麒麟安全中心 kysec_kysec-sync-daemon

安全中心不能设置应用控制？？

/usr/sbin/security-switch --set custom --list exectl

安全中心

这是安全中心的程序 /usr/sbin/ksc-defender

查看扩展属性

kysec_get /home/myb/ls

采用的是文件系统的xattr扩展属性-selinux也是在此维护的信息，然后acl中获取到进行判断

root@myb-kylinV10:/home/myb# strace kysec_get  /home/myb/ls
execve("/usr/sbin/kysec_get", ["kysec_get", "/home/myb/ls"], [/* 24 vars */]) = 0
brk(NULL)                               = 0x1f3a000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=108151, ...}) = 0
mmap(NULL, 108151, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f603a03a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18704, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a039000
mmap(NULL, 2115416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039c2b000
mprotect(0x7f6039c2f000, 2093056, PROT_NONE) = 0
mmap(0x7f6039e2e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6039e2e000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec_core.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=10288, ...}) = 0
mmap(NULL, 2105560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039a28000
mprotect(0x7f6039a2a000, 2093056, PROT_NONE) = 0
mmap(0x7f6039c29000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6039c29000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f603965e000
mprotect(0x7f603981e000, 2097152, PROT_NONE) = 0
mmap(0x7f6039a1e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f6039a1e000
mmap(0x7f6039a24000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6039a24000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec_log.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\17\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=10472, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a038000
mmap(NULL, 2105744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f603945b000
mprotect(0x7f603945d000, 2093056, PROT_NONE) = 0
mmap(0x7f603965c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f603965c000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libsecurity.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\10\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=6072, ...}) = 0
mmap(NULL, 2101344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039259000
mprotect(0x7f603925a000, 2093056, PROT_NONE) = 0
mmap(0x7f6039459000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f6039459000
close(3)                                = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\20\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
mmap(NULL, 2113744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039054000
mprotect(0x7f6039058000, 2093056, PROT_NONE) = 0
mmap(0x7f6039257000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6039257000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a037000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a036000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a035000
arch_prctl(ARCH_SET_FS, 0x7f603a036700) = 0
mprotect(0x7f6039a1e000, 16384, PROT_READ) = 0
mprotect(0x7f6039257000, 4096, PROT_READ) = 0
mprotect(0x7f6039459000, 4096, PROT_READ) = 0
mprotect(0x7f603965c000, 4096, PROT_READ) = 0
mprotect(0x7f6039c29000, 4096, PROT_READ) = 0
mprotect(0x7f6039e2e000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ)     = 0
mprotect(0x7f603a055000, 4096, PROT_READ) = 0
munmap(0x7f603a03a000, 108151)          = 0
brk(NULL)                               = 0x1f3a000
brk(0x1f5b000)                          = 0x1f5b000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=7675968, ...}) = 0
mmap(NULL, 7675968, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6038901000
close(3)                                = 0
open("/sys/kernel/security/kysec/status", O_RDONLY) = 3
read(3, "2", 8)                         = 1
close(3)                                = 0
lstat("/home/myb/ls", {st_mode=S_IFREG|0777, st_size=126456, ...}) = 0
open("/sys/kernel/security/kysec/status", O_RDONLY) = 3
read(3, "2", 8)                         = 1
close(3)                                = 0
lgetxattr("/home/myb/ls", "security.kysec", "none:none:verified", 255) = 18
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 3), ...}) = 0
write(1, "/home/myb/ls: none:none:verified"..., 33/home/myb/ls: none:none:verified
) = 33
exit_group(0)                           = ?
+++ exited with 0 +++
root@myb-kylinV10:/home/myb# 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

配置扩展属性

kysec_set -n exectl -v unknown /home/myb/ls

kysec_set [-r] -n exectl/protect/userid -v 标记符号 file
-n identify:protect:exectl
-v \
	for identify part, these values are valid:
           secadm          commands for secadm
           audadm          commands for auditadm

       for exectl part, these values are valid:
           unknown              unknown files
           original             original system files
           verified             verified 3rd party files
           kysoft               software installer
           trusted              trusted files

       for protect part, only readonly is valid
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

更新安全标记

实际是查找可执行文件，然后设置标记，对应程序是 /usr/sbin/kysec-daemon

关闭keysec

临时关闭

1、在 grub 引导阶段修改 grub 配置文件， 临时关闭麒麟安全机制：将 “security=kysec” 修改为“ security= ” ， 即将安全配置选项置空。

永久关闭

在终端执行命令， 修改 grub 默认配置文件， 永久关闭麒麟安全机制：

$ vim /etc/default/grub

将GRUB_CMDLINE_LINUX_SECURITY=””修改为GRUB_CMDLINE_LINUX_SECURITY=”security= “

更新 grub 选项：

$ update-grub

*重启系统