1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.app.admin; 18 19 import android.annotation.IntDef; 20 import android.annotation.TestApi; 21 import android.compat.annotation.UnsupportedAppUsage; 22 import android.content.ComponentName; 23 import android.os.Parcel; 24 import android.os.Parcelable; 25 import android.os.SystemProperties; 26 import android.os.UserHandle; 27 import android.util.EventLog.Event; 28 29 import java.io.IOException; 30 import java.lang.annotation.Retention; 31 import java.lang.annotation.RetentionPolicy; 32 import java.util.ArrayList; 33 import java.util.Collection; 34 import java.util.Objects; 35 36 /** 37 * Definitions for working with security logs. 38 * 39 * <p>Device owner apps can control the logging with 40 * {@link DevicePolicyManager#setSecurityLoggingEnabled}. When security logs are enabled, device 41 * owner apps receive periodic callbacks from {@link DeviceAdminReceiver#onSecurityLogsAvailable}, 42 * at which time new batch of logs can be collected via 43 * {@link DevicePolicyManager#retrieveSecurityLogs}. {@link SecurityEvent} describes the type and 44 * format of security logs being collected. 45 */ 46 public class SecurityLog { 47 48 private static final String PROPERTY_LOGGING_ENABLED = "persist.logd.security"; 49 50 /** @hide */ 51 @Retention(RetentionPolicy.SOURCE) 52 @IntDef(prefix = { "TAG_" }, value = { 53 TAG_ADB_SHELL_INTERACTIVE, 54 TAG_ADB_SHELL_CMD, 55 TAG_SYNC_RECV_FILE, 56 TAG_SYNC_SEND_FILE, 57 TAG_APP_PROCESS_START, 58 TAG_KEYGUARD_DISMISSED, 59 TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT, 60 TAG_KEYGUARD_SECURED, 61 TAG_OS_STARTUP, 62 TAG_OS_SHUTDOWN, 63 TAG_LOGGING_STARTED, 64 TAG_LOGGING_STOPPED, 65 TAG_MEDIA_MOUNT, 66 TAG_MEDIA_UNMOUNT, 67 TAG_LOG_BUFFER_SIZE_CRITICAL, 68 TAG_PASSWORD_EXPIRATION_SET, 69 TAG_PASSWORD_COMPLEXITY_SET, 70 TAG_PASSWORD_HISTORY_LENGTH_SET, 71 TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, 72 TAG_MAX_PASSWORD_ATTEMPTS_SET, 73 TAG_KEYGUARD_DISABLED_FEATURES_SET, 74 TAG_REMOTE_LOCK, 75 TAG_USER_RESTRICTION_ADDED, 76 TAG_USER_RESTRICTION_REMOVED, 77 TAG_WIPE_FAILURE, 78 TAG_KEY_GENERATED, 79 TAG_KEY_IMPORT, 80 TAG_KEY_DESTRUCTION, 81 TAG_CERT_AUTHORITY_INSTALLED, 82 TAG_CERT_AUTHORITY_REMOVED, 83 TAG_CRYPTO_SELF_TEST_COMPLETED, 84 TAG_KEY_INTEGRITY_VIOLATION, 85 TAG_CERT_VALIDATION_FAILURE, 86 TAG_CAMERA_POLICY_SET 87 }) 88 public @interface SecurityLogTag {} 89 90 /** @hide */ 91 @Retention(RetentionPolicy.SOURCE) 92 @IntDef(prefix = { "LEVEL_" }, value = { 93 LEVEL_INFO, 94 LEVEL_WARNING, 95 LEVEL_ERROR 96 }) 97 public @interface SecurityLogLevel {} 98 99 /** 100 * Indicates that an ADB interactive shell was opened via "adb shell". 101 * There is no extra payload in the log event. 102 */ 103 public static final int TAG_ADB_SHELL_INTERACTIVE = 104 SecurityLogTags.SECURITY_ADB_SHELL_INTERACTIVE; 105 106 /** 107 * Indicates that a shell command was issued over ADB via {@code adb shell <command>} 108 * The log entry contains a {@code String} payload containing the shell command, accessible 109 * via {@link SecurityEvent#getData()}. If security logging is enabled on organization-owned 110 * managed profile devices, the shell command will be redacted to an empty string. 111 */ 112 public static final int TAG_ADB_SHELL_CMD = SecurityLogTags.SECURITY_ADB_SHELL_COMMAND; 113 114 /** 115 * Indicates that a file was pulled from the device via the adb daemon, for example via 116 * {@code adb pull}. The log entry contains a {@code String} payload containing the path of the 117 * pulled file on the device, accessible via {@link SecurityEvent#getData()}. 118 */ 119 public static final int TAG_SYNC_RECV_FILE = SecurityLogTags.SECURITY_ADB_SYNC_RECV; 120 121 /** 122 * Indicates that a file was pushed to the device via the adb daemon, for example via 123 * {@code adb push}. The log entry contains a {@code String} payload containing the destination 124 * path of the pushed file, accessible via {@link SecurityEvent#getData()}. 