Add audit logging API

    field public static final String MANAGE_DEFAULT_APPLICATIONS = "android.permission.MANAGE_DEFAULT_APPLICATIONS";

    field public static final String MANAGE_DEVICE_ADMINS = "android.permission.MANAGE_DEVICE_ADMINS";

    field public static final String MANAGE_DEVICE_POLICY_APP_EXEMPTIONS = "android.permission.MANAGE_DEVICE_POLICY_APP_EXEMPTIONS";

    field @FlaggedApi("android.app.admin.flags.security_log_v2_enabled") public static final String MANAGE_DEVICE_POLICY_AUDIT_LOGGING = "android.permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING";

    field @FlaggedApi("android.app.admin.flags.device_theft_api_enabled") public static final String MANAGE_DEVICE_POLICY_THEFT_DETECTION = "android.permission.MANAGE_DEVICE_POLICY_THEFT_DETECTION";

    field @FlaggedApi("android.permission.flags.enhanced_confirmation_mode_apis_enabled") public static final String MANAGE_ENHANCED_CONFIRMATION_STATES = "android.permission.MANAGE_ENHANCED_CONFIRMATION_STATES";

    field public static final String MANAGE_ETHERNET_NETWORKS = "android.permission.MANAGE_ETHERNET_NETWORKS";

    field @NonNull public static final android.os.Parcelable.Creator<android.app.admin.DevicePolicyDrawableResource> CREATOR;

  }

  public final class DevicePolicyIdentifiers {

    field @FlaggedApi("android.app.admin.flags.security_log_v2_enabled") public static final String AUDIT_LOGGING_POLICY = "auditLogging";

  }

  public class DevicePolicyKeyguardService extends android.app.Service {

    ctor public DevicePolicyKeyguardService();

    method @Nullable public void dismiss();

    method @Nullable public android.content.ComponentName getProfileOwner() throws java.lang.IllegalArgumentException;

    method @Nullable @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS}) public String getProfileOwnerNameAsUser(int) throws java.lang.IllegalArgumentException;

    method @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS}) public int getUserProvisioningState();

    method @FlaggedApi("android.app.admin.flags.security_log_v2_enabled") @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING) public boolean isAuditLogEnabled();

    method public boolean isDeviceManaged();

    method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public boolean isDeviceProvisioned();

    method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public boolean isDeviceProvisioningConfigApplied();

    method @RequiresPermission(android.Manifest.permission.TRIGGER_LOST_MODE) public void sendLostModeLocationUpdate(@NonNull java.util.concurrent.Executor, @NonNull java.util.function.Consumer<java.lang.Boolean>);

    method @Deprecated @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_ADMINS) public boolean setActiveProfileOwner(@NonNull android.content.ComponentName, String) throws java.lang.IllegalArgumentException;

    method @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_POLICY_APP_EXEMPTIONS) public void setApplicationExemptions(@NonNull String, @NonNull java.util.Set<java.lang.Integer>) throws android.content.pm.PackageManager.NameNotFoundException;

    method @FlaggedApi("android.app.admin.flags.security_log_v2_enabled") @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING) public void setAuditLogEnabled(boolean);

    method @FlaggedApi("android.app.admin.flags.security_log_v2_enabled") @RequiresPermission(android.Manifest.permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING) public void setAuditLogEventCallback(@NonNull java.util.concurrent.Executor, @Nullable java.util.function.Consumer<java.util.List<android.app.admin.SecurityLog.SecurityEvent>>);

    method @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public void setDeviceProvisioningConfigApplied();

    method @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public void setDpcDownloaded(boolean);

    method @FlaggedApi("android.app.admin.flags.device_policy_size_tracking_enabled") @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public void setMaxPolicyStorageLimit(int);

import android.annotation.FlaggedApi;

import android.annotation.NonNull;

import android.annotation.SystemApi;

import android.annotation.TestApi;

import android.app.admin.flags.Flags;

import android.os.UserManager;

    @FlaggedApi(FLAG_SECURITY_LOG_V2_ENABLED)

    public static final String SECURITY_LOGGING_POLICY = "securityLogging";

    /**

     * String identifier for {@link DevicePolicyManager#setAuditLogEnabled}.

