From d61a25c17204b74b81558cb5d67c347f1e87fef1 Mon Sep 17 00:00:00 2001
From: Rubin Xu
Date: Mon, 11 Jan 2016 10:23:47 +0000
Subject: [PATCH] ADB security logging
Log adb shell, pull and push operations to the security log.
Bug: 22860162
Change-Id: I5d24e9d51040ae05a41d9fcb079e84351a217bd3
---
 adb/file_sync_service.cpp | 6 ++++++
 adb/security_log_tags.h | 28 ++++++++++++++++++++++++++++
 adb/shell_service.cpp | 8 ++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 adb/security_log_tags.h
diff --git a/adb/file_sync_service.cpp b/adb/file_sync_service.cpp
index 781968bce..ef0418e5e 100644
--- a/adb/file_sync_service.cpp
+++ b/adb/file_sync_service.cpp
@@ -21,6 +21,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -34,6 +35,7 @@
 #include "adb_io.h"
 #include "adb_utils.h"
 #include "private/android_filesystem_config.h"
+#include "security_log_tags.h"
 #include
 #include
@@ -146,6 +148,8 @@ static bool handle_send_file(int s, const char* path, uid_t uid,
 syncmsg msg;
 unsigned int timestamp = 0;
+ __android_log_security_bswrite(SEC_TAG_ADB_SEND_FILE, path);
+
 int fd = adb_open_mode(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, mode);
 if (fd < 0 && errno == ENOENT) {
 if (!secure_mkdirs(adb_dirname(path))) {
@@ -314,6 +318,8 @@ static bool do_send(int s, const std::string& spec, std::vector& buffer) {
 }
 static bool do_recv(int s, const char* path, std::vector& buffer) {
+ __android_log_security_bswrite(SEC_TAG_ADB_RECV_FILE, path);
+
 int fd = adb_open(path, O_RDONLY | O_CLOEXEC);
 if (fd < 0) {
 SendSyncFailErrno(s, "open failed");
diff --git a/adb/security_log_tags.h b/adb/security_log_tags.h
new file mode 100644
index 000000000..1d0274494
--- /dev/null
+++ b/adb/security_log_tags.h
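Review bot: In handle_send_file the security event is written before adb_open_mode() is attempted and the return value of `__android_log_security_bswrite` is discarded, so the log shows that a push was requested but not whether it succeeded, and a failed log write goes unnoticed. The same pattern is added in do_recv below and in Subprocess::ForkAndExec in adb/shell_service.cpp. If the entry is meant as an audit record, state that above the call, e.g. `// Audit the request itself; the outcome of the open is not recorded.`, and consider checking the result, `if (__android_log_security_bswrite(SEC_TAG_ADB_SEND_FILE, path) < 0) D("security log write failed");` (assuming a negative return signals failure, as with the other liblog writers). handle_send_file and do_recv both continue outside their hunks, so any later logging of the outcome is not visible here.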
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __SECURITY_LOG_TAGS_H
+#define __SECURITY_LOG_TAGS_H
+
+/* TODO: Automatically generate this file from the logtags file when build
+ * infrastructure is in place.
+ * Defined in frameworks/base/core/java/android/auditing/SecurityLog.logtags
+ */
+#define SEC_TAG_ADB_SHELL_INTERACTIVE 210001
+#define SEC_TAG_ADB_SHELL_CMD 210002
+#define SEC_TAG_ADB_RECV_FILE 210003
+#define SEC_TAG_ADB_SEND_FILE 210004
+
+#endif
diff --git a/adb/shell_service.cpp b/adb/shell_service.cpp
index e092dc48c..c3b9044f2 100644
--- a/adb/shell_service.cpp
+++ b/adb/shell_service.cpp
@@ -95,11 +95,13 @@
 #include
 #include
 #include
+#include
 #include "adb.h"
 #include "adb_io.h"
 #include "adb_trace.h"
 #include "adb_utils.h"
+#include "security_log_tags.h"
 namespace {
@@ -240,6 +242,12 @@ bool Subprocess::ForkAndExec() {
 ScopedFd parent_error_sfd, child_error_sfd;
 char pts_name[PATH_MAX];
+ if (command_.empty()) {
+ __android_log_security_bswrite(SEC_TAG_ADB_SHELL_INTERACTIVE, "");
+ } else {
+ __android_log_security_bswrite(SEC_TAG_ADB_SHELL_CMD, command_.c_str());
+ }
+
 // Create a socketpair for the fork() child to report any errors back to the parent. Since we
 // use threads, logging directly from the child might deadlock due to locks held in another
 // thread during the fork.
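Review bot: The four tag numbers are copied by hand from SecurityLog.logtags and nothing in this header says what payload each event carries, so a renumbering on the framework side or a caller passing the wrong string would go unnoticed until someone reads the audit log. Until the file is generated as the TODO describes, a short comment per define would help, e.g. `/* payload: command string passed to adb shell */` on SEC_TAG_ADB_SHELL_CMD and `/* payload: device path being read */` on SEC_TAG_ADB_RECV_FILE. The payload meanings here are taken from the callers added in this commit; the logtags file itself is not part of the patch.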
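Review bot: `command_` is written to the security log verbatim in the else branch of the block added to Subprocess::ForkAndExec, so anything the caller put on the command line, including credentials or tokens passed as arguments, becomes part of the audit record and is readable by whoever can retrieve that log. A comment above the block should say so, e.g. `// command_ is logged as given; it may contain secrets and is presumably subject to the logger's entry size limit.` The size limit is an assumption about liblog that is worth confirming, because a record that is cut short would not show the whole command that ran. ForkAndExec continues past the end of the hunk.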