125 */ 126 public static final int TAG_SYNC_SEND_FILE = SecurityLogTags.SECURITY_ADB_SYNC_SEND; 127 128 /** 129 * Indicates that an app process was started. The log entry contains the following 130 * information about the process encapsulated in an {@link Object} array, accessible via 131 * {@link SecurityEvent#getData()}: 132 * <li> [0] process name ({@code String}) 133 * <li> [1] exact start time in milliseconds according to {@code System.currentTimeMillis()} 134 * ({@code Long}) 135 * <li> [2] app uid ({@code Integer}) 136 * <li> [3] app pid ({@code Integer}) 137 * <li> [4] seinfo tag ({@code String}) 138 * <li> [5] SHA-256 hash of the base APK in hexadecimal ({@code String}) 139 * If security logging is enabled on organization-owned managed profile devices, only events 140 * happening inside the managed profile will be visible. 141 */ 142 public static final int TAG_APP_PROCESS_START = SecurityLogTags.SECURITY_APP_PROCESS_START; 143 144 /** 145 * Indicates that keyguard has been dismissed. This event is only logged if the device 146 * has a secure keyguard. It is logged regardless of how keyguard is dismissed, including 147 * via PIN/pattern/password, biometrics or via a trust agent. 148 * There is no extra payload in the log event. 149 * @see #TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT 150 */ 151 public static final int TAG_KEYGUARD_DISMISSED = SecurityLogTags.SECURITY_KEYGUARD_DISMISSED; 152 153 /** 154 * Indicates that there has been an authentication attempt to dismiss the keyguard. The log 155 * entry contains the following information about the attempt encapsulated in an {@link Object} 156 * array, accessible via {@link SecurityEvent#getData()}: 157 * <li> [0] attempt result ({@code Integer}, 1 for successful, 0 for unsuccessful) 158 * <li> [1] strength of authentication method ({@code Integer}, 1 if strong authentication 159 * method was used, 0 otherwise) 160 */ 161 public static final int TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT = 162 SecurityLogTags.SECURITY_KEYGUARD_DISMISS_AUTH_ATTEMPT; 163 164 /** 165 * Indicates that the device has been locked, either by the user or by a timeout. There is no 166 * extra payload in the log event. 167 */ 168 public static final int TAG_KEYGUARD_SECURED = SecurityLogTags.SECURITY_KEYGUARD_SECURED; 169 170 /** 171 * Indicates that the Android OS has started. The log entry contains the following information 172 * about the startup time software integrity check encapsulated in an {@link Object} array, 173 * accessible via {@link SecurityEvent#getData()}: 174 * <li> [0] Verified Boot state ({@code String}) 175 * <li> [1] dm-verity mode ({@code String}). 176 * <p>Verified Boot state can be one of the following: 177 * <li> {@code green} indicates that there is a full chain of trust extending from the 178 * bootloader to verified partitions including the bootloader, boot partition, and all verified 179 * partitions. 180 * <li> {@code yellow} indicates that the boot partition has been verified using the embedded 181 * certificate and the signature is valid. 182 * <li> {@code orange} indicates that the device may be freely modified. Device integrity is 183 * left to the user to verify out-of-band. 184 * <p>dm-verity mode can be one of the following: 185 * <li> {@code enforcing} indicates that the device will be restarted when corruption is 186 * detected. 187 * <li> {@code eio} indicates that an I/O error will be returned for an attempt to read 188 * corrupted data blocks. 189 * For details see Verified Boot documentation. 190 */ 191 public static final int TAG_OS_STARTUP = SecurityLogTags.SECURITY_OS_STARTUP; 192 193 /** 194 * Indicates that the Android OS has shutdown. There is no extra payload in the log event. 195 */ 196 public static final int TAG_OS_SHUTDOWN = SecurityLogTags.SECURITY_OS_SHUTDOWN; 197 198 /** 199 * Indicates start-up of audit logging. There is no extra payload in the log event. 200 */ 201 public static final int TAG_LOGGING_STARTED = SecurityLogTags.SECURITY_LOGGING_STARTED; 202 203 /** 204 * Indicates shutdown of audit logging. There is no extra payload in the log event. 