     *

     * @hide

     */

    @FlaggedApi(FLAG_SECURITY_LOG_V2_ENABLED)

    @SystemApi

    public static final String AUDIT_LOGGING_POLICY = "auditLogging";

    /**

     * String identifier for {@link DevicePolicyManager#setLockTaskPackages}.

     */

import static android.Manifest.permission.SET_TIME_ZONE;

import static android.app.admin.flags.Flags.FLAG_ESIM_MANAGEMENT_ENABLED;

import static android.app.admin.flags.Flags.FLAG_DEVICE_POLICY_SIZE_TRACKING_ENABLED;

import static android.app.admin.flags.Flags.FLAG_SECURITY_LOG_V2_ENABLED;

import static android.app.admin.flags.Flags.onboardingBugreportV2Enabled;

import static android.app.admin.flags.Flags.FLAG_IS_MTE_POLICY_ENFORCED;

import static android.content.Intent.LOCAL_FLAG_FROM_SYSTEM;

    private final boolean mParentInstance;

    private final DevicePolicyResourcesManager mResourcesManager;

    /** @hide */

    public DevicePolicyManager(Context context, IDevicePolicyManager service) {

        this(context, service, false);

        }

    }

    /**

     * Controls whether audit logging is enabled.

     *

     * @hide

     */

    @SystemApi

    @FlaggedApi(FLAG_SECURITY_LOG_V2_ENABLED)

    @RequiresPermission(permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING)

    public void setAuditLogEnabled(boolean enabled) {

        throwIfParentInstance("setAuditLogEnabled");

        try {

            mService.setAuditLogEnabled(mContext.getPackageName(), true);

        } catch (RemoteException re) {

            re.rethrowFromSystemServer();

        }

    }

    /**

     * @return Whether audit logging is enabled.

     *

     * @hide

     */

    @SystemApi

    @FlaggedApi(FLAG_SECURITY_LOG_V2_ENABLED)

    @RequiresPermission(permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING)

    public boolean isAuditLogEnabled() {

        throwIfParentInstance("isAuditLogEnabled");

        try {

            return mService.isAuditLogEnabled(mContext.getPackageName());

        } catch (RemoteException re) {

            re.rethrowFromSystemServer();

            // unreachable

            return false;

        }

    }

    /**

     * Sets audit log event callback. Only one callback per UID is active at any time, when a new

     * callback is set, the previous one is forgotten. Should only be called when audit log policy

     * is enforced by the caller. Disabling the policy clears the callback. Each time a new callback

     * is set, it will first be invoked with all the audit log events available at the time.

     *

     * @param callback callback to invoke when new audit log events become available or {@code null}

     *                 to clear the callback.

     * @hide

     */

    @SystemApi

    @FlaggedApi(FLAG_SECURITY_LOG_V2_ENABLED)

    @RequiresPermission(permission.MANAGE_DEVICE_POLICY_AUDIT_LOGGING)

    public void setAuditLogEventCallback(

            @NonNull @CallbackExecutor Executor executor,

            @Nullable Consumer<List<SecurityEvent>> callback) {

        throwIfParentInstance("setAuditLogEventCallback");

        final IAuditLogEventsCallback wrappedCallback = callback == null

                ? null

                : new IAuditLogEventsCallback.Stub() {

                    @Override

                    public void onNewAuditLogEvents(List<SecurityEvent> events) {

                        executor.execute(() -> callback.accept(events));

                    }

                };

        try {

            mService.setAuditLogEventsCallback(mContext.getPackageName(), wrappedCallback);

        } catch (RemoteException re) {

            re.rethrowFromSystemServer();

        }

    }

    /**

     * Called by device owner or profile owner of an organization-owned managed profile to retrieve

     * all new security logging entries since the last call to this API after device boots.

     * Enforces resolved security logging policy, should only be invoked from device policy engine.

     */

    public abstract void enforceSecurityLoggingPolicy(boolean enabled);

    /**

     * Enforces resolved audit logging policy, should only be invoked from device policy engine.

     */

    public abstract void enforceAuditLoggingPolicy(boolean enabled);

}

/*

 * Copyright (C) 2024 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.app.admin;

import android.app.admin.SecurityLog;

/** @hide */

oneway interface IAuditLogEventsCallback {

    void onNewAuditLogEvents(in List<SecurityLog.SecurityEvent> events);

}

 No newline at end of file