
Commit 8eff3b2b authored by Rubin Xu's avatar Rubin Xu

Emit security log when backup service is toggled

Bug: 301949631
Test: android.devicepolicy.cts.BackupTest
Test: SecurityLoggingTest
Change-Id: I814e8857d1714bb051e8a1c8411e14f01769a84c
parent 27e5ead9
+1 −0
@@ -8505,6 +8505,7 @@ package android.app.admin {
    field public static final int TAG_ADB_SHELL_CMD = 210002; // 0x33452
    field public static final int TAG_ADB_SHELL_INTERACTIVE = 210001; // 0x33451
    field public static final int TAG_APP_PROCESS_START = 210005; // 0x33455
    field @FlaggedApi("android.app.admin.flags.backup_service_security_log_event_enabled") public static final int TAG_BACKUP_SERVICE_TOGGLED = 210044; // 0x3347c
    field public static final int TAG_BLUETOOTH_CONNECTION = 210039; // 0x33477
    field public static final int TAG_BLUETOOTH_DISCONNECTION = 210040; // 0x33478
    field public static final int TAG_CAMERA_POLICY_SET = 210034; // 0x33472
+15 −0
@@ -17,12 +17,14 @@
package android.app.admin;

import android.Manifest;
import android.annotation.FlaggedApi;
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.RequiresPermission;
import android.annotation.SystemApi;
import android.annotation.TestApi;
import android.app.admin.flags.Flags;
import android.compat.annotation.UnsupportedAppUsage;
import android.content.ComponentName;
import android.os.Build;
@@ -99,6 +101,7 @@ public class SecurityLog {
            TAG_PACKAGE_INSTALLED,
            TAG_PACKAGE_UPDATED,
            TAG_PACKAGE_UNINSTALLED,
            TAG_BACKUP_SERVICE_TOGGLED,
    })
    public @interface SecurityLogTag {}

@@ -598,6 +601,18 @@ public class SecurityLog {
     */
    public static final int TAG_PACKAGE_UNINSTALLED = SecurityLogTags.SECURITY_PACKAGE_UNINSTALLED;

    /**
     * Indicates that an admin has enabled or disabled backup service. The log entry contains the
     * following information about the event encapsulated in an {@link Object} array, accessible
     * via {@link SecurityEvent#getData()}:
     * <li> [0] admin package name ({@code String})
     * <li> [1] admin user ID ({@code Integer})
     * <li> [2] backup service state ({@code Integer}, 1 for enabled, 0 for disabled)
     * @see DevicePolicyManager#setBackupServiceEnabled(ComponentName, boolean)
     */
    @FlaggedApi(Flags.FLAG_BACKUP_SERVICE_SECURITY_LOG_EVENT_ENABLED)
    public static final int TAG_BACKUP_SERVICE_TOGGLED =
            SecurityLogTags.SECURITY_BACKUP_SERVICE_TOGGLED;
    /**
     * Event severity level indicating that the event corresponds to normal workflow.
     */
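Review bot: The new TAG_BACKUP_SERVICE_TOGGLED declaration in the last hunk runs straight into the Javadoc of the next member: there is no blank line between `SecurityLogTags.SECURITY_BACKUP_SERVICE_TOGGLED;` and the following `/**`, while a blank line does separate TAG_PACKAGE_UNINSTALLED from the new block. The Javadoc also reads as if the entry always marks a state change, but the call site in this commit writes it from the `enabled` value it was given, so a line such as `<li> [2] requested backup service state ({@code Integer}, 1 for enabled, 0 for disabled)` would be more precise for someone auditing the log. The SecurityLog class itself starts and ends outside these hunks.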
+2 −1
@@ -48,3 +48,4 @@ option java_package android.app.admin
210041 security_package_installed               (package_name|3),(version_code|1),(user_id|1)
210042 security_package_updated                 (package_name|3),(version_code|1),(user_id|1)
210043 security_package_uninstalled             (package_name|3),(version_code|1),(user_id|1)
210044 security_backup_service_toggled          (package|3),(admin_user|1),(enabled|1)
 No newline at end of file
+7 −0
@@ -62,3 +62,10 @@ flag {
    description: "Exempt the default sms app of the context user for suspension when calling setPersonalAppsSuspended"
    bug: "309183330"
}

flag {
  name: "backup_service_security_log_event_enabled"
  namespace: "enterprise"
  description: "Emit a security log event when DPM.setBackupServiceEnabled is called"
  bug: "304999634"
}
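Review bot: The new flag block is indented with two spaces, while the `description:` and `bug:` lines of the preceding flag use four; matching the existing indentation keeps the file uniform, e.g. `    name: "backup_service_security_log_event_enabled"`. The `bug: "304999634"` value also differs from the `Bug: 301949631` trailer of the commit, which may be intentional (a separate flag-tracking bug) but is worth confirming.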
+8 −0
@@ -220,6 +220,7 @@ import static android.app.admin.ProvisioningException.ERROR_REMOVE_NON_REQUIRED_
import static android.app.admin.ProvisioningException.ERROR_SETTING_PROFILE_OWNER_FAILED;
import static android.app.admin.ProvisioningException.ERROR_SET_DEVICE_OWNER_FAILED;
import static android.app.admin.ProvisioningException.ERROR_STARTING_PROFILE_FAILED;
import static android.app.admin.flags.Flags.backupServiceSecurityLogEventEnabled;
import static android.app.admin.flags.Flags.dumpsysPolicyEngineMigrationEnabled;
import static android.app.admin.flags.Flags.policyEngineMigrationV2Enabled;
import static android.content.Intent.ACTION_MANAGED_PROFILE_AVAILABLE;
@@ -17926,6 +17927,13 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
                || isProfileOwner(caller) || isFinancedDeviceOwner(caller));
        toggleBackupServiceActive(caller.getUserId(), enabled);
        if (backupServiceSecurityLogEventEnabled()) {
            if (SecurityLog.isLoggingEnabled()) {
                SecurityLog.writeEvent(SecurityLog.TAG_BACKUP_SERVICE_TOGGLED,
                        caller.getPackageName(), caller.getUserId(), enabled ? 1 : 0);
            }
        }
    }
    @Override
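Review bot: The added block logs `enabled ? 1 : 0` right after `toggleBackupServiceActive(...)` returns, so the entry reflects the requested value and is emitted even when the call repeats the current setting; nothing in the hunk reads the resulting state back. The body of toggleBackupServiceActive is not shown, so whether it can return without applying the change cannot be judged here; a comment like `// Audit entry carries the requested state, written once the toggle call has returned.` would make that contract explicit. As a matter of style the two nested conditions can be a single one, `if (backupServiceSecurityLogEventEnabled() && SecurityLog.isLoggingEnabled()) {`. The enclosing method begins above the hunk.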