205 */ 206 public static final int TAG_LOGGING_STOPPED = SecurityLogTags.SECURITY_LOGGING_STOPPED; 207 208 /** 209 * Indicates that removable media has been mounted on the device. The log entry contains the 210 * following information about the event, encapsulated in an {@link Object} array and 211 * accessible via {@link SecurityEvent#getData()}: 212 * <li> [0] mount point ({@code String}) 213 * <li> [1] volume label ({@code String}). Redacted to empty string on organization-owned 214 * managed profile devices. 215 */ 216 public static final int TAG_MEDIA_MOUNT = SecurityLogTags.SECURITY_MEDIA_MOUNTED; 217 218 /** 219 * Indicates that removable media was unmounted from the device. The log entry contains the 220 * following information about the event, encapsulated in an {@link Object} array and 221 * accessible via {@link SecurityEvent#getData()}: 222 * <li> [0] mount point ({@code String}) 223 * <li> [1] volume label ({@code String}). Redacted to empty string on organization-owned 224 * managed profile devices. 225 */ 226 public static final int TAG_MEDIA_UNMOUNT = SecurityLogTags.SECURITY_MEDIA_UNMOUNTED; 227 228 /** 229 * Indicates that the audit log buffer has reached 90% of its capacity. There is no extra 230 * payload in the log event. 231 */ 232 public static final int TAG_LOG_BUFFER_SIZE_CRITICAL = 233 SecurityLogTags.SECURITY_LOG_BUFFER_SIZE_CRITICAL; 234 235 /** 236 * Indicates that an admin has set a password expiration timeout. The log entry contains the 237 * following information about the event, encapsulated in an {@link Object} array and accessible 238 * via {@link SecurityEvent#getData()}: 239 * <li> [0] admin package name ({@code String}) 240 * <li> [1] admin user ID ({@code Integer}) 241 * <li> [2] target user ID ({@code Integer}) 242 * <li> [3] new password expiration timeout in milliseconds ({@code Long}). 243 * @see DevicePolicyManager#setPasswordExpirationTimeout(ComponentName, long) 244 */ 245 public static final int TAG_PASSWORD_EXPIRATION_SET = 246 SecurityLogTags.SECURITY_PASSWORD_EXPIRATION_SET; 247 248 /** 249 * Indicates that an admin has set a requirement for password complexity. The log entry contains 250 * the following information about the event, encapsulated in an {@link Object} array and 251 * accessible via {@link SecurityEvent#getData()}: 252 * <li> [0] admin package name ({@code String}) 253 * <li> [1] admin user ID ({@code Integer}) 254 * <li> [2] target user ID ({@code Integer}) 255 * <li> [3] minimum password length ({@code Integer}) 256 * <li> [4] password quality constraint ({@code Integer}) 257 * <li> [5] minimum number of letters ({@code Integer}) 258 * <li> [6] minimum number of non-letters ({@code Integer}) 259 * <li> [7] minimum number of digits ({@code Integer}) 260 * <li> [8] minimum number of uppercase letters ({@code Integer}) 261 * <li> [9] minimum number of lowercase letters ({@code Integer}) 262 * <li> [10] minimum number of symbols ({@code Integer}) 263 * 264 * @see DevicePolicyManager#setPasswordMinimumLength(ComponentName, int) 265 * @see DevicePolicyManager#setPasswordQuality(ComponentName, int) 266 * @see DevicePolicyManager#setPasswordMinimumLetters(ComponentName, int) 267 * @see DevicePolicyManager#setPasswordMinimumNonLetter(ComponentName, int) 268 * @see DevicePolicyManager#setPasswordMinimumLowerCase(ComponentName, int) 269 * @see DevicePolicyManager#setPasswordMinimumUpperCase(ComponentName, int) 270 * @see DevicePolicyManager#setPasswordMinimumNumeric(ComponentName, int) 271 * @see DevicePolicyManager#setPasswordMinimumSymbols(ComponentName, int) 272 */ 273 public static final int TAG_PASSWORD_COMPLEXITY_SET = 274 SecurityLogTags.SECURITY_PASSWORD_COMPLEXITY_SET; 275 276 /** 277 * Indicates that an admin has set a password history length. The log entry contains the 278 * following information about the event encapsulated in an {@link Object} array, accessible 279 * via {@link SecurityEvent#getData()}: 280 * <li> [0] admin package name ({@code String}) 281 * <li> [1] admin user ID ({@code Integer}) 282 * <li> [2] target user ID ({@code Integer}) 283 * <li> [3] new password history length value ({@code Integer}) 284 * @see DevicePolicyManager#setPasswordHistoryLength(ComponentName, int) 285 */ 286 public static final int TAG_PASSWORD_HISTORY_LENGTH_SET = 287 SecurityLogTags.SECURITY_PASSWORD_HISTORY_LENGTH_SET; 288 289 /** 