author | android-build-team Robot <android-build-team-robot@google.com> | 2018-01-31 17:23:25 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-01-31 17:23:25 +0000 |
commit | baaddcd7c850985938f6f189ec081576c5b5b67b (patch) | |
tree | 4fa63a4fbed4a4ceb62528770ed77e550e4ff8e1 | |
parent | e5ffa7781d8d111e3db4763a995d763b7d110005 (diff) | |
parent | 5eec4382f2f49f87e3329daabf1db6ebe651e8fc (diff) | |
download | security-baaddcd7c850985938f6f189ec081576c5b5b67b.tar.gz |
Snap for 4577102 from 5eec4382f2f49f87e3329daabf1db6ebe651e8fc to pi-release
Change-Id: I6799b5fef79712a248ecad3f118a924b43ec4b59
-rw-r--r-- | keystore/KeyStore.cpp | 19 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 22 | ||||
-rw-r--r-- | keystore/keystore.rc | 2 |
3 files changed, 40 insertions, 3 deletions
diff --git a/keystore/KeyStore.cpp b/keystore/KeyStore.cpp
index c9ae30fc..0efc4a39 100644
--- a/keystore/KeyStore.cpp
+++ b/keystore/KeyStore.cpp
@@ -28,11 +28,22 @@
 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
 #include <android/security/IKeystoreService.h>
+#include <log/log_event_list.h>
+
+#include <private/android_logger.h>
 #include "keystore_utils.h"
 #include "permissions.h"
 #include <keystore/keystore_hidl_support.h>
+namespace {
+
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_KEY_DESTROYED = 210026;
+
+} // anonymous namespace
+
 namespace keystore {
 const char* KeyStore::kOldMasterKey = ".masterkey";
@@ -381,8 +392,12 @@ ResponseCode KeyStore::del(const char* filename, const BlobType type, uid_t user
 auto ret = KS_HANDLE_HIDL_ERROR(dev->deleteKey(blob2hidlVec(keyBlob)));
 // A device doesn't have to implement delete_key.
- if (ret != ErrorCode::OK && ret != ErrorCode::UNIMPLEMENTED)
- return ResponseCode::SYSTEM_ERROR;
+ bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
+ if (__android_log_security() && uidAlias.isOk()) {
+ android_log_event_list(SEC_TAG_KEY_DESTROYED)
+ << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ if (!success) return ResponseCode::SYSTEM_ERROR;
 }
 rc =
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 96d8f4d3..89c31a54 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
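Review bot: The KEY_DESTROYED event in KeyStore::del records success=1 when the HAL returns `ErrorCode::UNIMPLEMENTED`, so the audit trail reports a destroyed key on devices where keymaster never deleted it. The event is also written before the `rc =` step that follows the block, so a later failure there is not reflected in the logged flag. When `uidAlias.isOk()` is false the event is skipped entirely, which leaves that deletion with no audit record. I would at least document the meaning above the log call, e.g. `// success: keymaster deleteKey returned OK or UNIMPLEMENTED; the result of the blob removal below is not covered`, and consider emitting the event once the final `rc` is known. The body of del starts and ends outside the hunk, so the enclosing condition is not visible here.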
@@ -25,12 +25,15 @@
 #include <algorithm>
 #include <sstream>
+#include <android-base/scopeguard.h>
 #include <binder/IInterface.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IPermissionController.h>
 #include <binder/IServiceManager.h>
+#include <log/log_event_list.h>
 #include <private/android_filesystem_config.h>
+#include <private/android_logger.h>
 #include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
@@ -61,6 +64,11 @@ constexpr size_t kMaxOperations = 15;
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
+constexpr int SEC_TAG_KEY_IMPORTED = 210025;
+
 struct BIGNUM_Delete {
 void operator()(BIGNUM* p) const { BN_free(p); }
 };
@@ -735,6 +743,13 @@ KeyStoreService::generateKey(const String16& name, const KeymasterArguments& par
 // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
 uid_t originalUid = IPCThreadState::self()->getCallingUid();
 uid = getEffectiveUid(uid);
+ auto logOnScopeExit = android::base::make_scope_guard([&] {
+ if (__android_log_security()) {
+ android_log_event_list(SEC_TAG_AUTH_KEY_GENERATED)
+ << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+ << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ });
 KeyStoreServiceReturnCode rc = checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
 if (!rc.isOk()) {
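Review bot: The scope guard in generateKey dereferences `*aidl_return` on every exit path, so the logged success flag is only meaningful if each return has already stored a response code. The early `if (!rc.isOk())` branch and the later returns are outside the hunk, so that cannot be confirmed from here. Writing a failure default before the guard, `*aidl_return = static_cast<int32_t>(ResponseCode::SYSTEM_ERROR);`, would make the logged value well defined on all paths. Because the guard is installed before `checkBinderPermissionAndKeystoreState`, a denied call also records the caller-supplied `name` in the security log; a short comment stating that failed attempts are logged on purpose, and that `name` is untrusted input, would help the next reader. Both points apply equally to the importKey hunk at -950.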
@@ -950,6 +965,13 @@ KeyStoreService::importKey(const String16& name, const KeymasterArguments& param
 int32_t* aidl_return) {
 uid = getEffectiveUid(uid);
+ auto logOnScopeExit = android::base::make_scope_guard([&] {
+ if (__android_log_security()) {
+ android_log_event_list(SEC_TAG_KEY_IMPORTED)
+ << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+ << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ });
 KeyStoreServiceReturnCode rc = checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
 if (!rc.isOk()) {
diff --git a/keystore/keystore.rc b/keystore/keystore.rc
index 5dac9377..132039a8 100644
--- a/keystore/keystore.rc
+++ b/keystore/keystore.rc
@@ -1,5 +1,5 @@
 service keystore /system/bin/keystore /data/misc/keystore
 class main
 user keystore
- group keystore drmrpc readproc
+ group keystore drmrpc readproc log
 writepid /dev/cpuset/foreground/tasks |
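Review bot: The new `log` supplementary group on the `group` line of keystore.rc is not explained, and it widens what the keystore daemon is allowed to do. It is presumably there so the process may write the new `LOG_ID_SECURITY` events, but membership in `log` is, as far as I know, also what permits reading log buffers, so the service gains more than write access. A comment above the line, such as `# log: required to write security-log audit events (key generated/imported/destroyed)`, would record the reason for the next privilege review.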