Security Logging: log password change events (9c3342f9) · Commits · e / os / android_frameworks_base

core/api/current.txt

+1 −0

Original line number	Diff line number	Diff line
		@@ -7871,6 +7871,7 @@ package android.app.admin {
		field public static final int TAG_MEDIA_UNMOUNT = 210014; // 0x3345e
		field public static final int TAG_OS_SHUTDOWN = 210010; // 0x3345a
		field public static final int TAG_OS_STARTUP = 210009; // 0x33459
		field public static final int TAG_PASSWORD_CHANGED = 210036; // 0x33474
		field public static final int TAG_PASSWORD_COMPLEXITY_REQUIRED = 210035; // 0x33473
		field public static final int TAG_PASSWORD_COMPLEXITY_SET = 210017; // 0x33461
		field public static final int TAG_PASSWORD_EXPIRATION_SET = 210016; // 0x33460

core/api/system-current.txt

+5 −0

Original line number	Diff line number	Diff line
		@@ -357,6 +357,7 @@ package android {
		field public static final String WRITE_EMBEDDED_SUBSCRIPTIONS = "android.permission.WRITE_EMBEDDED_SUBSCRIPTIONS";
		field @Deprecated public static final String WRITE_MEDIA_STORAGE = "android.permission.WRITE_MEDIA_STORAGE";
		field public static final String WRITE_OBB = "android.permission.WRITE_OBB";
		field public static final String WRITE_SECURITY_LOG = "android.permission.WRITE_SECURITY_LOG";
		field public static final String WRITE_SMS = "android.permission.WRITE_SMS";
		}

		@@ -1300,6 +1301,10 @@ package android.app.admin {
		field public static final int ERROR_UNKNOWN = 0; // 0x0
		}

		public class SecurityLog {
		method @RequiresPermission(android.Manifest.permission.WRITE_SECURITY_LOG) public static int writeEvent(int, @NonNull java.lang.Object...);
		}

		public final class SystemUpdatePolicy implements android.os.Parcelable {
		method public android.app.admin.SystemUpdatePolicy.InstallationOption getInstallationOptionAt(long);
		field public static final int TYPE_PAUSE = 4; // 0x4

core/java/android/app/admin/DevicePolicyManager.java

+2 −2

Original line number	Diff line number	Diff line
		@@ -8185,10 +8185,10 @@ public class DevicePolicyManager {
		* @hide
		*/
		@RequiresFeature(PackageManager.FEATURE_SECURE_LOCK_SCREEN)
		public void reportPasswordChanged(@UserIdInt int userId) {
		public void reportPasswordChanged(PasswordMetrics metrics, @UserIdInt int userId) {
		if (mService != null) {
		try {
		mService.reportPasswordChanged(userId);
		mService.reportPasswordChanged(metrics, userId);
		} catch (RemoteException e) {
		throw e.rethrowFromSystemServer();
		}

core/java/android/app/admin/IDevicePolicyManager.aidl

+1 −1

Original line number	Diff line number	Diff line
		@@ -158,7 +158,7 @@ interface IDevicePolicyManager {
		void forceRemoveActiveAdmin(in ComponentName policyReceiver, int userHandle);
		boolean hasGrantedPolicy(in ComponentName policyReceiver, int usesPolicy, int userHandle);

		void reportPasswordChanged(int userId);
		void reportPasswordChanged(in PasswordMetrics metrics, int userId);
		void reportFailedPasswordAttempt(int userHandle);
		void reportSuccessfulPasswordAttempt(int userHandle);
		void reportFailedBiometricAttempt(int userHandle);

core/java/android/app/admin/SecurityLog.java

+53 −4

Original line number	Diff line number	Diff line
		@@ -16,8 +16,12 @@

		package android.app.admin;

		import android.Manifest;
		import android.annotation.IntDef;
		import android.annotation.NonNull;
		import android.annotation.Nullable;
		import android.annotation.RequiresPermission;
		import android.annotation.SystemApi;
		import android.annotation.TestApi;
		import android.compat.annotation.UnsupportedAppUsage;
		import android.content.ComponentName;
		@@ -86,7 +90,8 @@ public class SecurityLog {
		TAG_KEY_INTEGRITY_VIOLATION,
		TAG_CERT_VALIDATION_FAILURE,
		TAG_CAMERA_POLICY_SET,
		TAG_PASSWORD_COMPLEXITY_REQUIRED
		TAG_PASSWORD_COMPLEXITY_REQUIRED,
		TAG_PASSWORD_CHANGED,
		})
		public @interface SecurityLogTag {}