290 * Indicates that an admin has set a maximum screen lock timeout. The log entry contains the 291 * following information about the event encapsulated in an {@link Object} array, accessible 292 * via {@link SecurityEvent#getData()}: 293 * <li> [0] admin package name ({@code String}) 294 * <li> [1] admin user ID ({@code Integer}) 295 * <li> [2] target user ID ({@code Integer}) 296 * <li> [3] new screen lock timeout in milliseconds ({@code Long}) 297 * @see DevicePolicyManager#setMaximumTimeToLock(ComponentName, long) 298 */ 299 public static final int TAG_MAX_SCREEN_LOCK_TIMEOUT_SET = 300 SecurityLogTags.SECURITY_MAX_SCREEN_LOCK_TIMEOUT_SET; 301 302 /** 303 * Indicates that an admin has set a maximum number of failed password attempts before wiping 304 * data. The log entry contains the following information about the event encapsulated in an 305 * {@link Object} array, accessible via {@link SecurityEvent#getData()}: 306 * <li> [0] admin package name ({@code String}) 307 * <li> [1] admin user ID ({@code Integer}) 308 * <li> [2] target user ID ({@code Integer}) 309 * <li> [3] new maximum number of failed password attempts ({@code Integer}) 310 * @see DevicePolicyManager#setMaximumFailedPasswordsForWipe(ComponentName, int) 311 */ 312 public static final int TAG_MAX_PASSWORD_ATTEMPTS_SET = 313 SecurityLogTags.SECURITY_MAX_PASSWORD_ATTEMPTS_SET; 314 315 /** 316 * Indicates that an admin has set disabled keyguard features. The log entry contains the 317 * following information about the event encapsulated in an {@link Object} array, accessible via 318 * {@link SecurityEvent#getData()}: 319 * <li> [0] admin package name ({@code String}) 320 * <li> [1] admin user ID ({@code Integer}) 321 * <li> [2] target user ID ({@code Integer}) 322 * <li> [3] disabled keyguard feature mask ({@code Integer}). 323 * @see DevicePolicyManager#setKeyguardDisabledFeatures(ComponentName, int) 324 */ 325 public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET = 326 SecurityLogTags.SECURITY_KEYGUARD_DISABLED_FEATURES_SET; 327 328 /** 329 * Indicates that an admin remotely locked the device or profile. The log entry contains the 330 * following information about the event encapsulated in an {@link Object} array, accessible via 331 * {@link SecurityEvent#getData()}: 332 * <li> [0] admin package name ({@code String}), 333 * <li> [1] admin user ID ({@code Integer}). 334 * <li> [2] target user ID ({@code Integer}) 335 */ 336 public static final int TAG_REMOTE_LOCK = SecurityLogTags.SECURITY_REMOTE_LOCK; 337 338 /** 339 * Indicates a failure to wipe device or user data. There is no extra payload in the log event. 340 */ 341 public static final int TAG_WIPE_FAILURE = SecurityLogTags.SECURITY_WIPE_FAILED; 342 343 /** 344 * Indicates that an authentication key was generated. The log entry contains the following 345 * information about the event, encapsulated in an {@link Object} array and accessible via 346 * {@link SecurityEvent#getData()}: 347 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 348 * <li> [1] alias of the key ({@code String}) 349 * <li> [2] requesting process uid ({@code Integer}). 350 * 351 * If security logging is enabled on organization-owned managed profile devices, only events 352 * happening inside the managed profile will be visible. 353 */ 354 public static final int TAG_KEY_GENERATED = 355 SecurityLogTags.SECURITY_KEY_GENERATED; 356 357 /** 358 * Indicates that a cryptographic key was imported. The log entry contains the following 359 * information about the event, encapsulated in an {@link Object} array and accessible via 360 * {@link SecurityEvent#getData()}: 361 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 362 * <li> [1] alias of the key ({@code String}) 363 * <li> [2] requesting process uid ({@code Integer}). 364 * 365 * If security logging is enabled on organization-owned managed profile devices, only events 366 * happening inside the managed profile will be visible. 