
Commit 40431abf authored by Eran Messeri's avatar Eran Messeri

Log setting of password complexity.

Log a security event when the password complexity is set using the new
setRequiredPasswordComplexity API.

Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest
Bug: 165573442
Change-Id: Ide337ff1f18d1ab0a34bba44004f4bd8b74474c4
parent 6aa9b789
+1 −0
@@ -7343,6 +7343,7 @@ package android.app.admin {
    field public static final int TAG_MEDIA_UNMOUNT = 210014; // 0x3345e
    field public static final int TAG_OS_SHUTDOWN = 210010; // 0x3345a
    field public static final int TAG_OS_STARTUP = 210009; // 0x33459
    field public static final int TAG_PASSWORD_COMPLEXITY_REQUIRED = 210035; // 0x33473
    field public static final int TAG_PASSWORD_COMPLEXITY_SET = 210017; // 0x33461
    field public static final int TAG_PASSWORD_EXPIRATION_SET = 210016; // 0x33460
    field public static final int TAG_PASSWORD_HISTORY_LENGTH_SET = 210018; // 0x33462
+18 −1
@@ -85,7 +85,8 @@ public class SecurityLog {
            TAG_CRYPTO_SELF_TEST_COMPLETED,
            TAG_KEY_INTEGRITY_VIOLATION,
            TAG_CERT_VALIDATION_FAILURE,
            TAG_CAMERA_POLICY_SET
            TAG_CAMERA_POLICY_SET,
            TAG_PASSWORD_COMPLEXITY_REQUIRED
    })
    public @interface SecurityLogTag {}

@@ -477,6 +478,21 @@ public class SecurityLog {
    public static final int TAG_CAMERA_POLICY_SET =
            SecurityLogTags.SECURITY_CAMERA_POLICY_SET;

    /**
     * Indicates that an admin has set a password complexity requirement, using the platform's
     * pre-defined complexity levels. The log entry contains the following information about the
     * event, encapsulated in an {@link Object} array and accessible via
     * {@link SecurityEvent#getData()}:
     * <li> [0] admin package name ({@code String})
     * <li> [1] admin user ID ({@code Integer})
     * <li> [2] target user ID ({@code Integer})
     * <li> [3] Password complexity ({@code Integer})
     *
     * @see DevicePolicyManager#setRequiredPasswordComplexity(int)
     */
    public static final int TAG_PASSWORD_COMPLEXITY_REQUIRED =
            SecurityLogTags.SECURITY_PASSWORD_COMPLEXITY_REQUIRED;

    /**
     * Event severity level indicating that the event corresponds to normal workflow.
     */
@@ -617,6 +633,7 @@ public class SecurityLog {
                case TAG_USER_RESTRICTION_ADDED:
                case TAG_USER_RESTRICTION_REMOVED:
                case TAG_CAMERA_POLICY_SET:
                case TAG_PASSWORD_COMPLEXITY_REQUIRED:
                    return LEVEL_INFO;
                case TAG_CERT_AUTHORITY_REMOVED:
                case TAG_CRYPTO_SELF_TEST_COMPLETED:
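Review bot: The Javadoc added for `TAG_PASSWORD_COMPLEXITY_REQUIRED` (second hunk of this file) does not say which values field [3] can hold, nor how this tag differs from the similarly named `TAG_PASSWORD_COMPLEXITY_SET`, so anyone parsing the security log has to work both out from the service code. I would extend the last item to `<li> [3] Password complexity ({@code Integer}), one of the {@code DevicePolicyManager.PASSWORD_COMPLEXITY_*} levels` and add one sentence stating that this event is distinct from `TAG_PASSWORD_COMPLEXITY_SET`. The `SecurityLog` class body starts and ends outside the hunks shown.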
+2 −1
# See system/core/logcat/event.logtags for a description of the format of this file.
# See system/logging/logcat/event.logtags for a description of the format of this file.

option java_package android.app.admin

@@ -39,3 +39,4 @@ option java_package android.app.admin
210032 security_key_integrity_violation         (key_id|3),(uid|1)
210033 security_cert_validation_failure         (reason|3)
210034 security_camera_policy_set               (package|3),(admin_user|1),(target_user|1),(disabled|1)
210035 security_password_complexity_required    (package|3),(admin_user|1),(target_user|1),(complexity|1)
+11 −1
@@ -4304,13 +4304,23 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
                    updatePasswordValidityCheckpointLocked(caller.getUserId(), calledOnParent);
                    updatePasswordQualityCacheForUserGroup(caller.getUserId());
                    saveSettingsLocked(caller.getUserId());
                    //TODO: Log password complexity change if security logging is enabled.
                });
            }
            logPasswordComplexityRequiredIfSecurityLogEnabled(admin.info.getComponent(),
                    caller.getUserId(), calledOnParent, passwordComplexity);
        }
        //TODO: Log metrics.
    }
    private void logPasswordComplexityRequiredIfSecurityLogEnabled(ComponentName who, int userId,
            boolean parent, int complexity) {
        if (SecurityLog.isLoggingEnabled()) {
            final int affectedUserId = parent ? getProfileParentId(userId) : userId;
            SecurityLog.writeEvent(SecurityLog.TAG_PASSWORD_COMPLEXITY_REQUIRED,
                    who.getPackageName(), userId, affectedUserId, complexity);
        }
    }
    private int getEffectivePasswordComplexityRequirementLocked(@UserIdInt int userHandle) {
        ensureLocked();
        List<ActiveAdmin> admins = getActiveAdminsForLockscreenPoliciesLocked(userHandle);
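Review bot: The call to `logPasswordComplexityRequiredIfSecurityLogEnabled(...)` sits after the closing brace of the block that updates and saves the setting, so the event appears to be written on every call, including calls that leave the stored value unchanged; the condition guarding that block is outside the hunk, so this is inferred. If auditing every admin request is intended, say so next to the call, e.g. `// Logged on every call, even when the value is unchanged, to audit each admin request.`; if only changes should be recorded, move the call inside the guarded block after `saveSettingsLocked(...)`. The new helper would also benefit from a short comment stating that `userId` is the calling admin's user and that `parent` redirects the affected user to the profile parent, since the positional arguments must stay in the `(admin_user|1),(target_user|1)` order of the logtags entry. The enclosing method starts before this hunk.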