1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.app.admin; 18 19 import static android.nfc.Flags.FLAG_NFC_STATE_CHANGE_SECURITY_LOG_EVENT_ENABLED; 20 21 import android.Manifest; 22 import android.annotation.FlaggedApi; 23 import android.annotation.IntDef; 24 import android.annotation.NonNull; 25 import android.annotation.Nullable; 26 import android.annotation.RequiresPermission; 27 import android.annotation.SystemApi; 28 import android.annotation.TestApi; 29 import android.compat.annotation.UnsupportedAppUsage; 30 import android.content.ComponentName; 31 import android.os.Build; 32 import android.os.Parcel; 33 import android.os.Parcelable; 34 import android.os.SystemProperties; 35 import android.os.UserHandle; 36 import android.util.EventLog.Event; 37 38 import java.io.IOException; 39 import java.lang.annotation.Retention; 40 import java.lang.annotation.RetentionPolicy; 41 import java.util.ArrayList; 42 import java.util.Collection; 43 import java.util.Objects; 44 45 /** 46 * Definitions for working with security logs. 47 * 48 * <p>Device owner apps can control the logging with 49 * {@link DevicePolicyManager#setSecurityLoggingEnabled}. When security logs are enabled, device 50 * owner apps receive periodic callbacks from {@link DeviceAdminReceiver#onSecurityLogsAvailable}, 51 * at which time new batch of logs can be collected via 52 * {@link DevicePolicyManager#retrieveSecurityLogs}. {@link SecurityEvent} describes the type and 53 * format of security logs being collected. 54 */ 55 public class SecurityLog { 56 57 private static final String PROPERTY_LOGGING_ENABLED = "persist.logd.security"; 58 59 /** @hide */ 60 @Retention(RetentionPolicy.SOURCE) 61 @IntDef(prefix = { "TAG_" }, value = { 62 TAG_ADB_SHELL_INTERACTIVE, 63 TAG_ADB_SHELL_CMD, 64 TAG_SYNC_RECV_FILE, 65 TAG_SYNC_SEND_FILE, 66 TAG_APP_PROCESS_START, 67 TAG_KEYGUARD_DISMISSED, 68 TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT, 69 TAG_KEYGUARD_SECURED, 70 TAG_OS_STARTUP, 71 TAG_OS_SHUTDOWN, 72 TAG_LOGGING_STARTED, 73 TAG_LOGGING_STOPPED, 74 TAG_MEDIA_MOUNT, 75 TAG_MEDIA_UNMOUNT, 76 TAG_LOG_BUFFER_SIZE_CRITICAL, 77 TAG_PASSWORD_EXPIRATION_SET, 78 TAG_PASSWORD_COMPLEXITY_SET, 79 TAG_PASSWORD_HISTORY_LENGTH_SET, 80 TAG_MAX_SCREEN_LOCK_TIMEOUT_SET, 81 TAG_MAX_PASSWORD_ATTEMPTS_SET, 82 TAG_KEYGUARD_DISABLED_FEATURES_SET, 83 TAG_REMOTE_LOCK, 84 TAG_USER_RESTRICTION_ADDED, 85 TAG_USER_RESTRICTION_REMOVED, 86 TAG_WIPE_FAILURE, 87 TAG_KEY_GENERATED, 88 TAG_KEY_IMPORT, 89 TAG_KEY_DESTRUCTION, 90 TAG_CERT_AUTHORITY_INSTALLED, 91 TAG_CERT_AUTHORITY_REMOVED, 92 TAG_CRYPTO_SELF_TEST_COMPLETED, 93 TAG_KEY_INTEGRITY_VIOLATION, 94 TAG_CERT_VALIDATION_FAILURE, 95 TAG_CAMERA_POLICY_SET, 96 TAG_PASSWORD_COMPLEXITY_REQUIRED, 97 TAG_PASSWORD_CHANGED, 98 TAG_WIFI_CONNECTION, 99 TAG_WIFI_DISCONNECTION, 100 TAG_BLUETOOTH_CONNECTION, 101 TAG_BLUETOOTH_DISCONNECTION, 102 TAG_PACKAGE_INSTALLED, 103 TAG_PACKAGE_UPDATED, 104 TAG_PACKAGE_UNINSTALLED, 105 TAG_BACKUP_SERVICE_TOGGLED, 106 TAG_NFC_ENABLED, 107 TAG_NFC_DISABLED, 108 }) 109 public @interface SecurityLogTag {} 110 111 /** @hide */ 112 @Retention(RetentionPolicy.SOURCE) 113 @IntDef(prefix = { "LEVEL_" }, value = { 114 LEVEL_INFO, 115 LEVEL_WARNING, 116 LEVEL_ERROR 117 }) 118 public @interface SecurityLogLevel {} 119 120 /** 121 * Indicates that an ADB interactive shell was opened via "adb shell". 122 * There is no extra payload in the log event. 123 */ 124 public static final int TAG_ADB_SHELL_INTERACTIVE = 125 SecurityLogTags.SECURITY_ADB_SHELL_INTERACTIVE; 126 127 /** 128 * Indicates that a shell command was issued over ADB via {@code adb shell <command>} 129 * The log entry contains a {@code String} payload containing the shell command, accessible 130 * via {@link SecurityEvent#getData()}. If security logging is enabled on organization-owned 131 * managed profile devices, the shell command will be redacted to an empty string. 132 */ 133 public static final int TAG_ADB_SHELL_CMD = SecurityLogTags.SECURITY_ADB_SHELL_COMMAND; 134 135 /** 136 * Indicates that a file was pulled from the device via the adb daemon, for example via 137 * {@code adb pull}. The log entry contains a {@code String} payload containing the path of the 138 * pulled file on the device, accessible via {@link SecurityEvent#getData()}. 139 */ 140 public static final int TAG_SYNC_RECV_FILE = SecurityLogTags.SECURITY_ADB_SYNC_RECV; 141 142 /** 143 * Indicates that a file was pushed to the device via the adb daemon, for example via 144 * {@code adb push}. The log entry contains a {@code String} payload containing the destination 145 * path of the pushed file, accessible via {@link SecurityEvent#getData()}. 146 */ 147 public static final int TAG_SYNC_SEND_FILE = SecurityLogTags.SECURITY_ADB_SYNC_SEND; 148 149 /** 150 * Indicates that an app process was started. The log entry contains the following 151 * information about the process encapsulated in an {@link Object} array, accessible via 152 * {@link SecurityEvent#getData()}: 153 * <li> [0] process name ({@code String}) 154 * <li> [1] exact start time in milliseconds according to {@code System.currentTimeMillis()} 155 * ({@code Long}) 156 * <li> [2] app uid ({@code Integer}) 157 * <li> [3] app pid ({@code Integer}) 158 * <li> [4] seinfo tag ({@code String}) 159 * <li> [5] SHA-256 hash of the base APK in hexadecimal ({@code String}) 160 * If security logging is enabled on organization-owned managed profile devices, only events 161 * happening inside the managed profile will be visible. 