Pavel Grafov | 94243c2 | 2021-04-21 18:03:11 +0100 | [diff] [blame^] | 1 | // Copyright 2021, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | //! This module implements functions to log audit events to binary security log buffer for NIAP |
| 16 | //! compliance. |
| 17 | |
| 18 | use crate::globals::LOGS_HANDLER; |
| 19 | use android_system_keystore2::aidl::android::system::keystore2::{ |
| 20 | Domain::Domain, KeyDescriptor::KeyDescriptor, |
| 21 | }; |
| 22 | use libc::uid_t; |
| 23 | use log_event_list::{LogContext, LogIdSecurity}; |
| 24 | |
| 25 | const TAG_KEY_GENERATED: u32 = 210024; |
| 26 | const TAG_KEY_IMPORTED: u32 = 210025; |
| 27 | const TAG_KEY_DESTROYED: u32 = 210026; |
| 28 | |
| 29 | const NAMESPACE_MASK: i64 = 0x80000000; |
| 30 | |
| 31 | /// For app domain returns calling app uid, for SELinux domain returns masked namespace. |
| 32 | fn key_owner(key: &KeyDescriptor, calling_app: uid_t) -> i32 { |
| 33 | match key.domain { |
| 34 | Domain::APP => calling_app as i32, |
| 35 | Domain::SELINUX => (key.nspace | NAMESPACE_MASK) as i32, |
| 36 | _ => { |
| 37 | log::info!("Not logging audit event for key with unexpected domain"); |
| 38 | 0 |
| 39 | } |
| 40 | } |
| 41 | } |
| 42 | |
| 43 | /// Logs key generation event to NIAP audit log. |
| 44 | pub fn log_key_generated(key: &KeyDescriptor, calling_app: uid_t, success: bool) { |
| 45 | log_key_event(TAG_KEY_GENERATED, key, calling_app, success); |
| 46 | } |
| 47 | |
| 48 | /// Logs key import event to NIAP audit log. |
| 49 | pub fn log_key_imported(key: &KeyDescriptor, calling_app: uid_t, success: bool) { |
| 50 | log_key_event(TAG_KEY_IMPORTED, key, calling_app, success); |
| 51 | } |
| 52 | |
| 53 | /// Logs key deletion event to NIAP audit log. |
| 54 | pub fn log_key_deleted(key: &KeyDescriptor, calling_app: uid_t, success: bool) { |
| 55 | log_key_event(TAG_KEY_DESTROYED, key, calling_app, success); |
| 56 | } |
| 57 | |
| 58 | fn log_key_event(tag: u32, key: &KeyDescriptor, calling_app: uid_t, success: bool) { |
| 59 | if let Some(ctx) = LogContext::new(LogIdSecurity, tag) { |
| 60 | let event = ctx |
| 61 | .append_i32(if success { 1 } else { 0 }) |
| 62 | .append_str(key.alias.as_ref().map_or("none", String::as_str)) |
| 63 | .append_i32(key_owner(key, calling_app)); |
| 64 | LOGS_HANDLER.queue_lo(move |_| { |
| 65 | event.write(); |
| 66 | }); |
| 67 | } |
| 68 | } |