367 */ 368 public static final int TAG_KEY_IMPORT = SecurityLogTags.SECURITY_KEY_IMPORTED; 369 370 /** 371 * Indicates that a cryptographic key was destroyed. The log entry contains the following 372 * information about the event, encapsulated in an {@link Object} array and accessible via 373 * {@link SecurityEvent#getData()}: 374 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 375 * <li> [1] alias of the key ({@code String}) 376 * <li> [2] requesting process uid ({@code Integer}). 377 * 378 * If security logging is enabled on organization-owned managed profile devices, only events 379 * happening inside the managed profile will be visible. 380 */ 381 public static final int TAG_KEY_DESTRUCTION = SecurityLogTags.SECURITY_KEY_DESTROYED; 382 383 /** 384 * Indicates that a new root certificate has been installed into system's trusted credential 385 * storage. The log entry contains the following information about the event, encapsulated in an 386 * {@link Object} array and accessible via {@link SecurityEvent#getData()}: 387 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 388 * <li> [1] subject of the certificate ({@code String}). 389 * <li> [2] which user the certificate is installed for ({@code Integer}), only available from 390 * version {@link android.os.Build.VERSION_CODES#R}. 391 * 392 * If security logging is enabled on organization-owned managed profile devices, only events 393 * happening inside the managed profile will be visible. 394 */ 395 public static final int TAG_CERT_AUTHORITY_INSTALLED = 396 SecurityLogTags.SECURITY_CERT_AUTHORITY_INSTALLED; 397 398 /** 399 * Indicates that a new root certificate has been removed from system's trusted credential 400 * storage. The log entry contains the following information about the event, encapsulated in an 401 * {@link Object} array and accessible via {@link SecurityEvent#getData()}: 402 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 403 * <li> [1] subject of the certificate ({@code String}). 404 * <li> [2] which user the certificate is removed from ({@code Integer}), only available from 405 * version {@link android.os.Build.VERSION_CODES#R}. 406 * 407 * If security logging is enabled on organization-owned managed profile devices, only events 408 * happening inside the managed profile will be visible. 409 */ 410 public static final int TAG_CERT_AUTHORITY_REMOVED = 411 SecurityLogTags.SECURITY_CERT_AUTHORITY_REMOVED; 412 413 /** 414 * Indicates that an admin has set a user restriction. The log entry contains the following 415 * information about the event, encapsulated in an {@link Object} array and accessible via 416 * {@link SecurityEvent#getData()}: 417 * <li> [0] admin package name ({@code String}) 418 * <li> [1] admin user ID ({@code Integer}) 419 * <li> [2] user restriction ({@code String}) 420 * @see DevicePolicyManager#addUserRestriction(ComponentName, String) 421 */ 422 public static final int TAG_USER_RESTRICTION_ADDED = 423 SecurityLogTags.SECURITY_USER_RESTRICTION_ADDED; 424 425 /** 426 * Indicates that an admin has removed a user restriction. The log entry contains the following 427 * information about the event, encapsulated in an {@link Object} array and accessible via 428 * {@link SecurityEvent#getData()}: 429 * <li> [0] admin package name ({@code String}) 430 * <li> [1] admin user ID ({@code Integer}) 431 * <li> [2] user restriction ({@code String}) 432 * @see DevicePolicyManager#clearUserRestriction(ComponentName, String) 433 */ 434 public static final int TAG_USER_RESTRICTION_REMOVED = 435 SecurityLogTags.SECURITY_USER_RESTRICTION_REMOVED; 436 437 /** 438 * Indicates that cryptographic functionality self test has completed. The log entry contains an 439 * {@code Integer} payload, indicating the result of the test (0 if the test failed, 1 if 440 * succeeded) and accessible via {@link SecurityEvent#getData()}. 441 */ 442 public static final int TAG_CRYPTO_SELF_TEST_COMPLETED = 443 SecurityLogTags.SECURITY_CRYPTO_SELF_TEST_COMPLETED; 444 445 /** 446 * Indicates a failed cryptographic key integrity check. The log entry contains the following 447 * information about the event, encapsulated in an {@link Object} array and accessible via 448 * {@link SecurityEvent#getData()}: 449 * <li> [0] alias of the key ({@code String}) 450 * <li> [1] owner application uid ({@code Integer}). 