162 */ 163 public static final int TAG_APP_PROCESS_START = SecurityLogTags.SECURITY_APP_PROCESS_START; 164 165 /** 166 * Indicates that keyguard has been dismissed. This event is only logged if the device 167 * has a secure keyguard. It is logged regardless of how keyguard is dismissed, including 168 * via PIN/pattern/password, biometrics or via a trust agent. 169 * There is no extra payload in the log event. 170 * @see #TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT 171 */ 172 public static final int TAG_KEYGUARD_DISMISSED = SecurityLogTags.SECURITY_KEYGUARD_DISMISSED; 173 174 /** 175 * Indicates that there has been an authentication attempt to dismiss the keyguard. The log 176 * entry contains the following information about the attempt encapsulated in an {@link Object} 177 * array, accessible via {@link SecurityEvent#getData()}: 178 * <li> [0] attempt result ({@code Integer}, 1 for successful, 0 for unsuccessful) 179 * <li> [1] strength of authentication method ({@code Integer}, 1 if strong authentication 180 * method was used, 0 otherwise) 181 */ 182 public static final int TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT = 183 SecurityLogTags.SECURITY_KEYGUARD_DISMISS_AUTH_ATTEMPT; 184 185 /** 186 * Indicates that the device has been locked, either by the user or by a timeout. There is no 187 * extra payload in the log event. 188 */ 189 public static final int TAG_KEYGUARD_SECURED = SecurityLogTags.SECURITY_KEYGUARD_SECURED; 190 191 /** 192 * Indicates that the Android OS has started. The log entry contains the following information 193 * about the startup time software integrity check encapsulated in an {@link Object} array, 194 * accessible via {@link SecurityEvent#getData()}: 195 * <li> [0] Verified Boot state ({@code String}) 196 * <li> [1] dm-verity mode ({@code String}). 197 * <p>Verified Boot state can be one of the following: 198 * <li> {@code green} indicates that there is a full chain of trust extending from the 199 * bootloader to verified partitions including the bootloader, boot partition, and all verified 200 * partitions. 201 * <li> {@code yellow} indicates that the boot partition has been verified using the embedded 202 * certificate and the signature is valid. 203 * <li> {@code orange} indicates that the device may be freely modified. Device integrity is 204 * left to the user to verify out-of-band. 205 * <p>dm-verity mode can be one of the following: 206 * <li> {@code enforcing} indicates that the device will be restarted when corruption is 207 * detected. 208 * <li> {@code eio} indicates that an I/O error will be returned for an attempt to read 209 * corrupted data blocks. 210 * <li> {@code disabled} indicates that integrity check is disabled. 211 * For details see Verified Boot documentation. 212 */ 213 public static final int TAG_OS_STARTUP = SecurityLogTags.SECURITY_OS_STARTUP; 214 215 /** 216 * Indicates that the Android OS has shutdown. There is no extra payload in the log event. 217 */ 218 public static final int TAG_OS_SHUTDOWN = SecurityLogTags.SECURITY_OS_SHUTDOWN; 219 220 /** 221 * Indicates start-up of audit logging. There is no extra payload in the log event. 222 */ 223 public static final int TAG_LOGGING_STARTED = SecurityLogTags.SECURITY_LOGGING_STARTED; 224 225 /** 226 * Indicates shutdown of audit logging. There is no extra payload in the log event. 227 */ 228 public static final int TAG_LOGGING_STOPPED = SecurityLogTags.SECURITY_LOGGING_STOPPED; 229 230 /** 231 * Indicates that removable media has been mounted on the device. The log entry contains the 232 * following information about the event, encapsulated in an {@link Object} array and 233 * accessible via {@link SecurityEvent#getData()}: 234 * <li> [0] mount point ({@code String}) 235 * <li> [1] volume label ({@code String}). Redacted to empty string on organization-owned 236 * managed profile devices. 237 */ 238 public static final int TAG_MEDIA_MOUNT = SecurityLogTags.SECURITY_MEDIA_MOUNTED; 239 240 /** 241 * Indicates that removable media was unmounted from the device. The log entry contains the 242 * following information about the event, encapsulated in an {@link Object} array and 243 * accessible via {@link SecurityEvent#getData()}: 244 * <li> [0] mount point ({@code String}) 245 * <li> [1] volume label ({@code String}). Redacted to empty string on organization-owned 246 * managed profile devices. 247 */ 248 public static final int TAG_MEDIA_UNMOUNT = SecurityLogTags.SECURITY_MEDIA_UNMOUNTED; 249 250 /** 251 * Indicates that the audit log buffer has reached 90% of its capacity. There is no extra 252 * payload in the log event. 