
麒麟安全中心 kysec_kysec-sync-daemon

kysec-sync-daemon

安全中心不能设置应用控制??

/usr/sbin/security-switch --set custom --list exectl

安全中心

这是安全中心的程序 /usr/sbin/ksc-defender

查看扩展属性

kysec_get /home/myb/ls

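kysec 的安全标记保存在文件系统的 xattr 扩展属性中(SELinux 的标签也是通过 xattr 维护的),访问控制(acl)判断时再从中取出标记。从下面的 strace 输出可以看到,kysec_get 先读取 /sys/kernel/security/kysec/status,再用 lgetxattr 读取文件的 security.kysec 属性,得到 none:none:verified(三段应分别对应 identify:protect:exectl)。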

root@myb-kylinV10:/home/myb# strace kysec_get  /home/myb/ls
execve("/usr/sbin/kysec_get", ["kysec_get", "/home/myb/ls"], [/* 24 vars */]) = 0
brk(NULL)                               = 0x1f3a000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=108151, ...}) = 0
mmap(NULL, 108151, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f603a03a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18704, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a039000
mmap(NULL, 2115416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039c2b000
mprotect(0x7f6039c2f000, 2093056, PROT_NONE) = 0
mmap(0x7f6039e2e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6039e2e000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec_core.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=10288, ...}) = 0
mmap(NULL, 2105560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039a28000
mprotect(0x7f6039a2a000, 2093056, PROT_NONE) = 0
mmap(0x7f6039c29000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6039c29000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f603965e000
mprotect(0x7f603981e000, 2097152, PROT_NONE) = 0
mmap(0x7f6039a1e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f6039a1e000
mmap(0x7f6039a24000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6039a24000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec_log.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\17\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=10472, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a038000
mmap(NULL, 2105744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f603945b000
mprotect(0x7f603945d000, 2093056, PROT_NONE) = 0
mmap(0x7f603965c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f603965c000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libsecurity.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\10\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=6072, ...}) = 0
mmap(NULL, 2101344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039259000
mprotect(0x7f603925a000, 2093056, PROT_NONE) = 0
mmap(0x7f6039459000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f6039459000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\20\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
mmap(NULL, 2113744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039054000
mprotect(0x7f6039058000, 2093056, PROT_NONE) = 0
mmap(0x7f6039257000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6039257000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a037000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a036000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a035000
arch_prctl(ARCH_SET_FS, 0x7f603a036700) = 0
mprotect(0x7f6039a1e000, 16384, PROT_READ) = 0
mprotect(0x7f6039257000, 4096, PROT_READ) = 0
mprotect(0x7f6039459000, 4096, PROT_READ) = 0
mprotect(0x7f603965c000, 4096, PROT_READ) = 0
mprotect(0x7f6039c29000, 4096, PROT_READ) = 0
mprotect(0x7f6039e2e000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ)     = 0
mprotect(0x7f603a055000, 4096, PROT_READ) = 0
munmap(0x7f603a03a000, 108151)          = 0
brk(NULL)                               = 0x1f3a000
brk(0x1f5b000)                          = 0x1f5b000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=7675968, ...}) = 0
mmap(NULL, 7675968, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6038901000
close(3)                                = 0
open("/sys/kernel/security/kysec/status", O_RDONLY) = 3
read(3, "2", 8)                         = 1
close(3)                                = 0
lstat("/home/myb/ls", {st_mode=S_IFREG|0777, st_size=126456, ...}) = 0
open("/sys/kernel/security/kysec/status", O_RDONLY) = 3
read(3, "2", 8)                         = 1
close(3)                                = 0
lgetxattr("/home/myb/ls", "security.kysec", "none:none:verified", 255) = 18
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 3), ...}) = 0
write(1, "/home/myb/ls: none:none:verified"..., 33/home/myb/ls: none:none:verified
) = 33
exit_group(0)                           = ?
+++ exited with 0 +++
root@myb-kylinV10:/home/myb# 

配置扩展属性

kysec_set -n exectl -v unknown /home/myb/ls

kysec_set [-r] -n exectl/protect/userid -v 标记符号 file
-n identify:protect:exectl
-v \
	for identify part, these values are valid:
           secadm          commands for secadm
           audadm          commands for auditadm

       for exectl part, these values are valid:
           unknown              unknown files
           original             original system files
           verified             verified 3rd party files
           kysoft               software installer
           trusted              trusted files

       for protect part, only readonly is valid

更新安全标记

实际是查找可执行文件,然后设置标记,对应程序是 /usr/sbin/kysec-daemon

关闭kysec

临时关闭

1、在 grub 引导阶段修改 grub 配置,临时关闭麒麟安全机制:将 "security=kysec" 修改为 "security=",即将安全配置选项置空。该修改只对本次启动有效;关闭期间,上文基于 security.kysec 标记的检查不再执行。

永久关闭

在终端执行命令, 修改 grub 默认配置文件, 永久关闭麒麟安全机制:

$ vim /etc/default/grub

将 GRUB_CMDLINE_LINUX_SECURITY="" 修改为 GRUB_CMDLINE_LINUX_SECURITY="security= "

更新 grub 选项:

$ update-grub

最后重启系统,使新的 grub 配置生效。
