commit ff311b4739ce7b26a93615d0368cd24542b5268b
author Pavel Grafov <pgrafov@google.com> Wed Jan 24 20:34:37 2018 +0000
committer Pavel Grafov <pgrafov@google.com> Mon Jan 29 20:11:06 2018 +0000
tree bbd8d7f377536d42aae50777ac7ce011314b1f55
parent b6de2e0eb9774e45833e0dc82a741bc9f50da90e

Log key import, destruction and generation failure for audit.

This is required by NIAP audit logging requirements.
import and destruction events contain key name and uid.

Keystore is added to "log" secondary group to be able to write
to security buffer.

Test: manual, imported and deleted key via Settings while
      monitoring adb shell su - logcat -b security
Bug:70886042
Change-Id: Iebb29380da5251ff66609884e615aabc379cd389

keystore/key_store_service.cpp

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 96d8f4d..89c31a5 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -25,12 +25,15 @@
 #include <algorithm>
 #include <sstream>
 
+#include <android-base/scopeguard.h>
 #include <binder/IInterface.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IPermissionController.h>
 #include <binder/IServiceManager.h>
+#include <log/log_event_list.h>
 
 #include <private/android_filesystem_config.h>
+#include <private/android_logger.h>
 
 #include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
 
@@ -61,6 +64,11 @@
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";
 
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
+constexpr int SEC_TAG_KEY_IMPORTED = 210025;
+
 struct BIGNUM_Delete {
     void operator()(BIGNUM* p) const { BN_free(p); }
 };
@@ -735,6 +743,13 @@
     // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
     uid_t originalUid = IPCThreadState::self()->getCallingUid();
     uid = getEffectiveUid(uid);
+    auto logOnScopeExit = android::base::make_scope_guard([&] {
+        if (__android_log_security()) {
+            android_log_event_list(SEC_TAG_AUTH_KEY_GENERATED)
+                << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+                << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+        }
+    });
     KeyStoreServiceReturnCode rc =
         checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
     if (!rc.isOk()) {
@@ -950,6 +965,13 @@
                            int32_t* aidl_return) {
 
     uid = getEffectiveUid(uid);
+    auto logOnScopeExit = android::base::make_scope_guard([&] {
+        if (__android_log_security()) {
+            android_log_event_list(SEC_TAG_KEY_IMPORTED)
+                << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+                << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+        }
+    });
     KeyStoreServiceReturnCode rc =
         checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
     if (!rc.isOk()) {