253 */ 254 public static final int TAG_LOG_BUFFER_SIZE_CRITICAL = 255 SecurityLogTags.SECURITY_LOG_BUFFER_SIZE_CRITICAL; 256 257 /** 258 * Indicates that an admin has set a password expiration timeout. The log entry contains the 259 * following information about the event, encapsulated in an {@link Object} array and accessible 260 * via {@link SecurityEvent#getData()}: 261 * <li> [0] admin package name ({@code String}) 262 * <li> [1] admin user ID ({@code Integer}) 263 * <li> [2] target user ID ({@code Integer}) 264 * <li> [3] new password expiration timeout in milliseconds ({@code Long}). 265 * @see DevicePolicyManager#setPasswordExpirationTimeout(ComponentName, long) 266 */ 267 public static final int TAG_PASSWORD_EXPIRATION_SET = 268 SecurityLogTags.SECURITY_PASSWORD_EXPIRATION_SET; 269 270 /** 271 * Indicates that an admin has set a requirement for password complexity. The log entry contains 272 * the following information about the event, encapsulated in an {@link Object} array and 273 * accessible via {@link SecurityEvent#getData()}: 274 * <li> [0] admin package name ({@code String}) 275 * <li> [1] admin user ID ({@code Integer}) 276 * <li> [2] target user ID ({@code Integer}) 277 * <li> [3] minimum password length ({@code Integer}) 278 * <li> [4] password quality constraint ({@code Integer}) 279 * <li> [5] minimum number of letters ({@code Integer}) 280 * <li> [6] minimum number of non-letters ({@code Integer}) 281 * <li> [7] minimum number of digits ({@code Integer}) 282 * <li> [8] minimum number of uppercase letters ({@code Integer}) 283 * <li> [9] minimum number of lowercase letters ({@code Integer}) 284 * <li> [10] minimum number of symbols ({@code Integer}) 285 * 286 * @see DevicePolicyManager#setPasswordMinimumLength(ComponentName, int) 287 * @see DevicePolicyManager#setPasswordQuality(ComponentName, int) 288 * @see DevicePolicyManager#setPasswordMinimumLetters(ComponentName, int) 289 * @see DevicePolicyManager#setPasswordMinimumNonLetter(ComponentName, int) 290 * @see DevicePolicyManager#setPasswordMinimumLowerCase(ComponentName, int) 291 * @see DevicePolicyManager#setPasswordMinimumUpperCase(ComponentName, int) 292 * @see DevicePolicyManager#setPasswordMinimumNumeric(ComponentName, int) 293 * @see DevicePolicyManager#setPasswordMinimumSymbols(ComponentName, int) 294 */ 295 public static final int TAG_PASSWORD_COMPLEXITY_SET = 296 SecurityLogTags.SECURITY_PASSWORD_COMPLEXITY_SET; 297 298 /** 299 * Indicates that an admin has set a password history length. The log entry contains the 300 * following information about the event encapsulated in an {@link Object} array, accessible 301 * via {@link SecurityEvent#getData()}: 302 * <li> [0] admin package name ({@code String}) 303 * <li> [1] admin user ID ({@code Integer}) 304 * <li> [2] target user ID ({@code Integer}) 305 * <li> [3] new password history length value ({@code Integer}) 306 * @see DevicePolicyManager#setPasswordHistoryLength(ComponentName, int) 307 */ 308 public static final int TAG_PASSWORD_HISTORY_LENGTH_SET = 309 SecurityLogTags.SECURITY_PASSWORD_HISTORY_LENGTH_SET; 310 311 /** 312 * Indicates that an admin has set a maximum screen lock timeout. The log entry contains the 313 * following information about the event encapsulated in an {@link Object} array, accessible 314 * via {@link SecurityEvent#getData()}: 315 * <li> [0] admin package name ({@code String}) 316 * <li> [1] admin user ID ({@code Integer}) 317 * <li> [2] target user ID ({@code Integer}) 318 * <li> [3] new screen lock timeout in milliseconds ({@code Long}) 319 * @see DevicePolicyManager#setMaximumTimeToLock(ComponentName, long) 320 */ 321 public static final int TAG_MAX_SCREEN_LOCK_TIMEOUT_SET = 322 SecurityLogTags.SECURITY_MAX_SCREEN_LOCK_TIMEOUT_SET; 323 324 /** 325 * Indicates that an admin has set a maximum number of failed password attempts before wiping 326 * data. The log entry contains the following information about the event encapsulated in an 327 * {@link Object} array, accessible via {@link SecurityEvent#getData()}: 328 * <li> [0] admin package name ({@code String}) 329 * <li> [1] admin user ID ({@code Integer}) 330 * <li> [2] target user ID ({@code Integer}) 331 * <li> [3] new maximum number of failed password attempts ({@code Integer}) 332 * @see DevicePolicyManager#setMaximumFailedPasswordsForWipe(ComponentName, int) 333 */ 334 public static final int TAG_MAX_PASSWORD_ATTEMPTS_SET = 335 SecurityLogTags.SECURITY_MAX_PASSWORD_ATTEMPTS_SET; 336 337 /** 338 * Indicates that an admin has set disabled keyguard features. The log entry contains the 339 * following information about the event encapsulated in an {@link Object} array, accessible via 340 * {@link SecurityEvent#getData()}: 341 * <li> [0] admin package name ({@code String}) 342 * <li> [1] admin user ID ({@code Integer}) 343 * <li> [2] target user ID ({@code Integer}) 344 * <li> [3] disabled keyguard feature mask ({@code Integer}). 345 * @see DevicePolicyManager#setKeyguardDisabledFeatures(ComponentName, int) 346 */ 347 public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET = 348 SecurityLogTags.SECURITY_KEYGUARD_DISABLED_FEATURES_SET; 349 350 /** 351 * Indicates that an admin remotely locked the device or profile. The log entry contains the 352 * following information about the event encapsulated in an {@link Object} array, accessible via 353 * {@link SecurityEvent#getData()}: 354 * <li> [0] admin package name ({@code String}), 355 * <li> [1] admin user ID ({@code Integer}). 