451 * 452 * If security logging is enabled on organization-owned managed profile devices, only events 453 * happening inside the managed profile will be visible. 454 */ 455 public static final int TAG_KEY_INTEGRITY_VIOLATION = 456 SecurityLogTags.SECURITY_KEY_INTEGRITY_VIOLATION; 457 458 /** 459 * Indicates a failure to validate X.509v3 certificate. The log entry contains a {@code String} 460 * payload indicating the failure reason, accessible via {@link SecurityEvent#getData()}. 461 */ 462 public static final int TAG_CERT_VALIDATION_FAILURE = 463 SecurityLogTags.SECURITY_CERT_VALIDATION_FAILURE; 464 465 /** 466 * Indicates that the admin has set policy to disable camera. 467 * The log entry contains the following information about the event, encapsulated in an 468 * {@link Object} array and accessible via {@link SecurityEvent#getData()}: 469 * <li> [0] admin package name ({@code String}) 470 * <li> [1] admin user ID ({@code Integer}) 471 * <li> [2] target user ID ({@code Integer}) 472 * <li> [3] whether the camera is disabled or not ({@code Integer}, 1 if it's disabled, 473 * 0 if enabled) 474 */ 475 public static final int TAG_CAMERA_POLICY_SET = 476 SecurityLogTags.SECURITY_CAMERA_POLICY_SET; 477 478 /** 479 * Event severity level indicating that the event corresponds to normal workflow. 480 */ 481 public static final int LEVEL_INFO = 1; 482 483 /** 484 * Event severity level indicating that the event may require admin attention. 485 */ 486 public static final int LEVEL_WARNING = 2; 487 488 /** 489 * Event severity level indicating that the event requires urgent admin action. 490 */ 491 public static final int LEVEL_ERROR = 3; 492 493 /** 494 * Returns if security logging is enabled. Log producers should only write new logs if this is 495 * true. Under the hood this is the logical AND of whether device owner exists and whether 496 * it enables logging by setting the system property {@link #PROPERTY_LOGGING_ENABLED}. 497 * @hide 498 */ isLoggingEnabled()499 public static native boolean isLoggingEnabled(); 500 501 /** 502 * @hide 503 */ setLoggingEnabledProperty(boolean enabled)504 public static void setLoggingEnabledProperty(boolean enabled) { 505 SystemProperties.set(PROPERTY_LOGGING_ENABLED, enabled ? "true" : "false"); 506 } 507 508 /** 509 * @hide 510 */ getLoggingEnabledProperty()511 public static boolean getLoggingEnabledProperty() { 512 return SystemProperties.getBoolean(PROPERTY_LOGGING_ENABLED, false); 513 } 514 515 /** 516 * A class representing a security event log entry. 517 */ 518 public static final class SecurityEvent implements Parcelable { 519 private Event mEvent; 520 private long mId; 521 522 /** 523 * Constructor used by native classes to generate SecurityEvent instances. 524 * @hide 525 */ 526 @UnsupportedAppUsage SecurityEvent(byte[] data)527 /* package */ SecurityEvent(byte[] data) { 528 this(0, data); 529 } 530 531 /** 532 * Constructor used by Parcelable.Creator to generate SecurityEvent instances. 533 * @hide 534 */ SecurityEvent(Parcel source)535 /* package */ SecurityEvent(Parcel source) { 536 this(source.readLong(), source.createByteArray()); 537 } 538 539 /** @hide */ 540 @TestApi SecurityEvent(long id, byte[] data)541 public SecurityEvent(long id, byte[] data) { 542 mId = id; 543 mEvent = Event.fromBytes(data); 544 } 545 546 /** 547 * Returns the timestamp in nano seconds when this event was logged. 548 */ getTimeNanos()549 public long getTimeNanos() { 550 return mEvent.getTimeNanos(); 551 } 552 553 /** 554 * Returns the tag of this log entry, which specifies entry's semantics. 555 */ getTag()556 public @SecurityLogTag int getTag() { 557 return mEvent.getTag(); 558 } 559 560 /** 561 * Returns the payload contained in this log entry or {@code null} if there is no payload. 562 */ getData()563 public Object getData() { 564 return mEvent.getData(); 565 } 566 567 /** @hide */ getIntegerData(int index)568 public int getIntegerData(int index) { 569 return (Integer) ((Object[]) mEvent.getData())[index]; 570 } 571 572 /** @hide */ getStringData(int index)573 public String getStringData(int index) { 574 return (String) ((Object[]) mEvent.getData())[index]; 575 } 576 577 /** 578 * @hide 579 */ setId(long id)580 public void setId(long id) { 581 this.mId = id; 582 } 583 584 /** 585 * Returns the id of the event, where the id monotonically increases for each event. The id 586 * is reset when the device reboots, and when security logging is enabled. 