Log key import, destruction and generation failure for audit.

This is required by NIAP audit logging requirements. import and destruction events contain key name and uid. Keystore is added to "log" secondary group to be able to write to security buffer. Test: manual, imported and deleted key via Settings while monitoring adb shell su - logcat -b security Bug:70886042 Change-Id: Iebb29380da5251ff66609884e615aabc379cd389
2018-01-24 20:34:37 +00:00 · 2018-01-24 20:34:37 +00:00 · ff311b4739
commit ff311b4739
parent b6de2e0eb9
3 changed files with 40 additions and 3 deletions
--- a/keystore/KeyStore.cpp
+++ b/keystore/KeyStore.cpp
@ -28,11 +28,22 @@

 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
 #include <android/security/IKeystoreService.h>
+#include <log/log_event_list.h>
+
+#include <private/android_logger.h>

 #include "keystore_utils.h"
 #include "permissions.h"
 #include <keystore/keystore_hidl_support.h>

+namespace {
+
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_KEY_DESTROYED = 210026;
+
+}  // anonymous namespace
+
 namespace keystore {

 const char* KeyStore::kOldMasterKey = ".masterkey";
@ -381,8 +392,12 @@ ResponseCode KeyStore::del(const char* filename, const BlobType type, uid_t user
        auto ret = KS_HANDLE_HIDL_ERROR(dev->deleteKey(blob2hidlVec(keyBlob)));

        // A device doesn't have to implement delete_key.
-        if (ret != ErrorCode::OK && ret != ErrorCode::UNIMPLEMENTED)
-            return ResponseCode::SYSTEM_ERROR;
+        bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
+        if (__android_log_security() && uidAlias.isOk()) {
+            android_log_event_list(SEC_TAG_KEY_DESTROYED)
+                << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
+        }
+        if (!success) return ResponseCode::SYSTEM_ERROR;
    }

    rc =
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@ -25,12 +25,15 @@
 #include <algorithm>
 #include <sstream>

+#include <android-base/scopeguard.h>
 #include <binder/IInterface.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IPermissionController.h>
 #include <binder/IServiceManager.h>
+#include <log/log_event_list.h>

 #include <private/android_filesystem_config.h>
+#include <private/android_logger.h>

 #include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>

@ -61,6 +64,11 @@ constexpr size_t kMaxOperations = 15;
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";

+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
+constexpr int SEC_TAG_KEY_IMPORTED = 210025;
+
 struct BIGNUM_Delete {
    void operator()(BIGNUM* p) const { BN_free(p); }
 };
@ -735,6 +743,13 @@ KeyStoreService::generateKey(const String16& name, const KeymasterArguments& par
    // TODO(jbires): remove this getCallingUid call upon implementation of b/25646100
    uid_t originalUid = IPCThreadState::self()->getCallingUid();
    uid = getEffectiveUid(uid);
+    auto logOnScopeExit = android::base::make_scope_guard([&] {
+        if (__android_log_security()) {
+            android_log_event_list(SEC_TAG_AUTH_KEY_GENERATED)
+                << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+                << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+        }
+    });
    KeyStoreServiceReturnCode rc =
        checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
    if (!rc.isOk()) {
@ -950,6 +965,13 @@ KeyStoreService::importKey(const String16& name, const KeymasterArguments& param
                           int32_t* aidl_return) {

    uid = getEffectiveUid(uid);
+    auto logOnScopeExit = android::base::make_scope_guard([&] {
+        if (__android_log_security()) {
+            android_log_event_list(SEC_TAG_KEY_IMPORTED)
+                << int32_t(*aidl_return == static_cast<int32_t>(ResponseCode::NO_ERROR))
+                << String8(name) << int32_t(uid) << LOG_ID_SECURITY;
+        }
+    });
    KeyStoreServiceReturnCode rc =
        checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
    if (!rc.isOk()) {
--- a/keystore/keystore.rc
+++ b/keystore/keystore.rc
@ -1,5 +1,5 @@
 service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
-    group keystore drmrpc readproc
+    group keystore drmrpc readproc log
    writepid /dev/cpuset/foreground/tasks