356 * <li> [2] target user ID ({@code Integer}) 357 */ 358 public static final int TAG_REMOTE_LOCK = SecurityLogTags.SECURITY_REMOTE_LOCK; 359 360 /** 361 * Indicates a failure to wipe device or user data. There is no extra payload in the log event. 362 */ 363 public static final int TAG_WIPE_FAILURE = SecurityLogTags.SECURITY_WIPE_FAILED; 364 365 /** 366 * Indicates that a cryptographic key was generated. The log entry contains the following 367 * information about the event, encapsulated in an {@link Object} array and accessible via 368 * {@link SecurityEvent#getData()}: 369 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 370 * <li> [1] alias of the key ({@code String}) 371 * <li> [2] requesting process uid ({@code Integer}). 372 * 373 * If security logging is enabled on organization-owned managed profile devices, only events 374 * happening inside the managed profile will be visible. 375 */ 376 public static final int TAG_KEY_GENERATED = 377 SecurityLogTags.SECURITY_KEY_GENERATED; 378 379 /** 380 * Indicates that a cryptographic key was imported. The log entry contains the following 381 * information about the event, encapsulated in an {@link Object} array and accessible via 382 * {@link SecurityEvent#getData()}: 383 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 384 * <li> [1] alias of the key ({@code String}) 385 * <li> [2] requesting process uid ({@code Integer}). 386 * 387 * If security logging is enabled on organization-owned managed profile devices, only events 388 * happening inside the managed profile will be visible. 389 */ 390 public static final int TAG_KEY_IMPORT = SecurityLogTags.SECURITY_KEY_IMPORTED; 391 392 /** 393 * Indicates that a cryptographic key was destroyed. The log entry contains the following 394 * information about the event, encapsulated in an {@link Object} array and accessible via 395 * {@link SecurityEvent#getData()}: 396 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 397 * <li> [1] alias of the key ({@code String}) 398 * <li> [2] requesting process uid ({@code Integer}). 399 * 400 * If security logging is enabled on organization-owned managed profile devices, only events 401 * happening inside the managed profile will be visible. 402 */ 403 public static final int TAG_KEY_DESTRUCTION = SecurityLogTags.SECURITY_KEY_DESTROYED; 404 405 /** 406 * Indicates that a new root certificate has been installed into system's trusted credential 407 * storage. The log entry contains the following information about the event, encapsulated in an 408 * {@link Object} array and accessible via {@link SecurityEvent#getData()}: 409 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 410 * <li> [1] subject of the certificate ({@code String}). 411 * <li> [2] which user the certificate is installed for ({@code Integer}), only available from 412 * version {@link android.os.Build.VERSION_CODES#R}. 413 * 414 * If security logging is enabled on organization-owned managed profile devices, only events 415 * happening inside the managed profile will be visible. 416 */ 417 public static final int TAG_CERT_AUTHORITY_INSTALLED = 418 SecurityLogTags.SECURITY_CERT_AUTHORITY_INSTALLED; 419 420 /** 421 * Indicates that a new root certificate has been removed from system's trusted credential 422 * storage. The log entry contains the following information about the event, encapsulated in an 423 * {@link Object} array and accessible via {@link SecurityEvent#getData()}: 424 * <li> [0] result ({@code Integer}, 0 if operation failed, 1 if succeeded) 425 * <li> [1] subject of the certificate ({@code String}). 426 * <li> [2] which user the certificate is removed from ({@code Integer}), only available from 427 * version {@link android.os.Build.VERSION_CODES#R}. 428 * 429 * If security logging is enabled on organization-owned managed profile devices, only events 430 * happening inside the managed profile will be visible. 431 */ 432 public static final int TAG_CERT_AUTHORITY_REMOVED = 433 SecurityLogTags.SECURITY_CERT_AUTHORITY_REMOVED; 434 435 /** 436 * Indicates that an admin has set a user restriction. The log entry contains the following 437 * information about the event, encapsulated in an {@link Object} array and accessible via 438 * {@link SecurityEvent#getData()}: 439 * <li> [0] admin package name ({@code String}) 440 * <li> [1] admin user ID ({@code Integer}) 441 * <li> [2] user restriction ({@code String}) 442 * @see DevicePolicyManager#addUserRestriction(ComponentName, String) 443 */ 444 public static final int TAG_USER_RESTRICTION_ADDED = 445 SecurityLogTags.SECURITY_USER_RESTRICTION_ADDED; 446 447 /** 448 * Indicates that an admin has removed a user restriction. The log entry contains the following 449 * information about the event, encapsulated in an {@link Object} array and accessible via 450 * {@link SecurityEvent#getData()}: 451 * <li> [0] admin package name ({@code String}) 452 * <li> [1] admin user ID ({@code Integer}) 453 * <li> [2] user restriction ({@code String}) 454 * @see DevicePolicyManager#clearUserRestriction(ComponentName, String) 455 */ 456 public static final int TAG_USER_RESTRICTION_REMOVED = 457 SecurityLogTags.SECURITY_USER_RESTRICTION_REMOVED; 458 459 /** 460 * Indicates that cryptographic functionality self test has completed. The log entry contains an 461 * {@code Integer} payload, indicating the result of the test (0 if the test failed, 1 if 462 * succeeded) and accessible via {@link SecurityEvent#getData()}. 