587 */ getId()588 public long getId() { 589 return mId; 590 } 591 592 /** 593 * Returns severity level for the event. 594 */ getLogLevel()595 public @SecurityLogLevel int getLogLevel() { 596 switch (getTag()) { 597 case TAG_ADB_SHELL_INTERACTIVE: 598 case TAG_ADB_SHELL_CMD: 599 case TAG_SYNC_RECV_FILE: 600 case TAG_SYNC_SEND_FILE: 601 case TAG_APP_PROCESS_START: 602 case TAG_KEYGUARD_DISMISSED: 603 case TAG_KEYGUARD_SECURED: 604 case TAG_OS_STARTUP: 605 case TAG_OS_SHUTDOWN: 606 case TAG_LOGGING_STARTED: 607 case TAG_LOGGING_STOPPED: 608 case TAG_MEDIA_MOUNT: 609 case TAG_MEDIA_UNMOUNT: 610 case TAG_PASSWORD_EXPIRATION_SET: 611 case TAG_PASSWORD_COMPLEXITY_SET: 612 case TAG_PASSWORD_HISTORY_LENGTH_SET: 613 case TAG_MAX_SCREEN_LOCK_TIMEOUT_SET: 614 case TAG_MAX_PASSWORD_ATTEMPTS_SET: 615 case TAG_USER_RESTRICTION_ADDED: 616 case TAG_USER_RESTRICTION_REMOVED: 617 case TAG_CAMERA_POLICY_SET: 618 return LEVEL_INFO; 619 case TAG_CERT_AUTHORITY_REMOVED: 620 case TAG_CRYPTO_SELF_TEST_COMPLETED: 621 return getSuccess() ? LEVEL_INFO : LEVEL_ERROR; 622 case TAG_CERT_AUTHORITY_INSTALLED: 623 case TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT: 624 case TAG_KEY_IMPORT: 625 case TAG_KEY_DESTRUCTION: 626 case TAG_KEY_GENERATED: 627 return getSuccess() ? LEVEL_INFO : LEVEL_WARNING; 628 case TAG_LOG_BUFFER_SIZE_CRITICAL: 629 case TAG_WIPE_FAILURE: 630 case TAG_KEY_INTEGRITY_VIOLATION: 631 return LEVEL_ERROR; 632 case TAG_CERT_VALIDATION_FAILURE: 633 return LEVEL_WARNING; 634 default: 635 return LEVEL_INFO; 636 } 637 } 638 639 // Success/failure if present is encoded as an integer in the first (0th) element of data. getSuccess()640 private boolean getSuccess() { 641 final Object data = getData(); 642 if (data == null || !(data instanceof Object[])) { 643 return false; 644 } 645 646 final Object[] array = (Object[]) data; 647 return array.length >= 1 && array[0] instanceof Integer && (Integer) array[0] != 0; 648 } 649 650 /** 651 * Returns a copy of the security event suitable to be consumed by the provided user. 652 * This method will either return the original event itself if the event does not contain 653 * any sensitive data; or a copy of itself but with sensitive information redacted; or 654 * {@code null} if the entire event should not be accessed by the given user. 655 * 656 * @param accessingUser which user this security event is to be accessed, must be a 657 * concrete user id. 658 * @hide 659 */ redact(int accessingUser)660 public SecurityEvent redact(int accessingUser) { 661 // Which user the event is associated with, for the purpose of log redaction. 662 final int userId; 663 switch (getTag()) { 664 case SecurityLog.TAG_ADB_SHELL_CMD: 665 return new SecurityEvent(getId(), mEvent.withNewData("").getBytes()); 666 case SecurityLog.TAG_MEDIA_MOUNT: 667 case SecurityLog.TAG_MEDIA_UNMOUNT: 668 // Partial redaction 669 String mountPoint; 670 try { 671 mountPoint = getStringData(0); 672 } catch (Exception e) { 673 return null; 674 } 675 return new SecurityEvent(getId(), 676 mEvent.withNewData(new Object[] {mountPoint, ""}).getBytes()); 677 case SecurityLog.TAG_APP_PROCESS_START: 678 try { 679 userId = UserHandle.getUserId(getIntegerData(2)); 680 } catch (Exception e) { 681 return null; 682 } 683 break; 684 case SecurityLog.TAG_CERT_AUTHORITY_INSTALLED: 685 case SecurityLog.TAG_CERT_AUTHORITY_REMOVED: 686 try { 687 userId = getIntegerData(2); 688 } catch (Exception e) { 689 return null; 690 } 691 break; 692 case SecurityLog.TAG_KEY_GENERATED: 693 case SecurityLog.TAG_KEY_IMPORT: 694 case SecurityLog.TAG_KEY_DESTRUCTION: 695 try { 696 userId = UserHandle.getUserId(getIntegerData(2)); 697 } catch (Exception e) { 698 return null; 699 } 700 break; 701 case SecurityLog.TAG_KEY_INTEGRITY_VIOLATION: 702 try { 703 userId = UserHandle.getUserId(getIntegerData(1)); 704 } catch (Exception e) { 705 return null; 706 } 707 break; 708 default: 709 userId = UserHandle.USER_NULL; 