		@@ -494,6 +499,19 @@ public class SecurityLog {
		public static final int TAG_PASSWORD_COMPLEXITY_REQUIRED =
		SecurityLogTags.SECURITY_PASSWORD_COMPLEXITY_REQUIRED;

		/**
		* Indicates that a user has just changed their lockscreen password.
		* The log entry contains the following information about the
		* event, encapsulated in an {@link Object} array and accessible via
		* {@link SecurityEvent#getData()}:
		* <li> [0] complexity for the new password ({@code Integer})
		* <li> [1] target user ID ({@code Integer})
		*
		* <p>Password complexity levels are defined as in
		* {@link DevicePolicyManager#getPasswordComplexity()}
		*/
		public static final int TAG_PASSWORD_CHANGED = SecurityLogTags.SECURITY_PASSWORD_CHANGED;

		/**
		* Event severity level indicating that the event corresponds to normal workflow.
		*/
		@@ -635,6 +653,7 @@ public class SecurityLog {
		case TAG_USER_RESTRICTION_REMOVED:
		case TAG_CAMERA_POLICY_SET:
		case TAG_PASSWORD_COMPLEXITY_REQUIRED:
		case TAG_PASSWORD_CHANGED:
		return LEVEL_INFO;
		case TAG_CERT_AUTHORITY_REMOVED:
		case TAG_CRYPTO_SELF_TEST_COMPLETED:
		@@ -725,6 +744,13 @@ public class SecurityLog {
		return null;
		}
		break;
		case SecurityLog.TAG_PASSWORD_CHANGED:
		try {
		userId = getIntegerData(1);
		} catch (Exception e) {
		return null;
		}
		break;
		default:
		userId = UserHandle.USER_NULL;
		}
		@@ -840,15 +866,38 @@ public class SecurityLog {
		throws IOException;

		/**
		* Write a log entry to the underlying storage, with a string payload.
		* Write a log entry to the security log, with a string payload.
		*
		* <p>Security log is part of Android's device management capability that tracks
		* security-sensitive events for auditing purposes.
		*
		* @param tag the tag ID of the security event
		* @param payload the string payload associated with the tag. Each tag dictates the expected
		* meaning of this string.
		*
		* @see DevicePolicyManager#setSecurityLoggingEnabled(ComponentName, boolean)
		* @hide
		*/
		public static native int writeEvent(int tag, String str);
		// TODO(b/218658622): enforce WRITE_SECURITY_LOG in logd.
		@RequiresPermission(Manifest.permission.WRITE_SECURITY_LOG)
		public static native int writeEvent(@SecurityLogTag int tag, @NonNull String payload);

		/**
		* Write a log entry to the underlying storage, with several payloads.
		* Supported types of payload are: integer, long, float, string plus array of supported types.
		*
		* <p>Security log is part of Android's device management capability that tracks
		* security-sensitive events for auditing purposes.
		*
		* @param tag the tag ID of the security event
		* @param payloads a list of payload values. Each tag dictates the expected payload types
		* and their meanings
		* @see DevicePolicyManager#setSecurityLoggingEnabled(ComponentName, boolean)
		*
		* @hide
		*/
		public static native int writeEvent(int tag, Object... payloads);
		// TODO(b/218658622): enforce WRITE_SECURITY_LOG in logd.
		@SystemApi
		@RequiresPermission(Manifest.permission.WRITE_SECURITY_LOG)
		public static native int writeEvent(@SecurityLogTag int tag, @NonNull Object... payloads);
		}