463 */ 464 public static final int TAG_CRYPTO_SELF_TEST_COMPLETED = 465 SecurityLogTags.SECURITY_CRYPTO_SELF_TEST_COMPLETED; 466 467 /** 468 * Indicates a failed cryptographic key integrity check. The log entry contains the following 469 * information about the event, encapsulated in an {@link Object} array and accessible via 470 * {@link SecurityEvent#getData()}: 471 * <li> [0] alias of the key ({@code String}) 472 * <li> [1] owner application uid ({@code Integer}). 473 * 474 * If security logging is enabled on organization-owned managed profile devices, only events 475 * happening inside the managed profile will be visible. 476 */ 477 public static final int TAG_KEY_INTEGRITY_VIOLATION = 478 SecurityLogTags.SECURITY_KEY_INTEGRITY_VIOLATION; 479 480 /** 481 * Indicates a failure to validate X.509v3 certificate. The log entry contains a {@code String} 482 * payload indicating the failure reason, accessible via {@link SecurityEvent#getData()}. 483 */ 484 public static final int TAG_CERT_VALIDATION_FAILURE = 485 SecurityLogTags.SECURITY_CERT_VALIDATION_FAILURE; 486 487 /** 488 * Indicates that the admin has set policy to disable camera. 489 * The log entry contains the following information about the event, encapsulated in an 490 * {@link Object} array and accessible via {@link SecurityEvent#getData()}: 491 * <li> [0] admin package name ({@code String}) 492 * <li> [1] admin user ID ({@code Integer}) 493 * <li> [2] target user ID ({@code Integer}) 494 * <li> [3] whether the camera is disabled or not ({@code Integer}, 1 if it's disabled, 495 * 0 if enabled) 496 */ 497 public static final int TAG_CAMERA_POLICY_SET = 498 SecurityLogTags.SECURITY_CAMERA_POLICY_SET; 499 500 /** 501 * Indicates that an admin has set a password complexity requirement, using the platform's 502 * pre-defined complexity levels. The log entry contains the following information about the 503 * event, encapsulated in an {@link Object} array and accessible via 504 * {@link SecurityEvent#getData()}: 505 * <li> [0] admin package name ({@code String}) 506 * <li> [1] admin user ID ({@code Integer}) 507 * <li> [2] target user ID ({@code Integer}) 508 * <li> [3] Password complexity ({@code Integer}) 509 * 510 * @see DevicePolicyManager#setRequiredPasswordComplexity(int) 511 */ 512 public static final int TAG_PASSWORD_COMPLEXITY_REQUIRED = 513 SecurityLogTags.SECURITY_PASSWORD_COMPLEXITY_REQUIRED; 514 515 /** 516 * Indicates that a user has just changed their lockscreen password. 517 * The log entry contains the following information about the 518 * event, encapsulated in an {@link Object} array and accessible via 519 * {@link SecurityEvent#getData()}: 520 * <li> [0] complexity for the new password ({@code Integer}) 521 * <li> [1] target user ID ({@code Integer}) 522 * 523 * <p>Password complexity levels are defined as in 524 * {@link DevicePolicyManager#getPasswordComplexity()} 525 */ 526 public static final int TAG_PASSWORD_CHANGED = SecurityLogTags.SECURITY_PASSWORD_CHANGED; 527 528 /** 529 * Indicates that an event occurred as the device attempted to connect to 530 * a managed WiFi network. The log entry contains the following information about the 531 * event, encapsulated in an {@link Object} array and accessible via 532 * {@link SecurityEvent#getData()}: 533 * <li> [0] Last 2 octets of the network BSSID ({@code String}, in the form "xx:xx:xx:xx:AA:BB") 534 * <li> [1] Type of event that occurred ({@code String}). Event types are CONNECTED, 535 * DISCONNECTED, ASSOCIATING, ASSOCIATED, EAP_METHOD_SELECTED, EAP_FAILURE, 536 * SSID_TEMP_DISABLED, and OPEN_SSL_FAILURE. 537 * <li> [2] Optional human-readable failure reason, empty string if none ({@code String}) 538 */ 539 public static final int TAG_WIFI_CONNECTION = SecurityLogTags.SECURITY_WIFI_CONNECTION; 540 541 /** 542 * Indicates that the device disconnects from a managed WiFi network. 543 * The log entry contains the following information about the 544 * event, encapsulated in an {@link Object} array and accessible via 545 * {@link SecurityEvent#getData()}: 546 * <li> [0] Last 2 octets of the network BSSID ({@code String}, in the form "xx:xx:xx:xx:AA:BB") 547 * <li> [1] Optional human-readable disconnection reason, empty string if none ({@code String}) 548 */ 549 public static final int TAG_WIFI_DISCONNECTION = SecurityLogTags.SECURITY_WIFI_DISCONNECTION; 550 551 /** 552 * Indicates that the device attempts to connect to a Bluetooth device. 553 * The log entry contains the following information about the 554 * event, encapsulated in an {@link Object} array and accessible via 555 * {@link SecurityEvent#getData()}: 556 * <li> [0] The MAC address of the Bluetooth device ({@code String}) 557 * <li> [1] Whether the connection is successful ({@code Integer}, 1 if successful, 0 otherwise) 558 * <li> [2] Optional human-readable failure reason, empty string if none ({@code String}) 559 */ 560 public static final int TAG_BLUETOOTH_CONNECTION = 561 SecurityLogTags.SECURITY_BLUETOOTH_CONNECTION; 562 563 /** 564 * Indicates that the device disconnects from a connected Bluetooth device. 