ADB security logging

Log adb shell, pull and push operations to the security log.

Bug: 22860162
Change-Id: I5d24e9d51040ae05a41d9fcb079e84351a217bd3

adb/file_sync_service.cpp

@@ -21,6 +21,7 @@
 
 #include <dirent.h>
 #include <errno.h>
+#include <log/log.h>
 #include <selinux/android.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -34,6 +35,7 @@
 #include "adb_io.h"
 #include "adb_utils.h"
 #include "private/android_filesystem_config.h"
+#include "security_log_tags.h"
 
 #include <android-base/stringprintf.h>
 #include <android-base/strings.h>
@@ -146,6 +148,8 @@ static bool handle_send_file(int s, const char* path, uid_t uid,
     syncmsg msg;
     unsigned int timestamp = 0;
 
+    __android_log_security_bswrite(SEC_TAG_ADB_SEND_FILE, path);
+
     int fd = adb_open_mode(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, mode);
     if (fd < 0 && errno == ENOENT) {
         if (!secure_mkdirs(adb_dirname(path))) {
@@ -314,6 +318,8 @@ static bool do_send(int s, const std::string& spec, std::vector<char>& buffer) {
 }
 
 static bool do_recv(int s, const char* path, std::vector<char>& buffer) {
+    __android_log_security_bswrite(SEC_TAG_ADB_RECV_FILE, path);
+
     int fd = adb_open(path, O_RDONLY | O_CLOEXEC);
     if (fd < 0) {
         SendSyncFailErrno(s, "open failed");

adb/security_log_tags.h

@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __SECURITY_LOG_TAGS_H
+#define __SECURITY_LOG_TAGS_H
+
+/* TODO: Automatically generate this file from the logtags file when build
+ * infrastructure is in place.
+ * Defined in frameworks/base/core/java/android/auditing/SecurityLog.logtags
+ */
+#define SEC_TAG_ADB_SHELL_INTERACTIVE 210001
+#define SEC_TAG_ADB_SHELL_CMD         210002
+#define SEC_TAG_ADB_RECV_FILE         210003
+#define SEC_TAG_ADB_SEND_FILE         210004
+
+#endif

adb/shell_service.cpp

@@ -95,11 +95,13 @@
 #include <android-base/logging.h>
 #include <android-base/stringprintf.h>
 #include <paths.h>
+#include <log/log.h>
 
 #include "adb.h"
 #include "adb_io.h"
 #include "adb_trace.h"
 #include "adb_utils.h"
+#include "security_log_tags.h"
 
 namespace {
 
@@ -240,6 +242,12 @@ bool Subprocess::ForkAndExec() {
     ScopedFd parent_error_sfd, child_error_sfd;
     char pts_name[PATH_MAX];
 
+    if (command_.empty()) {
+        __android_log_security_bswrite(SEC_TAG_ADB_SHELL_INTERACTIVE, "");
+    } else {
+        __android_log_security_bswrite(SEC_TAG_ADB_SHELL_CMD, command_.c_str());
+    }
+
     // Create a socketpair for the fork() child to report any errors back to the parent. Since we
     // use threads, logging directly from the child might deadlock due to locks held in another
     // thread during the fork.