Log key import, destruction and generation failure for audit.
This is required by NIAP audit logging requirements.
import and destruction events contain key name and uid.
Keystore is added to "log" secondary group to be able to write
to security buffer.
Test: manual, imported and deleted key via Settings while
monitoring adb shell su - logcat -b security
Bug:70886042
Change-Id: Iebb29380da5251ff66609884e615aabc379cd389
diff --git a/keystore/KeyStore.cpp b/keystore/KeyStore.cpp
index d9355b9..144c1c7 100644
--- a/keystore/KeyStore.cpp
+++ b/keystore/KeyStore.cpp
@@ -28,11 +28,22 @@
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
#include <android/security/IKeystoreService.h>
+#include <log/log_event_list.h>
+
+#include <private/android_logger.h>
#include "keystore_utils.h"
#include "permissions.h"
#include <keystore/keystore_hidl_support.h>
+namespace {
+
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_KEY_DESTROYED = 210026;
+
+} // anonymous namespace
+
namespace keystore {
const char* KeyStore::kOldMasterKey = ".masterkey";
@@ -381,8 +392,12 @@
auto ret = KS_HANDLE_HIDL_ERROR(dev->deleteKey(blob2hidlVec(keyBlob)));
// A device doesn't have to implement delete_key.
- if (ret != ErrorCode::OK && ret != ErrorCode::UNIMPLEMENTED)
- return ResponseCode::SYSTEM_ERROR;
+ bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
+ if (__android_log_security() && uidAlias.isOk()) {
+ android_log_event_list(SEC_TAG_KEY_DESTROYED)
+ << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ if (!success) return ResponseCode::SYSTEM_ERROR;
}
rc =
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 96d8f4d..89c31a5 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -25,12 +25,15 @@
#include <algorithm>
#include <sstream>
+#include <android-base/scopeguard.h>
#include <binder/IInterface.h>
#include <binder/IPCThreadState.h>
#include <binder/IPermissionController.h>
#include <binder/IServiceManager.h>
+#include <log/log_event_list.h>
#include <private/android_filesystem_config.h>
+#include <private/android_logger.h>
#include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
@@ -61,6 +64,11 @@
constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
const char* kTimestampFilePath = "timestamp";
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
+constexpr int SEC_TAG_KEY_IMPORTED = 210025;
+
struct BIGNUM_Delete {
void operator()(BIGNUM* p) const { BN_free(p); }
};
@@ -735,6 +743,13 @@
// TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
uid_t originalUid = IPCThreadState::self()->getCallingUid();
uid = getEffectiveUid(uid);
+ auto logOnScopeExit = android::base::make_scope_guard([&] {
+ if (__android_log_security()) {
+ android_log_event_list(SEC_TAG_AUTH_KEY_GENERATED)
+ << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+ << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ });
KeyStoreServiceReturnCode rc =
checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
if (!rc.isOk()) {
@@ -950,6 +965,13 @@
int32_t* aidl_return) {
uid = getEffectiveUid(uid);
+ auto logOnScopeExit = android::base::make_scope_guard([&] {
+ if (__android_log_security()) {
+ android_log_event_list(SEC_TAG_KEY_IMPORTED)
+ << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+ << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ });
KeyStoreServiceReturnCode rc =
checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
if (!rc.isOk()) {
diff --git a/keystore/keystore.rc b/keystore/keystore.rc
index 5dac937..132039a 100644
--- a/keystore/keystore.rc
+++ b/keystore/keystore.rc
@@ -1,5 +1,5 @@
service keystore /system/bin/keystore /data/misc/keystore
class main
user keystore
- group keystore drmrpc readproc
+ group keystore drmrpc readproc log
writepid /dev/cpuset/foreground/tasks