565 * The log entry contains the following information about the 566 * event, encapsulated in an {@link Object} array and accessible via 567 * {@link SecurityEvent#getData()}: 568 * <li> [0] The MAC address of the connected Bluetooth device ({@code String}) 569 * <li> [1] Optional human-readable disconnection reason, empty string if none ({@code String}) 570 */ 571 public static final int TAG_BLUETOOTH_DISCONNECTION = 572 SecurityLogTags.SECURITY_BLUETOOTH_DISCONNECTION; 573 574 /** 575 * Indicates that a package is installed. 576 * The log entry contains the following information about the 577 * event, encapsulated in an {@link Object} array and accessible via 578 * {@link SecurityEvent#getData()}: 579 * <li> [0] Name of the package being installed ({@code String}) 580 * <li> [1] Package version code ({@code Long}) 581 * <li> [2] UserId of the user that installed this package ({@code Integer}) 582 */ 583 public static final int TAG_PACKAGE_INSTALLED = SecurityLogTags.SECURITY_PACKAGE_INSTALLED; 584 585 /** 586 * Indicates that a package is updated. 587 * The log entry contains the following information about the 588 * event, encapsulated in an {@link Object} array and accessible via 589 * {@link SecurityEvent#getData()}: 590 * <li> [0] Name of the package being updated ({@code String}) 591 * <li> [1] Package version code ({@code Long}) 592 * <li> [2] UserId of the user that updated this package ({@code Integer}) 593 */ 594 public static final int TAG_PACKAGE_UPDATED = SecurityLogTags.SECURITY_PACKAGE_UPDATED; 595 596 /** 597 * Indicates that a package is uninstalled. 598 * The log entry contains the following information about the 599 * event, encapsulated in an {@link Object} array and accessible via 600 * {@link SecurityEvent#getData()}: 601 * <li> [0] Name of the package being uninstalled ({@code String}) 602 * <li> [1] Package version code ({@code Long}) 603 * <li> [2] UserId of the user that uninstalled this package ({@code Integer}) 604 */ 605 public static final int TAG_PACKAGE_UNINSTALLED = SecurityLogTags.SECURITY_PACKAGE_UNINSTALLED; 606 607 /** 608 * Indicates that an admin has enabled or disabled backup service. The log entry contains the 609 * following information about the event encapsulated in an {@link Object} array, accessible 610 * via {@link SecurityEvent#getData()}: 611 * <li> [0] admin package name ({@code String}) 612 * <li> [1] admin user ID ({@code Integer}) 613 * <li> [2] backup service state ({@code Integer}, 1 for enabled, 0 for disabled) 614 * @see DevicePolicyManager#setBackupServiceEnabled(ComponentName, boolean) 615 */ 616 public static final int TAG_BACKUP_SERVICE_TOGGLED = 617 SecurityLogTags.SECURITY_BACKUP_SERVICE_TOGGLED; 618 619 /** 620 * Indicates that NFC service is enabled. There is no extra payload in the log event. 621 */ 622 @FlaggedApi(FLAG_NFC_STATE_CHANGE_SECURITY_LOG_EVENT_ENABLED) 623 public static final int TAG_NFC_ENABLED = SecurityLogTags.SECURITY_NFC_ENABLED; 624 625 /** 626 * Indicates that NFC service is disabled. There is no extra payload in the log event. 627 */ 628 @FlaggedApi(FLAG_NFC_STATE_CHANGE_SECURITY_LOG_EVENT_ENABLED) 629 public static final int TAG_NFC_DISABLED = SecurityLogTags.SECURITY_NFC_DISABLED; 630 /** 631 * Event severity level indicating that the event corresponds to normal workflow. 632 */ 633 public static final int LEVEL_INFO = 1; 634 635 /** 636 * Event severity level indicating that the event may require admin attention. 637 */ 638 public static final int LEVEL_WARNING = 2; 639 640 /** 641 * Event severity level indicating that the event requires urgent admin action. 642 */ 643 public static final int LEVEL_ERROR = 3; 644 645 /** 646 * Returns if security logging is enabled. Log producers should only write new logs if this is 647 * true. Under the hood this is the logical AND of whether device owner exists and whether 648 * it enables logging by setting the system property {@link #PROPERTY_LOGGING_ENABLED}. 649 * @hide 650 */ isLoggingEnabled()651 public static native boolean isLoggingEnabled(); 652 653 /** 654 * @hide 655 */ setLoggingEnabledProperty(boolean enabled)656 public static void setLoggingEnabledProperty(boolean enabled) { 657 SystemProperties.set(PROPERTY_LOGGING_ENABLED, enabled ? "true" : "false"); 658 } 659 660 /** 661 * @hide 662 */ getLoggingEnabledProperty()663 public static boolean getLoggingEnabledProperty() { 664 return SystemProperties.getBoolean(PROPERTY_LOGGING_ENABLED, false); 665 } 666 667 /** 668 * A class representing a security event log entry. 669 */ 670 public static final class SecurityEvent implements Parcelable { 671 private Event mEvent; 672 private long mId; 673 674 /** 675 * Constructor used by native classes to generate SecurityEvent instances. 676 * @hide 677 */ 678 @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553) SecurityEvent(byte[] data)679 /* package */ SecurityEvent(byte[] data) { 680 this(0, data); 681 } 682 683 /** 684 * Constructor used by Parcelable.Creator to generate SecurityEvent instances. 