710 } 711 // If the event is not user-specific, or matches the accessing user, return it 712 // unmodified, else redact by returning null 713 if (userId == UserHandle.USER_NULL || accessingUser == userId) { 714 return this; 715 } else { 716 return null; 717 } 718 } 719 720 @Override describeContents()721 public int describeContents() { 722 return 0; 723 } 724 725 @Override writeToParcel(Parcel dest, int flags)726 public void writeToParcel(Parcel dest, int flags) { 727 dest.writeLong(mId); 728 dest.writeByteArray(mEvent.getBytes()); 729 } 730 731 public static final @android.annotation.NonNull Parcelable.Creator<SecurityEvent> CREATOR = 732 new Parcelable.Creator<SecurityEvent>() { 733 @Override 734 public SecurityEvent createFromParcel(Parcel source) { 735 return new SecurityEvent(source); 736 } 737 738 @Override 739 public SecurityEvent[] newArray(int size) { 740 return new SecurityEvent[size]; 741 } 742 }; 743 744 /** 745 * @hide 746 */ 747 @Override equals(Object o)748 public boolean equals(Object o) { 749 if (this == o) return true; 750 if (o == null || getClass() != o.getClass()) return false; 751 SecurityEvent other = (SecurityEvent) o; 752 return mEvent.equals(other.mEvent) && mId == other.mId; 753 } 754 755 /** 756 * @hide 757 */ 758 @Override hashCode()759 public int hashCode() { 760 return Objects.hash(mEvent, mId); 761 } 762 763 /** @hide */ eventEquals(SecurityEvent other)764 public boolean eventEquals(SecurityEvent other) { 765 return other != null && mEvent.equals(other.mEvent); 766 } 767 } 768 769 /** 770 * Redacts events in-place according to which user will consume the events. 771 * 772 * @param accessingUser which user will consume the redacted events, or UserHandle.USER_ALL if 773 * redaction should be skipped. 774 * @hide 775 */ redactEvents(ArrayList<SecurityEvent> logList, int accessingUser)776 public static void redactEvents(ArrayList<SecurityEvent> logList, int accessingUser) { 777 if (accessingUser == UserHandle.USER_ALL) return; 778 int end = 0; 779 for (int i = 0; i < logList.size(); i++) { 780 SecurityEvent event = logList.get(i); 781 event = event.redact(accessingUser); 782 if (event != null) { 783 logList.set(end, event); 784 end++; 785 } 786 } 787 for (int i = logList.size() - 1; i >= end; i--) { 788 logList.remove(i); 789 } 790 } 791 792 /** 793 * Retrieve all security logs and return immediately. 794 * @hide 795 */ readEvents(Collection<SecurityEvent> output)796 public static native void readEvents(Collection<SecurityEvent> output) throws IOException; 797 798 /** 799 * Retrieve all security logs since the given timestamp in nanoseconds and return immediately. 800 * @hide 801 */ readEventsSince(long timestamp, Collection<SecurityEvent> output)802 public static native void readEventsSince(long timestamp, Collection<SecurityEvent> output) 803 throws IOException; 804 805 /** 806 * Retrieve all security logs before the last reboot. May return corrupted data due to 807 * unreliable pstore. 808 * @hide 809 */ readPreviousEvents(Collection<SecurityEvent> output)810 public static native void readPreviousEvents(Collection<SecurityEvent> output) 811 throws IOException; 812 813 /** 814 * Retrieve all security logs whose timestamp is equal to or greater than the given timestamp in 815 * nanoseconds. This method will block until either the last log earlier than the given 816 * timestamp is about to be pruned, or after a 2-hour timeout has passed. 817 * @hide 818 */ readEventsOnWrapping(long timestamp, Collection<SecurityEvent> output)819 public static native void readEventsOnWrapping(long timestamp, Collection<SecurityEvent> output) 820 throws IOException; 821 822 /** 823 * Write a log entry to the underlying storage, with a string payload. 824 * @hide 825 */ writeEvent(int tag, String str)826 public static native int writeEvent(int tag, String str); 827 828 /** 829 * Write a log entry to the underlying storage, with several payloads. 830 * Supported types of payload are: integer, long, float, string plus array of supported types. 831 * @hide 832 */ writeEvent(int tag, Object... payloads)833 public static native int writeEvent(int tag, Object... payloads); 834 } 835