diff options
| author | 2021-01-10 18:48:22 +0000 | |
|---|---|---|
| committer | 2021-01-12 13:48:46 +0000 | |
| commit | a240c7c2010d183ba9b9371593ca382e31dc5b9c (patch) | |
| tree | fb79f09d953cc1d5fd110fb9be3eebe096591a57 | |
| parent | 8bf124b0d1b767bbd47ac2440c0f408da516e8a6 (diff) | |
Add cred mng app metrics to DPMS
Log:
* install key pair failed
* generate key pair failed
Bug: 165641221
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testInstallKeyPairLogged
atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testGenerateKeyPairLogged
atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testSetKeyPairCertificateLogged
atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testInstallKeyPairLogged
Change-Id: I38da724cae7edb06b9a2848f39125f3c488bf407
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 69 |
1 files changed, 56 insertions, 13 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index fdbd85a77a5b..5ba352ce0cc7 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -375,6 +375,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { private static final String CALLED_FROM_PARENT = "calledFromParent"; private static final String NOT_CALLED_FROM_PARENT = "notCalledFromParent"; + private static final String CREDENTIAL_MANAGEMENT_APP = "credentialManagementApp"; + private static final String NOT_CREDENTIAL_MANAGEMENT_APP = "notCredentialManagementApp"; + // Comprehensive list of delegations. private static final String DELEGATIONS[] = { DELEGATION_CERT_INSTALL, @@ -5125,10 +5128,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { byte[] cert, byte[] chain, String alias, boolean requestAccess, boolean isUserSelectable) { final CallerIdentity caller = getCallerIdentity(who, callerPackage); + final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); + final boolean isCredentialManagementApp = + isCredentialManagementApp(caller, alias, isUserSelectable); Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate(caller, DELEGATION_CERT_INSTALL) - || isCredentialManagementApp(caller, alias, isUserSelectable)))); + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); final long id = mInjector.binderClearCallingIdentity(); try { @@ -5137,6 +5142,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { try { IKeyChainService keyChain = keyChainConnection.getService(); if (!keyChain.installKeyPair(privKey, cert, chain, alias, KeyStore.UID_SELF)) { + logInstallKeyPairFailure(caller, isCredentialManagementApp); return false; } if (requestAccess) { @@ -5146,7 +5152,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { DevicePolicyEventLogger .createEvent(DevicePolicyEnums.INSTALL_KEY_PAIR) .setAdmin(caller.getPackageName()) - .setBoolean(/* isDelegate */ who == null) + .setBoolean(/* isDelegate */ isCallerDelegate) + .setStrings(isCredentialManagementApp + ? CREDENTIAL_MANAGEMENT_APP : NOT_CREDENTIAL_MANAGEMENT_APP) .write(); return true; } catch (RemoteException e) { @@ -5160,16 +5168,29 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } finally { mInjector.binderRestoreCallingIdentity(id); } + logInstallKeyPairFailure(caller, isCredentialManagementApp); return false; } + private void logInstallKeyPairFailure(CallerIdentity caller, + boolean isCredentialManagementApp) { + if (!isCredentialManagementApp) { + return; + } + DevicePolicyEventLogger + .createEvent(DevicePolicyEnums.CREDENTIAL_MANAGEMENT_APP_INSTALL_KEY_PAIR_FAILED) + .setStrings(caller.getPackageName()) + .write(); + } + @Override public boolean removeKeyPair(ComponentName who, String callerPackage, String alias) { final CallerIdentity caller = getCallerIdentity(who, callerPackage); + final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); + final boolean isCredentialManagementApp = isCredentialManagementApp(caller, alias); Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate(caller, DELEGATION_CERT_INSTALL) - || isCredentialManagementApp(caller, alias)))); + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); final long id = Binder.clearCallingIdentity(); try { @@ -5180,7 +5201,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { DevicePolicyEventLogger .createEvent(DevicePolicyEnums.REMOVE_KEY_PAIR) .setAdmin(caller.getPackageName()) - .setBoolean(/* isDelegate */ who == null) + .setBoolean(/* isDelegate */ isCallerDelegate) + .setStrings(isCredentialManagementApp + ? CREDENTIAL_MANAGEMENT_APP : NOT_CREDENTIAL_MANAGEMENT_APP) .write(); return keyChain.removeKeyPair(alias); } catch (RemoteException e) { @@ -5404,6 +5427,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { "Requested Device ID attestation but challenge is empty"); final CallerIdentity caller = getCallerIdentity(who, callerPackage); + final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); + final boolean isCredentialManagementApp = isCredentialManagementApp(caller, alias); if (deviceIdAttestationRequired && attestationUtilsFlags.length > 0) { // TODO: replace enforce methods enforceCallerCanRequestDeviceIdAttestation(caller); @@ -5411,14 +5436,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } else { Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate(caller, DELEGATION_CERT_INSTALL) - || isCredentialManagementApp(caller, alias)))); + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); } // As the caller will be granted access to the key, ensure no UID was specified, as // it will not have the desired effect. if (keySpec.getUid() != KeyStore.UID_SELF) { Log.e(LOG_TAG, "Only the caller can be granted access to the generated keypair."); + logGenerateKeyPairFailure(caller, isCredentialManagementApp); return false; } @@ -5444,6 +5469,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { DevicePolicyManager.KEY_GEN_STRONGBOX_UNAVAILABLE, String.format("KeyChain error: %d", generationResult)); default: + logGenerateKeyPairFailure(caller, isCredentialManagementApp); return false; } } @@ -5468,15 +5494,17 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { throw new UnsupportedOperationException( "Device does not support Device ID attestation."); } + logGenerateKeyPairFailure(caller, isCredentialManagementApp); return false; } } DevicePolicyEventLogger .createEvent(DevicePolicyEnums.GENERATE_KEY_PAIR) .setAdmin(caller.getPackageName()) - .setBoolean(/* isDelegate */ who == null) + .setBoolean(/* isDelegate */ isCallerDelegate) .setInt(idAttestationFlags) - .setStrings(algorithm) + .setStrings(algorithm, isCredentialManagementApp + ? CREDENTIAL_MANAGEMENT_APP : NOT_CREDENTIAL_MANAGEMENT_APP) .write(); return true; } @@ -5488,9 +5516,21 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } finally { mInjector.binderRestoreCallingIdentity(id); } + logGenerateKeyPairFailure(caller, isCredentialManagementApp); return false; } + private void logGenerateKeyPairFailure(CallerIdentity caller, + boolean isCredentialManagementApp) { + if (!isCredentialManagementApp) { + return; + } + DevicePolicyEventLogger + .createEvent(DevicePolicyEnums.CREDENTIAL_MANAGEMENT_APP_GENERATE_KEY_PAIR_FAILED) + .setStrings(caller.getPackageName()) + .write(); + } + private void enforceIndividualAttestationSupportedIfRequested(int[] attestationUtilsFlags) { for (int attestationFlag : attestationUtilsFlags) { if (attestationFlag == USE_INDIVIDUAL_ATTESTATION @@ -5506,10 +5546,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { public boolean setKeyPairCertificate(ComponentName who, String callerPackage, String alias, byte[] cert, byte[] chain, boolean isUserSelectable) { final CallerIdentity caller = getCallerIdentity(who, callerPackage); + final boolean isCallerDelegate = isCallerDelegate(caller, DELEGATION_CERT_INSTALL); + final boolean isCredentialManagementApp = isCredentialManagementApp(caller, alias); Preconditions.checkCallAuthorization((caller.hasAdminComponent() && (isProfileOwner(caller) || isDeviceOwner(caller))) - || (caller.hasPackage() && (isCallerDelegate(caller, DELEGATION_CERT_INSTALL) - || isCredentialManagementApp(caller, alias)))); + || (caller.hasPackage() && (isCallerDelegate || isCredentialManagementApp))); final long id = mInjector.binderClearCallingIdentity(); try (final KeyChainConnection keyChainConnection = @@ -5522,7 +5563,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { DevicePolicyEventLogger .createEvent(DevicePolicyEnums.SET_KEY_PAIR_CERTIFICATE) .setAdmin(caller.getPackageName()) - .setBoolean(/* isDelegate */ who == null) + .setBoolean(/* isDelegate */ isCallerDelegate) + .setStrings(isCredentialManagementApp + ? CREDENTIAL_MANAGEMENT_APP : NOT_CREDENTIAL_MANAGEMENT_APP) .write(); return true; } catch (InterruptedException e) { |