685 * @hide 686 */ SecurityEvent(Parcel source)687 /* package */ SecurityEvent(Parcel source) { 688 this(source.readLong(), source.createByteArray()); 689 } 690 691 /** @hide */ 692 @TestApi SecurityEvent(long id, byte[] data)693 public SecurityEvent(long id, byte[] data) { 694 mId = id; 695 mEvent = Event.fromBytes(data); 696 } 697 698 /** 699 * Returns the timestamp in nano seconds when this event was logged. 700 */ getTimeNanos()701 public long getTimeNanos() { 702 return mEvent.getTimeNanos(); 703 } 704 705 /** 706 * Returns the tag of this log entry, which specifies entry's semantics. 707 */ getTag()708 public @SecurityLogTag int getTag() { 709 return mEvent.getTag(); 710 } 711 712 /** 713 * Returns the payload contained in this log entry or {@code null} if there is no payload. 714 */ getData()715 public Object getData() { 716 return mEvent.getData(); 717 } 718 719 /** @hide */ getIntegerData(int index)720 public int getIntegerData(int index) { 721 return (Integer) ((Object[]) mEvent.getData())[index]; 722 } 723 724 /** @hide */ getStringData(int index)725 public String getStringData(int index) { 726 return (String) ((Object[]) mEvent.getData())[index]; 727 } 728 729 /** 730 * @hide 731 */ setId(long id)732 public void setId(long id) { 733 this.mId = id; 734 } 735 736 /** 737 * Returns the id of the event, where the id monotonically increases for each event. The id 738 * is reset when the device reboots, and when security logging is enabled. 739 */ getId()740 public long getId() { 741 return mId; 742 } 743 744 /** 745 * Returns severity level for the event. 746 */ getLogLevel()747 public @SecurityLogLevel int getLogLevel() { 748 switch (getTag()) { 749 case TAG_ADB_SHELL_INTERACTIVE: 750 case TAG_ADB_SHELL_CMD: 751 case TAG_SYNC_RECV_FILE: 752 case TAG_SYNC_SEND_FILE: 753 case TAG_APP_PROCESS_START: 754 case TAG_KEYGUARD_DISMISSED: 755 case TAG_KEYGUARD_SECURED: 756 case TAG_OS_STARTUP: 757 case TAG_OS_SHUTDOWN: 758 case TAG_LOGGING_STARTED: 759 case TAG_LOGGING_STOPPED: 760 case TAG_MEDIA_MOUNT: 761 case TAG_MEDIA_UNMOUNT: 762 case TAG_PASSWORD_EXPIRATION_SET: 763 case TAG_PASSWORD_COMPLEXITY_SET: 764 case TAG_PASSWORD_HISTORY_LENGTH_SET: 765 case TAG_MAX_SCREEN_LOCK_TIMEOUT_SET: 766 case TAG_MAX_PASSWORD_ATTEMPTS_SET: 767 case TAG_USER_RESTRICTION_ADDED: 768 case TAG_USER_RESTRICTION_REMOVED: 769 case TAG_CAMERA_POLICY_SET: 770 case TAG_PASSWORD_COMPLEXITY_REQUIRED: 771 case TAG_PASSWORD_CHANGED: 772 return LEVEL_INFO; 773 case TAG_CERT_AUTHORITY_REMOVED: 774 case TAG_CRYPTO_SELF_TEST_COMPLETED: 775 return getSuccess() ? LEVEL_INFO : LEVEL_ERROR; 776 case TAG_CERT_AUTHORITY_INSTALLED: 777 case TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT: 778 case TAG_KEY_IMPORT: 779 case TAG_KEY_DESTRUCTION: 780 case TAG_KEY_GENERATED: 781 return getSuccess() ? LEVEL_INFO : LEVEL_WARNING; 782 case TAG_LOG_BUFFER_SIZE_CRITICAL: 783 case TAG_WIPE_FAILURE: 784 case TAG_KEY_INTEGRITY_VIOLATION: 785 return LEVEL_ERROR; 786 case TAG_CERT_VALIDATION_FAILURE: 787 return LEVEL_WARNING; 788 default: 789 return LEVEL_INFO; 790 } 791 } 792 793 // Success/failure if present is encoded as an integer in the first (0th) element of data. getSuccess()794 private boolean getSuccess() { 795 final Object data = getData(); 796 if (data == null || !(data instanceof Object[])) { 797 return false; 798 } 799 800 final Object[] array = (Object[]) data; 801 return array.length >= 1 && array[0] instanceof Integer && (Integer) array[0] != 0; 802 } 803 804 /** 805 * Returns a copy of the security event suitable to be consumed by the provided user. 806 * This method will either return the original event itself if the event does not contain 807 * any sensitive data; or a copy of itself but with sensitive information redacted; or 808 * {@code null} if the entire event should not be accessed by the given user. 809 * 810 * @param accessingUser which user this security event is to be accessed, must be a 811 * concrete user id. 812 * @hide 813 */ redact(int accessingUser)814 public SecurityEvent redact(int accessingUser) { 815 // Which user the event is associated with, for the purpose of log redaction. 816 final int userId; 817 switch (getTag()) { 818 case SecurityLog.TAG_ADB_SHELL_CMD: 819 return new SecurityEvent(getId(), mEvent.withNewData("").getBytes()); 820 case SecurityLog.TAG_MEDIA_MOUNT: 821 case SecurityLog.TAG_MEDIA_UNMOUNT: 822 // Partial redaction 823 String mountPoint; 824 try { 825 mountPoint = getStringData(0); 826 } catch (Exception e) { 827 return null; 828 } 829 return new SecurityEvent(getId(), 830 mEvent.withNewData(new Object[] {mountPoint, ""}).getBytes()); 831 case SecurityLog.TAG_APP_PROCESS_START: 832 try { 833 userId = UserHandle.getUserId(getIntegerData(2)); 834 } catch (Exception e) { 835 return null; 836 } 837 break; 838 case SecurityLog.TAG_CERT_AUTHORITY_INSTALLED: 839 case SecurityLog.TAG_CERT_AUTHORITY_REMOVED: 840 case SecurityLog.TAG_PACKAGE_INSTALLED: 841 case SecurityLog.TAG_PACKAGE_UPDATED: 842 case SecurityLog.TAG_PACKAGE_UNINSTALLED: 843 try { 844 userId = getIntegerData(2); 845 } catch (Exception e) { 846 return null; 847 } 848 break; 849 case