db6ebe651e8fc (diff)
download	security-baaddcd7c850985938f6f189ec081576c5b5b67b.tar.gz