SecurityLog.TAG_KEY_GENERATED: 850 case SecurityLog.TAG_KEY_IMPORT: 851 case SecurityLog.TAG_KEY_DESTRUCTION: 852 try { 853 userId = UserHandle.getUserId(getIntegerData(2)); 854 } catch (Exception e) { 855 return null; 856 } 857 break; 858 case SecurityLog.TAG_KEY_INTEGRITY_VIOLATION: 859 try { 860 userId = UserHandle.getUserId(getIntegerData(1)); 861 } catch (Exception e) { 862 return null; 863 } 864 break; 865 case SecurityLog.TAG_PASSWORD_CHANGED: 866 try { 867 userId = getIntegerData(1); 868 } catch (Exception e) { 869 return null; 870 } 871 break; 872 default: 873 userId = UserHandle.USER_NULL; 874 } 875 // If the event is not user-specific, or matches the accessing user, return it 876 // unmodified, else redact by returning null 877 if (userId == UserHandle.USER_NULL || accessingUser == userId) { 878 return this; 879 } else { 880 return null; 881 } 882 } 883 884 @Override describeContents()885 public int describeContents() { 886 return 0; 887 } 888 889 @Override writeToParcel(Parcel dest, int flags)890 public void writeToParcel(Parcel dest, int flags) { 891 dest.writeLong(mId); 892 dest.writeByteArray(mEvent.getBytes()); 893 } 894 895 public static final @android.annotation.NonNull Parcelable.Creator<SecurityEvent> CREATOR = 896 new Parcelable.Creator<SecurityEvent>() { 897 @Override 898 public SecurityEvent createFromParcel(Parcel source) { 899 return new SecurityEvent(source); 900 } 901 902 @Override 903 public SecurityEvent[] newArray(int size) { 904 return new SecurityEvent[size]; 905 } 906 }; 907 908 /** 909 * @hide 910 */ 911 @Override equals(@ullable Object o)912 public boolean equals(@Nullable Object o) { 913 if (this == o) return true; 914 if (o == null || getClass() != o.getClass()) return false; 915 SecurityEvent other = (SecurityEvent) o; 916 return mEvent.equals(other.mEvent) && mId == other.mId; 917 } 918 919 /** 920 * @hide 921 */ 922 @Override hashCode()923 public int hashCode() { 924 return Objects.hash(mEvent, mId); 925 } 926 927 /** @hide */ eventEquals(SecurityEvent other)928 public boolean eventEquals(SecurityEvent other) { 929 return other != null && mEvent.equals(other.mEvent); 930 } 931 } 932 933 /** 934 * Redacts events in-place according to which user will consume the events. 935 * 936 * @param accessingUser which user will consume the redacted events, or UserHandle.USER_ALL if 937 * redaction should be skipped. 938 * @hide 939 */ redactEvents(ArrayList<SecurityEvent> logList, int accessingUser)940 public static void redactEvents(ArrayList<SecurityEvent> logList, int accessingUser) { 941 if (accessingUser == UserHandle.USER_ALL) return; 942 int end = 0; 943 for (int i = 0; i < logList.size(); i++) { 944 SecurityEvent event = logList.get(i); 945 event = event.redact(accessingUser); 946 if (event != null) { 947 logList.set(end, event); 948 end++; 949 } 950 } 951 for (int i = logList.size() - 1; i >= end; i--) { 952 logList.remove(i); 953 } 954 } 955 956 /** 957 * Retrieve all security logs and return immediately. 958 * @hide 959 */ readEvents(Collection<SecurityEvent> output)960 public static native void readEvents(Collection<SecurityEvent> output) throws IOException; 961 962 /** 963 * Retrieve all security logs since the given timestamp in nanoseconds and return immediately. 964 * @hide 965 */ readEventsSince(long timestamp, Collection<SecurityEvent> output)966 public static native void readEventsSince(long timestamp, Collection<SecurityEvent> output) 967 throws IOException; 968 969 /** 970 * Retrieve all security logs before the last reboot. May return corrupted data due to 971 * unreliable pstore. 972 * @hide 973 */ readPreviousEvents(Collection<SecurityEvent> output)974 public static native void readPreviousEvents(Collection<SecurityEvent> output) 975 throws IOException; 976 977 /** 978 * Retrieve all security logs whose timestamp is equal to or greater than the given timestamp in 979 * nanoseconds. This method will block until either the last log earlier than the given 980 * timestamp is about to be pruned, or after a 2-hour timeout has passed. 981 * @hide 982 */ readEventsOnWrapping(long timestamp, Collection<SecurityEvent> output)983 public static native void readEventsOnWrapping(long timestamp, Collection<SecurityEvent> output) 984 throws IOException; 985 986 /** 987 * Write a log entry to the underlying storage, with several payloads. 988 * Supported types of payload are: integer, long, float, string plus array of supported types. 989 * 990 * <p>Security log is part of Android's device management capability that tracks 991 * security-sensitive events for auditing purposes. 992 * 993 * @param tag the tag ID of the security event 994 * @param payloads a list of payload values. Each tag dictates the expected payload types 995 * and their meanings 996 * @see DevicePolicyManager#setSecurityLoggingEnabled(ComponentName, boolean) 997 * 998 * @hide 999 */ 1000 // TODO(b/218658622): enforce WRITE_SECURITY_LOG in logd. 1001 @SystemApi 1002 @RequiresPermission(Manifest.permission.WRITE_SECURITY_LOG) writeEvent(@ecurityLogTag int tag, @NonNull Object... payloads)1003 public static native int writeEvent(@SecurityLogTag int tag, @NonNull Object... payloads); 1004 } 1005